Class: AttackObject
Abstract base class for all versioned ATT&CK objects (SDOs and SROs). Extends the STIX Core (Common Properties) object with ATT&CK-specific universal properties: the required x_mitre_attack_spec_version (which ATT&CK specification the object conforms to), x_mitre_version (the object's content version), and optional x_mitre_deprecated and x_mitre_old_attack_id for lifecycle management. The name property inherited from StixEntity is required on all AttackObject subclasses (except Relationship, where it is not present).
- NOTE: this is an abstract class and should not be instantiated directly
URI: attack:AttackObject
```mermaid
classDiagram
    class AttackObject
    click AttackObject href "../AttackObject/"
    Core <|-- AttackObject
    click Core href "../Core/"
    AttackObject <|-- AttackSoftware
    click AttackSoftware href "../AttackSoftware/"
    AttackObject <|-- Technique
    click Technique href "../Technique/"
    AttackObject <|-- Tactic
    click Tactic href "../Tactic/"
    AttackObject <|-- Group
    click Group href "../Group/"
    AttackObject <|-- AttackCampaign
    click AttackCampaign href "../AttackCampaign/"
    AttackObject <|-- Mitigation
    click Mitigation href "../Mitigation/"
    AttackObject <|-- Asset
    click Asset href "../Asset/"
    AttackObject <|-- DataSource
    click DataSource href "../DataSource/"
    AttackObject <|-- DataComponent
    click DataComponent href "../DataComponent/"
    AttackObject <|-- Matrix
    click Matrix href "../Matrix/"
    AttackObject <|-- Collection
    click Collection href "../Collection/"
    AttackObject <|-- AttackIdentity
    click AttackIdentity href "../AttackIdentity/"
    AttackObject <|-- DetectionStrategy
    click DetectionStrategy href "../DetectionStrategy/"
    AttackObject <|-- Analytic
    click Analytic href "../Analytic/"
    AttackObject <|-- AttackRelationship
    click AttackRelationship href "../AttackRelationship/"
    AttackObject : confidence
    AttackObject : created
    AttackObject : created_by_ref
    AttackObject : description
    AttackObject : extensions
    AttackObject : external_references
    AttackObject --> "*" ExternalReference : external_references
    click ExternalReference href "../ExternalReference/"
    AttackObject : granular_markings
    AttackObject --> "*" GranularMarking : granular_markings
    click GranularMarking href "../GranularMarking/"
    AttackObject : id
    AttackObject : labels
    AttackObject : lang
    AttackObject : modified
    AttackObject : name
    AttackObject : object_marking_refs
    AttackObject : revoked
    AttackObject : spec_version
    AttackObject --> "1" SpecVersionEnum : spec_version
    click SpecVersionEnum href "../SpecVersionEnum/"
    AttackObject : type
    AttackObject : x_mitre_attack_spec_version
    AttackObject : x_mitre_deprecated
    AttackObject : x_mitre_old_attack_id
    AttackObject : x_mitre_version
```
Inheritance
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| x_mitre_attack_spec_version | 1 SemverString | The version of the ATT&CK Data Model specification used to construct this obj... | direct |
| x_mitre_version | 1 AttackVersionString | The version of this ATT&CK object content in 'major | direct |
| x_mitre_deprecated | 0..1 Boolean | Boolean flag indicating that this ATT&CK object has been deprecated and shoul... | direct |
| x_mitre_old_attack_id | 0..1 String | A legacy ATT&CK ID previously assigned to this object before a knowledge base... | direct |
| type | 1 StixTypeName | STIX object type | Core, StixEntity |
| spec_version | 1 SpecVersionEnum | STIX specification version | Core |
| id | 1 StixIdentifier | STIX object identifier | Core, StixEntity |
| created | 1 Datetime | Creation timestamp | Core |
| modified | 1 Datetime | Modification timestamp | Core |
| created_by_ref | 0..1 StixIdentifier | The STIX ID of the identity object that first created this ATT&CK object | Core |
| labels | * String | Terms used to describe this object | Core |
| revoked | 0..1 Boolean | Indicates whether this object has been revoked | Core |
| confidence | 0..1 Integer | Confidence that the producer has in this data | Core |
| lang | 0..1 String | Language of textual properties | Core |
| external_references | * ExternalReference | External references to non-STIX information | Core |
| object_marking_refs | * StixIdentifier | Marking definition references applied to this object | Core |
| granular_markings | * GranularMarking | Granular markings that apply to selected content | Core |
| extensions | * String | Open-ended extension payloads | Core |
| name | 1 String | The human-readable name of this ATT&CK object | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| note | Corresponds to attackBaseDomainObjectSchema / attackBaseRelationshipObjectSchema in the ATT&CK Data Model TypeScript implementation. Relationship objects additionally omit 'name' and 'x_mitre_version'; see AttackRelationship for those constraints. MarkingDefinition additionally omits 'modified', 'x_mitre_attack_spec_version', 'x_mitre_version', and 'x_mitre_deprecated'; see AttackMarkingDefinition. |
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:AttackObject |
| native | attack:AttackObject |
LinkML Source
Direct
```yaml
name: AttackObject
annotations:
  note:
    tag: note
    value: Corresponds to attackBaseDomainObjectSchema / attackBaseRelationshipObjectSchema
      in the ATT&CK Data Model TypeScript implementation. Relationship objects additionally
      omit 'name' and 'x_mitre_version'; see AttackRelationship for those constraints.
      MarkingDefinition additionally omits 'modified', 'x_mitre_attack_spec_version',
      'x_mitre_version', and 'x_mitre_deprecated'; see AttackMarkingDefinition.
description: 'Abstract base class for all versioned ATT&CK objects (SDOs and SROs).
  Extends the STIX Core (Common Properties) object with ATT&CK-specific universal
  properties: the required x_mitre_attack_spec_version (which ATT&CK specification
  the object conforms to), x_mitre_version (the object''s content version), and optional
  x_mitre_deprecated and x_mitre_old_attack_id for lifecycle management. The name
  property inherited from StixEntity is required on all AttackObject subclasses (except
  Relationship, where it is not present).'
from_schema: https://w3id.org/lmodel/attack
is_a: Core
abstract: true
slots:
- x_mitre_attack_spec_version
- x_mitre_version
- x_mitre_deprecated
- x_mitre_old_attack_id
slot_usage:
  id:
    name: id
    required: true
  type:
    name: type
    required: true
  spec_version:
    name: spec_version
    required: true
  name:
    name: name
    description: The human-readable name of this ATT&CK object. Required on all ATT&CK
      objects except relationship objects (which never carry a name).
    required: true
  created:
    name: created
    required: true
  modified:
    name: modified
    required: true
  x_mitre_attack_spec_version:
    name: x_mitre_attack_spec_version
    required: true
  x_mitre_version:
    name: x_mitre_version
    required: true
  created_by_ref:
    name: created_by_ref
    description: The STIX ID of the identity object that first created this ATT&CK
      object. Typically references MITRE's identity (identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5).
```
Induced
```yaml
name: AttackObject
annotations:
  note:
    tag: note
    value: Corresponds to attackBaseDomainObjectSchema / attackBaseRelationshipObjectSchema
      in the ATT&CK Data Model TypeScript implementation. Relationship objects additionally
      omit 'name' and 'x_mitre_version'; see AttackRelationship for those constraints.
      MarkingDefinition additionally omits 'modified', 'x_mitre_attack_spec_version',
      'x_mitre_version', and 'x_mitre_deprecated'; see AttackMarkingDefinition.
description: 'Abstract base class for all versioned ATT&CK objects (SDOs and SROs).
  Extends the STIX Core (Common Properties) object with ATT&CK-specific universal
  properties: the required x_mitre_attack_spec_version (which ATT&CK specification
  the object conforms to), x_mitre_version (the object''s content version), and optional
  x_mitre_deprecated and x_mitre_old_attack_id for lifecycle management. The name
  property inherited from StixEntity is required on all AttackObject subclasses (except
  Relationship, where it is not present).'
from_schema: https://w3id.org/lmodel/attack
is_a: Core
abstract: true
slot_usage:
  id:
    name: id
    required: true
  type:
    name: type
    required: true
  spec_version:
    name: spec_version
    required: true
  name:
    name: name
    description: The human-readable name of this ATT&CK object. Required on all ATT&CK
      objects except relationship objects (which never carry a name).
    required: true
  created:
    name: created
    required: true
  modified:
    name: modified
    required: true
  x_mitre_attack_spec_version:
    name: x_mitre_attack_spec_version
    required: true
  x_mitre_version:
    name: x_mitre_version
    required: true
  created_by_ref:
    name: created_by_ref
    description: The STIX ID of the identity object that first created this ATT&CK
      object. Typically references MITRE's identity (identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5).
attributes:
  x_mitre_attack_spec_version:
    name: x_mitre_attack_spec_version
    description: The version of the ATT&CK Data Model specification used to construct
      this object, in MAJOR.MINOR.PATCH (semantic versioning) format. Helps consuming
      software determine whether the data format is supported. Objects lacking this
      property are assumed to conform to ATT&CK spec version 2.0.0. Refer to the ATT&CK
      CHANGELOG for all supported versions.
    comments:
    - 'absent_on: marking-definition, identity (x_mitre_version absent), relationship
      (x_mitre_version absent)'
    in_subset:
    - attack_sdos
    - attack_sros
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_attack_spec_version
    owner: AttackObject
    domain_of:
    - AttackObject
    range: semver_string
    required: true
  x_mitre_version:
    name: x_mitre_version
    description: 'The version of this ATT&CK object content in ''major.minor'' format,
      where both components are integers between 0 and 99. Incremented by ATT&CK whenever
      the substantive content of the object changes. Does not apply to relationship
      objects. Example: "1.0", "12.5".'
    comments:
    - 'absent_on: relationship, marking-definition'
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_version
    owner: AttackObject
    domain_of:
    - AttackObject
    range: attack_version_string
    required: true
  x_mitre_deprecated:
    name: x_mitre_deprecated
    description: Boolean flag indicating that this ATT&CK object has been deprecated
      and should no longer be used in new analyses or tooling implementations. Deprecated
      objects are retained in the knowledge base for historical reference and legacy
      compatibility, but are not actively maintained with new information.
    comments:
    - 'absent_on: marking-definition'
    in_subset:
    - attack_sdos
    - attack_sros
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_deprecated
    owner: AttackObject
    domain_of:
    - AttackObject
    range: boolean
  x_mitre_old_attack_id:
    name: x_mitre_old_attack_id
    description: A legacy ATT&CK ID previously assigned to this object before a knowledge
      base restructuring or domain migration event. Format mirrors the current ATT&CK
      ID format but from the prior numbering scheme (e.g., "MOB-T1001" for a mobile
      technique previously in the pre-unification Mobile ATT&CK dataset).
    in_subset:
    - attack_sdos
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_old_attack_id
    owner: AttackObject
    domain_of:
    - AttackObject
    range: string
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: AttackObject
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
    required: true
  spec_version:
    name: spec_version
    description: STIX specification version.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:specVersion
    rank: 1000
    alias: spec_version
    owner: AttackObject
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: SpecVersionEnum
    required: true
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: AttackObject
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
    required: true
  created:
    name: created
    description: Creation timestamp.
    notes:
    - STIX core timestamps require millisecond precision.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectCreatedTime
    rank: 1000
    alias: created
    owner: AttackObject
    domain_of:
    - Core
    - MarkingDefinition
    range: datetime
    required: true
    pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
  modified:
    name: modified
    description: Modification timestamp.
    notes:
    - STIX core timestamps require millisecond precision.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:modifiedTime
    rank: 1000
    alias: modified
    owner: AttackObject
    domain_of:
    - Core
    range: datetime
    required: true
    pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
  created_by_ref:
    name: created_by_ref
    description: The STIX ID of the identity object that first created this ATT&CK
      object. Typically references MITRE's identity (identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5).
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:createdBy
    rank: 1000
    alias: created_by_ref
    owner: AttackObject
    domain_of:
    - Core
    - MarkingDefinition
    range: stix_identifier
  labels:
    name: labels
    description: Terms used to describe this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:tag
    rank: 1000
    alias: labels
    owner: AttackObject
    domain_of:
    - Core
    range: string
    multivalued: true
  revoked:
    name: revoked
    description: Indicates whether this object has been revoked.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: revoked
    owner: AttackObject
    domain_of:
    - Core
    range: boolean
  confidence:
    name: confidence
    description: Confidence that the producer has in this data.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: confidence
    owner: AttackObject
    domain_of:
    - Core
    range: integer
    minimum_value: 0
    maximum_value: 100
  lang:
    name: lang
    description: Language of textual properties.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: lang
    owner: AttackObject
    domain_of:
    - Core
    - GranularMarking
    range: string
  external_references:
    name: external_references
    description: External references to non-STIX information.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: external_references
    owner: AttackObject
    domain_of:
    - Core
    - MarkingDefinition
    range: ExternalReference
    multivalued: true
  object_marking_refs:
    name: object_marking_refs
    description: Marking definition references applied to this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: object_marking_refs
    owner: AttackObject
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: stix_identifier
    multivalued: true
  granular_markings:
    name: granular_markings
    description: Granular markings that apply to selected content.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    narrow_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: granular_markings
    owner: AttackObject
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: GranularMarking
    multivalued: true
  extensions:
    name: extensions
    description: Open-ended extension payloads.
    notes:
    - JSON Schema uses patternProperties for extension keys; exact key validation
      is delegated to validator tooling.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: extensions
    owner: AttackObject
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    - File
    range: string
    multivalued: true
  name:
    name: name
    description: The human-readable name of this ATT&CK object. Required on all ATT&CK
      objects except relationship objects (which never carry a name).
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: AttackObject
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
    required: true
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: AttackObject
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string
```
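
A consumer-side check of the AttackObject constraints listed on this page, for use when ingesting ATT&CK STIX objects. This is an added example, not code from the schema or from the ATT&CK Data Model implementation. The function names, the sample objects and the exact semver regex are assumptions; the timestamp pattern, the 0-100 confidence range and the per-type omissions are taken from the page.

```python
import re

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")                  # MAJOR.MINOR.PATCH (assumed pattern)
ATTACK_VERSION = re.compile(r"^\d{1,2}\.\d{1,2}$")       # 'major.minor', each 0-99
TIMESTAMP = re.compile(r"T\d{2}:\d{2}:\d{2}\.\d{3,}Z$")  # pattern quoted from the schema
PATTERNS = {"x_mitre_attack_spec_version": SEMVER, "x_mitre_version": ATTACK_VERSION,
            "created": TIMESTAMP, "modified": TIMESTAMP}
REQUIRED = {"id", "type", "spec_version", "created", "modified", "name",
            "x_mitre_attack_spec_version", "x_mitre_version"}
# Properties each type omits, per the page's annotation note.
OMITTED = {
    "relationship": {"name", "x_mitre_version"},
    "marking-definition": {"modified", "x_mitre_attack_spec_version",
                           "x_mitre_version", "x_mitre_deprecated"},
}

def validate_attack_object(obj):
    """Return sorted violations of the AttackObject common-property constraints."""
    required = REQUIRED - OMITTED.get(obj.get("type"), set())
    errors = [f"{p}: required property missing" for p in required if p not in obj]
    for prop, pattern in PATTERNS.items():
        value = obj.get(prop)
        if value is not None and not (isinstance(value, str) and pattern.search(value)):
            errors.append(f"{prop}: malformed value {value!r}")
    for flag in ("x_mitre_deprecated", "revoked"):
        if flag in obj and not isinstance(obj[flag], bool):
            errors.append(f"{flag}: must be a boolean")
    conf = obj.get("confidence")
    if conf is not None and (type(conf) is not int or not 0 <= conf <= 100):
        errors.append("confidence: must be an integer from 0 to 100")
    return sorted(errors)

def is_active(obj):
    """True when the object is neither revoked nor deprecated."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

# Constructed sample objects (IDs and values are illustrative, not real ATT&CK content).
TECHNIQUE = {
    "type": "attack-pattern", "spec_version": "2.1",
    "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
    "created": "2024-01-01T00:00:00.000Z", "modified": "2024-06-01T12:30:00.000Z",
    "name": "Example Technique", "x_mitre_attack_spec_version": "3.2.0",
    "x_mitre_version": "1.0",
}
# Same object with a second-precision timestamp, a three-part content version, and deprecated.
STALE = dict(TECHNIQUE, modified="2024-06-01T12:30:00Z", x_mitre_version="1.0.0",
             x_mitre_deprecated=True)
RELATIONSHIP = {k: v for k, v in TECHNIQUE.items() if k not in ("name", "x_mitre_version")}
RELATIONSHIP.update(type="relationship", id="relationship--00000000-0000-4000-8000-000000000002")
```

Filtering on `is_active` before mapping detections or reports to ATT&CK keeps deprecated and revoked objects out of new analyses while leaving them available for historical lookups.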