---
title: "ATT&CK Tags | ThreatConnect"
slug: "attack-tags"
description: "This article describes ATT&CK Tags in ThreatConnect, including how to view them, identify objects to which they are applied, and apply them to objects. It also describes ATT&CK Tag conversion rules and how to configure them."
tags: ["Administrator", "Enriching Data"]
updated: 2025-10-02T20:13:30Z
published: 2025-10-02T20:13:30Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ATT&CK Tags

## Overview

An ATT&CK® Tag is a system-level Tag in ThreatConnect® that represents a [technique or sub-technique](https://attack.mitre.org/techniques/enterprise/) in the MITRE ATT&CK® [Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/). All ATT&CK Tags are formatted as: `T&lt;technique or sub-technique number&gt; - &lt;technique or sub-technique name&gt;`, as **in T1499 - Endpoint Denial of Service** and **T1499.004 - Endpoint Denial of Service: Application or System Exploitation**. ATT&CK Tags do not have an [owner](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect), and they cannot be deleted.

ATT&CK Tags are tied directly to the ThreatConnect [ATT&CK Visualizer](https://knowledge.threatconnect.com/docs/accessing-the-attack-visualizer), as they must be applied to a [Group](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#groups) in order to view the Group’s techniques and sub-techniques while using the ATT&CK Visualizer. In addition to Groups, you can apply ATT&CK Tags to [Indicators](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#indicators), [Intelligence Requirements (IRs)](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#intelligence-requirements), [Victims](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#victims), and [Workflow Cases](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#workflow-cases).

System Administrators can use pre-configured rules to convert [standard Tags](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#tags) to ATT&CK Tags based on whether they exactly or approximately match a specific ATT&CK Tag. These rules ensure that all users on a ThreatConnect instance use ATT&CK Tags to identify the techniques and sub-techniques associated with a particular object.

NoteATT&CK Tag conversion rules do not convert standard Tags named after deprecated ATT&CK techniques and sub-techniques to ATT&CK Tags.ImportantTags [copied from the **MITRE ATT&CK** Source](https://knowledge.threatconnect.com/docs/enriching-data-with-tags-from-the-mitre-attack-source) into one of your ThreatConnect owners are not ATT&CK Tags. Instead, they are legacy standard Tags named after ATT&CK techniques and sub-techniques (e.g., **T1059 - Command and Scripting Interpreter - EXE - ENT - ATT&CK**). If a Tag of this type has not been converted to an ATT&CK Tag and you apply it to a Group, you will not be able to view that technique when using the ATT&CK Visualizer while the Group is added as an analysis layer. Using ATT&CK Tags instead of these legacy standard Tags is recommended.ImportantATT&CK Tags cannot be used as synonymous Tags when configuring [Tag normalization rules](https://knowledge.threatconnect.com/docs/tag-normalization).

## Before You Start

### User Roles

- To view ATT&CK Tags applied to Groups, Indicators, IRs, and Victims in an Organization, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles).
- To view ATT&CK Tags applied to Groups, Indicators, IRs, and Victims in a Community or Source, your user account can have any [Community role](https://knowledge.threatconnect.com/docs/community-roles) except Banned for that Community or Source.
- To view ATT&CK Tags applied to Cases in an Organization, your user account can have any Organization role except App Developer.
- To view an ATT&CK Tag’s **Details**drawer and **Details**screen, your user account can have any Organization role.
- To apply ATT&CK Tags to Groups, Indicators, IRs, and Victims in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To apply ATT&CK Tags to Groups, Indicators, and Victims in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.
- To apply ATT&CK Tags to Cases in an Organization, your user account must have an Organization role of Standard User, Sharing User, or Organization Administrator.
- To add ThreatConnect owners to ATT&CK Tag conversion rules, your user account must have a [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions) of Administrator.

### Prerequisites

- To apply ATT&CK Tags to Cases, Workflow must be enabled for your Organization. To enable Workflow in your Organization, edit your Organization on the **Organizations**tab of the **Account Settings**screen and select the **Enable Workflow** checkbox on the **Permissions**tab of the **Organization Information** window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).

## Viewing ATT&CK Tags Applied to an Object

All areas of ThreatConnect that display an object’s Tags are divided into two subsections: **Standard Tags** and **ATT&CK Tags**. For example, Figure 1 shows the **Tags**section of the **Details**card on an object’s **Details** screen. In most areas of ThreatConnect, ATT&CK Tags can be identified by the **&** character before the Tag’s name.

![Figure 1_ATT&amp;CK Tags_7.10.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_ATT&amp;CK%20Tags_7.10.0.png)

## Identifying Objects That Have ATT&CK Tags

When [searching by object type](https://knowledge.threatconnect.com/docs/searching-by-object-type) on the [**Search**screen](https://knowledge.threatconnect.com/docs/searching-in-threatconnect)****for Groups, Indicators, IRs, and Victims,or when viewing Groups, Indicators, IRs, and Victims on the [**Legacy Browse**screen](https://knowledge.threatconnect.com/docs/the-browse-screen) , you can run an [advanced search](https://knowledge.threatconnect.com/docs/running-advanced-searches-with-tql) with [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql) to filter objects based on the ATT&CK Tags applied to them.

The query in the following example searches for objects with an ATT&CK Tag representing one of the specified technique IDs applied to them:

```none
hasTag(techniqueId is not null and techniqueId startswith ("T1486","T1490","T1027","T1047","T1036","T1059","T1562","T1112","T1204","T1055"))
```

For more information on using ATT&CK Tag–related TQL queries, see the [“Query for ATT&CK Tags” section of *Constructing Query Expressions*](https://knowledge.threatconnect.com/docs/constructing-query-expressions#query-for-attck-tags).

HintUse the [TQL Generator](https://knowledge.threatconnect.com/docs/tql-generator) to create TQL queries that filter your object set by applied ATT&CK Tags.

## Viewing ATT&CK Tag Details

On the [**Search: Tags**screen](/docs/attack-tags#viewing-attck-tags-in-search-tags) and the [**Legacy Browse**screen](/docs/attack-tags#viewing-attck-tags-in-legacy-browse), you can view all ATT&CK Tags and access an ATT&CK Tag’s **Details** drawer and **Details** screen.

NoteThe **Details** screen for ATT&CK Tags has two fields that are not available on the **Details** screen for standard Tags: **Associated Tactics** and **Platform(s)**.

### Viewing ATT&CK Tags in Search: Tags

Follow these steps to view only ATT&CK Tags on the **[](https://knowledge.threatconnect.com/docs/searching-tags)** [](https://knowledge.threatconnect.com/docs/searching-tags)[**Search: Tags**screen](https://knowledge.threatconnect.com/docs/searching-tags) [](https://knowledge.threatconnect.com/docs/searching-tags)**[](https://knowledge.threatconnect.com/docs/searching-tags)** and access an ATT&CK Tag’s **Details**drawer and **Details**screen:

1. From the **Search & Create** dropdown on the top navigation bar, select **Tags**.
2. From the Tag type dropdown at the upper right of the **Search: Tags**screen, select **ATT&CK Tag** to display only ATT&CK Tags in the results table.
3. To open an ATT&CK Tag’s [**Details**drawer](https://knowledge.threatconnect.com/v1/docs/the-details-drawer), click the ATT&CK Tag’s row or select **View Details**from the ATT&CK Tag’s **⋯** menu.
4. To open an ATT&CK Tag’s [**Details**screen](https://knowledge.threatconnect.com/docs/the-details-screen), click the ATT&CK Tag’s name/summary.

### Viewing ATT&CK Tags in Legacy Browse

Follow these steps to view only ATT&CK Tags on the [**Legacy Browse** screen](https://knowledge.threatconnect.com/docs/the-browse-screen) and access an ATT&CK Tag’s **Details**drawer and **Details**screen:

1. From the **Search & Create** dropdown on the top navigation bar, select **Legacy Browse**.
2. Select the **Tags** filter on the left side of the screen.
3. Turn on the **Advanced Search**toggle at the upper left of the screen.
4. Enter the following TQL query into the search bar:

```custom
techniqueId is not null
```
5. Click **Search![Search button](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Search%20drawer%20icon.png)**or press **Enter**to run the query and display only ATT&CK Tags in the results table.
6. To open an ATT&CK Tag’s [**Details**drawer](https://knowledge.threatconnect.com/v1/docs/the-details-drawer), click the ATT&CK Tag’s row.
7. To open an ATT&CK Tag’s [**Details**screen](https://knowledge.threatconnect.com/docs/the-details-screen), hover over the ATT&CK Tag’s row and click one of the following icons next to the ATT&CK Tag’s name/summary:
  - **View full details**![View full details_Browse](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/View%20full%20details_Browse.png): Open the **Details**screen in the current browser tab.
  - **View full details in new tab![View full details in new tab icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/View%20full%20details%20in%20new%20tab%20icon.png)**: Open the **Details**screen in a new browser tab.

## Applying ATT&CK Tags to an Object

Follow these steps to apply ATT&CK Tags to Groups, Indicators, IRs, Victims, or Cases:

1. Edit the Tags applied to a [Group, Indicator, IR, Victim](https://knowledge.threatconnect.com/docs/applying-tags), or [Case](https://knowledge.threatconnect.com/docs/case-details#tags).
2. Begin entering text into the **Tags**text box. If there are ATT&CK Tags that match part or all of the entered text, the menu below the **Tags**text box will display the Tags under the **ATT&CK Tags**heading (Figure 2).

![Figure 1_ATT&amp;CK Tags_7.2.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_ATT&amp;CK%20Tags_7.10.0.png)

ImportantIf there are standard Tags whose names match part or all of the entered text, they will be listed under the **Standard Tags**heading in the menu, which comes before the **ATT&CK Tags**heading. Scroll down to view the list of ATT&CK Tags under the **ATT&CK Tags**heading.
3. Select an ATT&CK Tag to add it to the **Tags**text box.
4. Repeat Steps 2 and 3 for each ATT&CK Tag to apply to the object.
5. Click **Confirm![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Confirm%20icon_Details%20screen.png)**to the right of the**Tags**text box.

## Converting Standard Tags to ATT&CK Tags

### Before Performing a Conversion

Before performing the ATT&CK Tag conversion process on an owner’s standard Tags, which is irreversible, review the following recommended tips:

- If an owner contains standard Tags with common names that match the names of ATT&CK techniques (e.g., Phishing, Rootkit, Email Collection, etc.), verify whether you want to convert them to ATT&CK Tags. If you do not want to convert them, rename the standard Tags, or use [Tag normalization rules](https://knowledge.threatconnect.com/docs/tag-normalization) to convert them to a main Tag whose name does not match an ATT&CK technique. For example, if you use a standard Tag named **Phishing**and you do not want to convert it to the **T1566 – Phishing**ATT&CK Tag, use either of these methods to change that standard Tag’s name to something like **Phishing Attack**, which does not match an ATT&CK technique.
- If you leverage [TQL](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql)queries (e.g., in dashboard cards), review those queries and determine whether they will need to be updated based on the results of the ATT&CK Tag conversion process. The following examples demonstrate scenarios where an existing query may need to be updated after completing the ATT&CK Tag conversion process:
  - If you use a query such as `summary contains "t1001"` to return only Tags whose summary contains the technique ID “T1001,”, use `techniqueId startswith "t1001"` instead to return all ATT&CK Tags that map to the “T1001” technique ID.
  - If you use a query such as `summary contains "ent – att&amp;ck"` to return only Tags named after Enterprise techniques and sub-techniques, use `techniqueId is not null` instead to return all ATT&CK Tags that map to Enterprise techniques and sub-techniques.
- If you use Playbooks that execute when a specific Tag is applied to or removed from an object, review the Playbooks and verify whether they need to be updated based on the results of the ATT&CK Tag conversion process. For example, if you use a Playbook that executes when a Tag whose summary contains “ENT – ATT&CK” is applied to an Indicator, you may need to update the Trigger's configuration, as ATT&CK Tags do not include that specific text in their summaries.

### ATT&CK Tag Conversion Rules

Table 1 describes the pre-configured ATT&CK Tag conversion rules that System Administrators can add owners to in order to convert standard Tags in the owners to ATT&CK Tags.

| Rule Name | Description | Example Matches |
| --- | --- | --- |
| Exact Match | The **Exact Match** rule converts standard Tags that have the same name as an ATT&CK technique/sub-technique or the same combination of technique/sub-technique ID and name to the corresponding ATT&CK Tag. | The following Tags would be converted to the **T1055 - Process Injection**ATT&CK Tag: - T1055 - Process Injection - t1055 - process injection - Process Injection - process injection |
| Approximate Match | The **Approximate Match** rule converts standard Tags that start with the letter “T” followed by a set of digits that map to a technique/sub-technique ID (e.g., T1055, T1055.001) to the corresponding ATT&CK Tag. | The following Tags would be converted to the **T1055 - Process Injection**ATT&CK Tag: - T1055 - t1055 - T1055_Process injection - t1055: Injecting code into processes |

ImportantBy default, all newly created Tags that meet the **Exact Match**rule’s conditions are converted to ATT&CK Tags, regardless of whether their owner is added to the rule. If an owner is added to the **Exact Match**rule, existing Tags in the owner that meet the rule’s conditions will also be converted to ATT&CK Tags. If an owner is added to the **Approximate Match**rule, existing Tags in the owner that meet the rule’s conditions will be converted to ATT&CK Tags, and newly created Tags that meet the conditions of the **Exact Match**or **Approximate Match**rule will be converted to ATT&CK Tags.

### Adding an Owner to a Conversion Rule

Follow these steps to add a ThreatConnect owner to an ATT&CK Tag conversion rule:

1. From the **Settings![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)**menu on the top navigation bar, select **System Settings**.
2. On the **System Settings**screen, select the **Tags**tab. Then click **ATT&CK Tag Conversion**in the sidebar.
3. On the **ATT&CK Tag Conversion**screen (Figure 3), expand the conversion rule you want to add an owner to, and then click **+ Add Owners**.  
![Figure 3_ATT&amp;CK Tags_7.2.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_ATT&amp;CK%20Tags_7.3.0.png)
4. On the **Add Owners**window (Figure 4), do the following to add one or more owners to the conversion rule:  
![Figure 4_ATT&amp;CK Tags_7.2.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_ATT&amp;CK%20Tags_7.2.0.png)
  1. Select each owner to add to the conversion rule.ImportantYou can add an owner to only one conversion rule. If an owner is already added to a conversion rule, that rule will be listed in the **Current Rule** column on the **Add Owners** window. Adding an owner to another conversion rule while it is already added to a conversion rule will remove it from the previous rule.
  2. (Optional) To view the standard Tags in an owner that match the conversion rule and the ATT&CK Tags they will be converted to, click **Preview![Preview icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Preview%20icon.png)**on the right side of the owner’s row. It is recommended to preview the standard Tags that will be converted to ATT&CK Tags for each selected owner, as the conversion process will remove the standard Tags from the owners.
  3. Click **SAVE**.
5. On the **Convert Existing Tags**window, click **Convert**to start the conversion process for each owner added to the conversion rule.WarningThe conversion process cannot be stopped once started and is irreversible. As part of the conversion process, standard Tags that are converted to ATT&CK Tags will be removed from the selected owners.

The **Status**column on the **ATT&CK Tag Conversion**screen displays the status of the conversion process for each owner. If the conversion process is queued or in progress, the **Status**column will display **Queued**for the owner. After the conversion process is complete, the **Status**column will display **Converted**for the owner. To refresh the **Status**column manually, click **Refresh**at the upper right of the **ATT&CK Tag Conversion**screen.

### Rerunning the Conversion Process

To rerun the conversion process for an owner added to a conversion rule, expand the conversion rule on the **ATT&CK Tag Conversion**screen, and then click **Rerun Merge![Rerun icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Rerun%20icon.png)**on the right side of the owner’s row. The conversion process will start immediately, and you will not be prompted for confirmation.

### Removing an Owner From a Conversion Rule

To remove an owner from a conversion rule, expand the conversion rule on the **ATT&CK Tag Conversion**screen, and then click **Delete![Trash icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Trash%20icon_Black.png)**on the right side of the owner’s row.

ImportantRemoving an owner from a conversion rule does not revert previous conversion processes that were run on its standard Tags. Also, any new Tags created in the owner that meet the **Exact Match**rule’s conditions will still be converted to ATT&CK Tags.

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.*

20151-02 v.02.A