Class: Attack
The MITRE ATT&CK® & ATLAS™ object describes the tactic, technique,
sub-technique & mitigation associated to an attack.
URI: ocsf:Attack
```mermaid
classDiagram
    class Attack
    click Attack href "../Attack/"
      Object <|-- Attack
        click Object href "../Object/"
      Attack : mitigation
          Attack --> "0..1" Mitigation : mitigation
          click Mitigation href "../Mitigation/"
      Attack : sub_technique
          Attack --> "0..1 _recommended_" SubTechnique : sub_technique
          click SubTechnique href "../SubTechnique/"
      Attack : tactic
          Attack --> "0..1 _recommended_" Tactic : tactic
          click Tactic href "../Tactic/"
      Attack : tactics
          Attack --> "*" Tactic : tactics
          click Tactic href "../Tactic/"
      Attack : technique
          Attack --> "0..1 _recommended_" Technique : technique
          click Technique href "../Technique/"
      Attack : version
```
Inheritance
- OcsfObject
- Object
- Attack
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| mitigation | 0..1 Mitigation | The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID | direct |
| sub_technique | 0..1 recommended SubTechnique | The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ... | direct |
| tactic | 0..1 recommended Tactic | The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name | direct |
| tactics | * Tactic | The Tactic object describes the tactic ID and/or tactic name that are | direct |
| technique | 0..1 recommended Technique | The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/o... | direct |
| version | 0..1 recommended String | The ATT&CK® or ATLAS™ Matrix version | direct |
Usages
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | [{'slot_conditions': {'tactic': {'required': True}}}, {'slot_conditions': {'technique': {'required': True}}}, {'slot_conditions': {'sub_technique': {'required': True}}}] |
In Subsets
Aliases
- MITRE ATT&CK® & ATLAS™
See Also
Notes
- ATT&CK® Matrix — https://attack.mitre.org
- ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["tactic", "technique", "sub_technique"]} |
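The following validator is an added example, not part of the schema or of any OCSF tooling. It checks an Attack object (as a plain dict) against the slot cardinalities, the `at_least_one` constraint and the `tactics` deprecation stated on this page; the inner `uid`/`name` keys and all sample values are constructed assumptions.

```python
# Added example. Slot names, cardinalities and the at_least_one rule come from
# this page; the validate_attack() helper and the sample events are hypothetical.
SINGLE = {"mitigation", "sub_technique", "tactic", "technique"}  # 0..1 objects
RECOMMENDED = ("sub_technique", "tactic", "technique", "version")
AT_LEAST_ONE = ("tactic", "technique", "sub_technique")
AT_LEAST_ONE_MSG = "at_least_one: set tactic, technique or sub_technique"


def validate_attack(obj):
    """Return (errors, warnings) for one Attack object given as a dict."""
    errors, warnings = [], []
    for slot in sorted(set(obj) - (SINGLE | {"tactics", "version"})):
        errors.append(f"unknown slot: {slot}")
    for slot in sorted(SINGLE & set(obj)):
        if not isinstance(obj[slot], dict):
            errors.append(f"{slot}: expected a single object (0..1)")
    if "tactics" in obj:
        if not isinstance(obj["tactics"], list):
            errors.append("tactics: expected a list (multivalued)")
        warnings.append("tactics is deprecated since 1.1.0; use tactic")
    if "version" in obj and not isinstance(obj["version"], str):
        errors.append("version: expected a string")
    # The deprecated 'tactics' slot does not satisfy the constraint, and an
    # empty object ({}) is treated as not set.
    if not any(obj.get(slot) for slot in AT_LEAST_ONE):
        errors.append(AT_LEAST_ONE_MSG)
    for slot in RECOMMENDED:
        if slot not in obj:
            warnings.append(f"recommended slot missing: {slot}")
    return errors, warnings


# Constructed sample objects (inner uid/name keys are an assumption).
TACTIC = {"uid": "TA0006", "name": "Credential Access"}
TECHNIQUE = {"uid": "T1110", "name": "Brute Force"}
SAMPLES = {
    "current": {"tactic": TACTIC, "technique": TECHNIQUE, "version": "14.1"},
    "legacy_only_tactics": {"tactics": [TACTIC], "version": "14.1"},
    "malformed": {"technique": [TECHNIQUE], "mitre_id": "T1110"},
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        errs, warns = validate_attack(sample)
        print(label, "errors:", errs, "warnings:", warns)
```

A producer that still emits only the deprecated `tactics` list fails the constraint, which is the case worth checking in ingestion pipelines that predate 1.1.0.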
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Attack |
| native | ocsf:Attack |
| exact | attack:AttackPattern, capec:AttackPattern, stix:AttackPattern |
LinkML Source
Direct
```yaml
name: Attack
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["tactic", "technique", "sub_technique"]}'
description: 'The MITRE ATT&CK® & ATLAS™ object describes the tactic, technique,
  sub-technique & mitigation associated to an attack.'
notes:
- ATT&CK® Matrix — https://attack.mitre.org
- ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://attack.mitre.org
- https://atlas.mitre.org/matrices/ATLAS
aliases:
- MITRE ATT&CK® & ATLAS™
exact_mappings:
- attack:AttackPattern
- capec:AttackPattern
- stix:AttackPattern
is_a: Object
slots:
- mitigation
- sub_technique
- tactic
- tactics
- technique
- version
slot_usage:
  sub_technique:
    name: sub_technique
    recommended: true
  tactic:
    name: tactic
    recommended: true
  technique:
    name: technique
    recommended: true
  version:
    name: version
    description: The ATT&CK® or ATLAS™ Matrix version.
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        tactic:
          name: tactic
          required: true
    - slot_conditions:
        technique:
          name: technique
          required: true
    - slot_conditions:
        sub_technique:
          name: sub_technique
          required: true
  description: 'OCSF at_least_one: at least one of [''tactic'', ''technique'', ''sub_technique'']
    must be set.'
```
Induced
```yaml
name: Attack
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["tactic", "technique", "sub_technique"]}'
description: 'The MITRE ATT&CK® & ATLAS™ object describes the tactic, technique,
  sub-technique & mitigation associated to an attack.'
notes:
- ATT&CK® Matrix — https://attack.mitre.org
- ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://attack.mitre.org
- https://atlas.mitre.org/matrices/ATLAS
aliases:
- MITRE ATT&CK® & ATLAS™
exact_mappings:
- attack:AttackPattern
- capec:AttackPattern
- stix:AttackPattern
is_a: Object
slot_usage:
  sub_technique:
    name: sub_technique
    recommended: true
  tactic:
    name: tactic
    recommended: true
  technique:
    name: technique
    recommended: true
  version:
    name: version
    description: The ATT&CK® or ATLAS™ Matrix version.
    recommended: true
attributes:
  mitigation:
    name: mitigation
    description: 'The Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation
      ID
      and/or name that is associated to an attack.'
    notes:
    - ATT&CK® Matrix — https://attack.mitre.org
    - ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://attack.mitre.org
    - https://atlas.mitre.org/matrices/ATLAS
    aliases:
    - MITRE Mitigation
    rank: 1000
    alias: mitigation
    owner: Attack
    domain_of:
    - Attack
    range: Mitigation
  sub_technique:
    name: sub_technique
    description: 'The Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique
      ID
      and/or name associated to an attack.'
    notes:
    - ATT&CK® Matrix — https://attack.mitre.org
    - ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://attack.mitre.org
    - https://atlas.mitre.org/matrices/ATLAS
    aliases:
    - MITRE Sub-technique
    rank: 1000
    alias: sub_technique
    owner: Attack
    domain_of:
    - Attack
    range: SubTechnique
    recommended: true
  tactic:
    name: tactic
    description: 'The Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID
      and/or name
      that is associated to an attack.'
    notes:
    - ATT&CK® Matrix — https://attack.mitre.org
    - ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://attack.mitre.org
    - https://atlas.mitre.org/matrices/ATLAS
    aliases:
    - MITRE Tactic
    rank: 1000
    alias: tactic
    owner: Attack
    domain_of:
    - Attack
    range: Tactic
    recommended: true
  tactics:
    name: tactics
    description: 'The Tactic object describes the tactic ID and/or tactic name that
      are
      associated with the attack technique, as defined by <a target=''_blank''
      href=''https://attack.mitre.org/wiki/ATT&CK_Matrix''>ATT&CK® Matrix</a>.'
    deprecated: Use the <code>tactic</code> attribute instead. (since 1.1.0)
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Tactics
    rank: 1000
    alias: tactics
    owner: Attack
    domain_of:
    - Attack
    range: Tactic
    multivalued: true
  technique:
    name: technique
    description: 'The Technique object describes the MITRE ATT&CK® or ATLAS™ Technique
      ID and/or
      name associated to an attack.'
    notes:
    - ATT&CK® Matrix — https://attack.mitre.org
    - ATLAS™ Matrix — https://atlas.mitre.org/matrices/ATLAS
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://attack.mitre.org
    - https://atlas.mitre.org/matrices/ATLAS
    aliases:
    - MITRE Technique
    rank: 1000
    alias: technique
    owner: Attack
    domain_of:
    - Attack
    range: Technique
    recommended: true
  version:
    name: version
    description: The ATT&CK® or ATLAS™ Matrix version.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Version
    rank: 1000
    alias: version
    owner: Attack
    domain_of:
    - Os
    - Package
    - RpcInterface
    - Sbom
    - Scim
    - SoftwareComponent
    - Tls
    - Agent
    - AiModel
    - Analytic
    - Api
    - ApplicationObject
    - Attack
    - Certificate
    - Check
    - CisControl
    - CisCsc
    - Cvss
    - D3fend
    - Databucket
    - Epss
    - Extension
    - Feature
    - File
    - HttpRequest
    - Logger
    - ManagedEntity
    - Metadata
    - Policy
    - Product
    - ResourceDetails
    - Rule
    - Service
    - NtpActivity
    range: string
    recommended: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        tactic:
          name: tactic
          required: true
    - slot_conditions:
        technique:
          name: technique
          required: true
    - slot_conditions:
        sub_technique:
          name: sub_technique
          required: true
  description: 'OCSF at_least_one: at least one of [''tactic'', ''technique'', ''sub_technique'']
    must be set.'
```