---
title: "MITRE ATT&CK App Data Mappings | ThreatConnect"
slug: "mitre-attack-app-data-mappings"
description: "This article provides data mappings for the MITRE ATT&CK App and describes how each ThreatConnect object created by the App corresponds to the information provided for the object in the MITRE ATT&CK database."
tags: ["Viewing Data"]
updated: 2024-01-23T14:52:01Z
published: 2024-01-23T14:52:01Z
canonical: "knowledge.threatconnect.com/mitre-attack-app-data-mappings"
---

# MITRE ATT&CK App Data Mappings

The following sections illustrate how data created by the **MITRE ATT&CK®** App are mapped in ThreatConnect and describe how each ThreatConnect object created by the App corresponds to the information provided for the object in the MITRE ATT&CK database.

## ThreatConnect Data Model Mappings

Table 1 shows how each ATT&CK® data type is mapped to the [ThreatConnect data model](https://knowledge.threatconnect.com/v1/docs/the-threatconnect-data-model) for data created by the **MITRE ATT&CK** App.

| ATT&CK Data Type | ThreatConnect Object Type | Name Format in Object's Summary | MITRE ATT&CK Website Link |
| --- | --- | --- | --- |
| Tactic | Tactic, Tag | **Tactic**: TA*xxxx* Tactic Name ***Example***: TA0004 Privilege Escalation **Tag**: Tactic-Name ***Example***: Privilege-Escalation | [Enterprise ATT&CK Tactics](https://attack.mitre.org/tactics/enterprise/) |
| Technique | Attack Pattern | T*xxxx* Technique Name ***Example***: T1548 Abuse Elevation Control Mechanism | [Enterprise ATT&CK Techniques](https://attack.mitre.org/techniques/enterprise/) |
| Sub-Technique | Attack Pattern | T*xxxx*.*xxx* Sub-Technique Name ***Example***: T1548.001 Setuid and Setgid | [Enterprise ATT&CK Techniques](https://attack.mitre.org/techniques/enterprise/) |
| Software | Malware, Tool | Software Name ***Example***: WindTail | [Enterprise ATT&CK Software](https://attack.mitre.org/software/) |
| Group | Intrusion Set | Group Name ***Example***: Chimera | [Enterprise ATT&CK Groups](https://attack.mitre.org/groups/) |

## ATT&CK Data Type Mappings

Table 2 through Table 5 illustrate how STIX™ fields for each ATT&CK data type are mapped in ThreatConnect. The information provided in the [**Attributes** card](https://knowledge.threatconnect.com/docs/attributes) on the **Overview** tab of the [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen) for each Group object created by the **MITRE ATT&CK** App corresponds to the information provided for the ATT&CK object in the MITRE ATT&CK database.

### ATT&CK Tactics

ThreatConnect object type: Tactic Group

| ATT&CK STIX Field | ThreatConnect Mapping | Pivotable? |
| --- | --- | --- |
| name | Name/Summary | No |
| id | Attribute: External ID | Yes |
| external_references/url, external_references/description, x_mitre_contributors | Attribute: External References (concatenated), Attribute: Source | Yes |
| description | Attribute: Description | No |
| kill_chain_phases/phase_name | Tag | Yes |
| modified | Attribute: External Date Last Modified | Yes |
| created | Attribute: External Date Created | Yes |
| x_mitre_platforms, x_mitre_permissions_required | Attribute: Capabilities (concatenated) | Yes |
| x_mitre_detection, x_mitre_data_sources | Attribute: Additional Analysis and Context (concatenated) | No |

### ATT&CK Techniques and Sub-Techniques

ThreatConnect object type: Attack Pattern Group

| ATT&CK STIX Field | ThreatConnect Mapping | Pivotable? |
| --- | --- | --- |
| name | Name/Summary | No |
| id | Attribute: External ID | Yes |
| external_references/url, external_references/description, x_mitre_contributors | Attribute: External References (concatenated), Attribute: Source | Yes |
| description | Attribute: Description | No |
| kill_chain_phases/phase_name | Tag | Yes |
| modified | Attribute: External Date Last Modified | Yes |
| created | Attribute: External Date Created | Yes |
| x_mitre_platforms, x_mitre_permissions_required | Attribute: Capabilities (concatenated) | Yes |
| x_mitre_detection, x_mitre_data_sources | Attribute: Additional Analysis and Context (concatenated) | No |

### ATT&CK Groups

ThreatConnect object type: Intrusion Set Group

| ATT&CK STIX Field | ThreatConnect Mapping | Pivotable? |
| --- | --- | --- |
| name | Name/Summary | No |
| id | Attribute: External ID | Yes |
| description | Attribute: Description | No |
| external_references/url, external_references/description, x_mitre_contributors | Attribute: External References (concatenated), Attribute: Source | Yes |
| aliases | Attribute: Aliases | Yes |
| modified | Attribute: External Date Last Modified | Yes |
| created | Attribute: External Date Created | Yes |

### ATT&CK Software

ThreatConnect object types: Malware Group; Tool Group

| ATT&CK STIX Field | ThreatConnect Mapping | Pivotable? |
| --- | --- | --- |
| name | Name/Summary | No |
| id | Attribute: External ID | Yes |
| description | Attribute: Description | No |
| external_references/url, external_references/description, x_mitre_contributors | Attribute: External References (concatenated), Attribute: Source | Yes |
| aliases | Attribute: Aliases | Yes |
| modified | Attribute: External Date Last Modified | Yes |
| created | Attribute: External Date Created | Yes |
| x_mitre_platforms | Attribute: Capabilities | Yes |

## Associations

Groups created by the **MITRE ATT&CK** App are [associated](/v1/docs/associations) to each other according to their relationships in the MITRE ATT&CK framework. For example, all techniques and sub-techniques (Attack Pattern Groups in ThreatConnect) used by a given software will be associated to the Malware or Tool Group representing the software in ThreatConnect. These associations are shown on the [**Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab) of the [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen) and the [**Associations** card](https://knowledge.threatconnect.com/docs/the-associations-card) on the **Overview** tab of the [legacy **Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy) for the Group object. Similarly, if an ATT&CK group uses a number of techniques, sub-techniques, and software, all of the objects representing those items will be associated to the Intrusion Set Group representing the ATT&CK group in ThreatConnect.

If an ATT&CK technique has sub-techniques, the Attack Pattern Groups for the sub-techniques will be associated with the Attack Pattern Group representing the parent technique in ThreatConnect.

**Note:** Sub-techniques for a given parent technique are not directly associated to each other; instead, they are linked through a second-level association via the parent technique.
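The association rules above can be modelled from ATT&CK STIX relationship objects. The following is an added example, not the App's own code: the short ids, "Example Tool", "Example Group" and the relationships are constructed, and treating an association as bidirectional is an assumption.

```python
from collections import defaultdict

# Constructed sample: short placeholder ids stand in for STIX "type--UUID" ids.
NAMES = {
    "ap--parent": "T1548 Abuse Elevation Control Mechanism",
    "ap--sub1": "T1548.001 Setuid and Setgid",
    "ap--sub2": "T1548.002 Bypass User Account Control",
    "tool--x": "Example Tool",    # hypothetical software
    "set--x": "Example Group",    # hypothetical ATT&CK group
}
RELATIONSHIPS = [  # constructed; not taken from the ATT&CK database
    {"relationship_type": "subtechnique-of", "source_ref": "ap--sub1", "target_ref": "ap--parent"},
    {"relationship_type": "subtechnique-of", "source_ref": "ap--sub2", "target_ref": "ap--parent"},
    {"relationship_type": "uses", "source_ref": "tool--x", "target_ref": "ap--sub1"},
    {"relationship_type": "uses", "source_ref": "set--x", "target_ref": "tool--x"},
    {"relationship_type": "uses", "source_ref": "set--x", "target_ref": "ap--sub2"},
    # Relationship types the page does not describe are skipped.
    {"relationship_type": "mitigates", "source_ref": "coa--x", "target_ref": "ap--sub1"},
]

def build_associations(relationships):
    """Map each object id to the ids it would be directly associated with."""
    assoc = defaultdict(set)
    for rel in relationships:
        if rel.get("relationship_type") not in ("uses", "subtechnique-of"):
            continue
        src, dst = rel["source_ref"], rel["target_ref"]
        assoc[src].add(dst)   # assumption: associations are visible from both ends
        assoc[dst].add(src)
    return dict(assoc)

def second_level(assoc, node):
    """Ids reachable in exactly two hops that are not direct associations."""
    direct = assoc.get(node, set())
    reached = {n for mid in direct for n in assoc.get(mid, set())}
    return reached - direct - {node}

if __name__ == "__main__":
    graph = build_associations(RELATIONSHIPS)
    for oid in sorted(graph):
        direct = sorted(NAMES[n] for n in graph[oid])
        via = sorted(NAMES[n] for n in second_level(graph, oid))
        print(f"{NAMES[oid]}\n  direct: {direct}\n  second-level: {via}")
```

The two sub-techniques never appear in each other's direct set; each reaches the other only through the parent technique.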

## Tags

Groups created by the **MITRE ATT&CK** App will have one or more [standard Tags](https://knowledge.threatconnect.com/docs/applying-tags) or [ATT&CK Tags](https://knowledge.threatconnect.com/docs/attack-tags) applied to them, depending on the Group’s type.

**Important:** If you are using the **MITRE ATT&CK** App version 2.0.3 or newer on a ThreatConnect instance with version 7.1.3 or older installed, standard Tags representing techniques and sub-techniques will be applied to Intrusion Set, Malware, Tactic, and Tool Groups instead of ATT&CK Tags.

### Tactic Groups (ATT&CK Tactics)

The following Tags will be applied to Tactic Groups representing ATT&CK tactics:

- A standard Tag representing the ATT&CK tactic to which the Group corresponds. If there are multiple words in a tactic’s name, they will be separated by hyphens in the Tag’s name (e.g., **Defense-Evasion**, **Privilege-Escalation**).
- One or more ATT&CK Tags representing each technique and sub-technique the tactic comprises. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.

### Attack Pattern Groups (ATT&CK Techniques and Sub-Techniques)

The following Tags will be applied to Attack Pattern Groups representing ATT&CK techniques and sub-techniques:

- A standard Tag named **Enterprise ATT&CK** to indicate that the technique or sub-technique belongs to the MITRE ATT&CK Enterprise framework.
- A standard Tag representing the parent tactic for the technique or sub-technique. If there are multiple words in a tactic’s name, they will be separated by hyphens in the Tag’s name (e.g., **Defense-Evasion**, **Privilege-Escalation**).
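To predict the Summary, Tags and Attributes to search for, the name format from Table 1, the Techniques and Sub-Techniques field table, and the two Tag rules above can be applied to an ATT&CK STIX object. This is an added example, not the App's code: the sample objects are constructed, the output is a plain dict rather than a ThreatConnect API payload, and the `", "` separator for concatenated values is an assumption.

```python
# Constructed ATT&CK STIX objects (UUID, dates and description are placeholders).
TACTICS = [
    {"type": "x-mitre-tactic", "name": "Privilege Escalation",
     "x_mitre_shortname": "privilege-escalation"},
    {"type": "x-mitre-tactic", "name": "Defense Evasion",
     "x_mitre_shortname": "defense-evasion"},
]
TECHNIQUE = {
    "type": "attack-pattern",
    "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
    "name": "Setuid and Setgid",
    "description": "Constructed description text.",
    "created": "2020-01-01T00:00:00.000Z",
    "modified": "2023-01-01T00:00:00.000Z",
    "kill_chain_phases": [
        {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
        {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
    ],
    "x_mitre_platforms": ["Linux", "macOS"],
    "external_references": [{"source_name": "mitre-attack", "external_id": "T1548.001"}],
}

def attack_id(obj):
    """Return the ATT&CK ID carried in the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
            return ref["external_id"]
    raise ValueError("object has no mitre-attack external_id")

def map_attack_pattern(obj, tactics):
    """Build the expected Attack Pattern Group fields as a plain dict."""
    names = {t["x_mitre_shortname"]: t["name"] for t in tactics}
    tags = ["Enterprise ATT&CK"]
    for phase in obj.get("kill_chain_phases", []):
        if phase.get("kill_chain_name") != "mitre-attack":
            continue
        # Tag rule from the page: words of the tactic name joined by hyphens.
        tags.append("-".join(names[phase["phase_name"]].split()))
    caps = obj.get("x_mitre_platforms", []) + obj.get("x_mitre_permissions_required", [])
    return {
        "summary": f"{attack_id(obj)} {obj['name']}",  # Table 1 name format
        "tags": tags,
        "attributes": {
            "External ID": obj["id"],  # the field table maps the STIX `id` field
            "Description": obj.get("description", ""),
            "External Date Created": obj["created"],
            "External Date Last Modified": obj["modified"],
            "Capabilities": ", ".join(caps),  # separator is an assumption
        },
    }
```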

### Intrusion Set Groups (ATT&CK Groups)

Intrusion Set Groups representing ATT&CK groups may have one or more ATT&CK Tags representing each technique and sub-technique used by the ATT&CK group, if any. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.

### Malware and Tool Groups (ATT&CK Software)

Malware and Tool Groups representing ATT&CK software may have one or more ATT&CK Tags representing each technique and sub-technique used by the ATT&CK software, if any. If an ATT&CK Tag does not exist for a technique or sub-technique, a standard Tag representing it will be applied instead.

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc. MITRE ATT&CK® and ATT&CK® are registered trademarks, and STIX™ is a trademark, of The MITRE Corporation.*

20119-08 v.04.A
