Enum: AttackRelationshipTypeEnum
Closed enumeration of relationship types used in ATT&CK relationship objects. Each value defines a specific semantic connection between ATT&CK STIX objects. Not all (source, relationship, target) type combinations are valid; see the ATT&CK Data Model specification for the full relationship compatibility matrix.
URI: attack:AttackRelationshipTypeEnum
Permissible Values
| Value | Meaning | Description |
|---|---|---|
| uses | None | A Group (intrusion-set), Campaign, Malware, or Tool uses a Technique (attack-... |
| mitigates | None | A Mitigation (course-of-action) mitigates a Technique (attack-pattern) |
| subtechnique-of | None | A sub-technique (attack-pattern) is a specialized implementation of a parent ... |
| detects | None | A DataComponent (x-mitre-data-component) or DetectionStrategy (x-mitre-detect... |
| attributed-to | None | A Campaign is attributed to a Group (intrusion-set) |
| targets | None | A Technique (attack-pattern) targets an Asset (x-mitre-asset) |
| revoked-by | None | An ATT&CK object has been revoked and replaced by another object of the same ... |
Slots
| Name | Description |
|---|---|
| relationship_type | The semantic type of this relationship |
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/attack
LinkML Source
name: AttackRelationshipTypeEnum
description: Closed enumeration of relationship types used in ATT&CK relationship
objects. Each value defines a specific semantic connection between ATT&CK STIX objects.
Not all (source, relationship, target) type combinations are valid; see the ATT&CK
Data Model specification for the full relationship compatibility matrix.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
permissible_values:
uses:
text: uses
description: 'A Group (intrusion-set), Campaign, Malware, or Tool uses a Technique
(attack-pattern), Malware, or Tool. Constraint: Malware CANNOT use Malware;
Tool CANNOT use Tool. Campaign --uses--> Technique/Malware/Tool is also valid.'
mitigates:
text: mitigates
description: 'A Mitigation (course-of-action) mitigates a Technique (attack-pattern).
Only valid source type: course-of-action. Only valid target type: attack-pattern.'
subtechnique-of:
text: subtechnique-of
description: A sub-technique (attack-pattern) is a specialized implementation
of a parent technique (attack-pattern). Source is the sub-technique; target
is the parent. Each sub-technique has exactly one parent; parent techniques
may have many sub-techniques.
detects:
text: detects
description: 'A DataComponent (x-mitre-data-component) or DetectionStrategy (x-mitre-detection-strategy)
detects a Technique (attack-pattern). Note: x-mitre-data-component --detects-->
attack-pattern is DEPRECATED as of v3.3.0.'
attributed-to:
text: attributed-to
description: A Campaign is attributed to a Group (intrusion-set). Represents the
intelligence assessment linking a campaign to a known threat actor group.
targets:
text: targets
description: A Technique (attack-pattern) targets an Asset (x-mitre-asset). Only
applicable in the ICS domain to model technique-to-asset targeting relationships.
revoked-by:
text: revoked-by
description: An ATT&CK object has been revoked and replaced by another object
of the same STIX type. Both source and target must be the same STIX type (e.g.,
both attack-pattern).