ATT&CK IDs
⚠️🚧 Work in Progress
This document is a work in progress. Content may change, and some sections may be incomplete.
ATT&CK objects use multiple identifier systems to support different use cases and ensure compatibility with external frameworks.
STIX IDs
Every ATT&CK object (including relationships) contains a STIX ID in its id field.
STIX IDs are guaranteed to be globally unique and follow the STIX 2.1 specification format.
STIX IDs are the recommended method for programmatic object retrieval and referencing.
ATT&CK IDs
ATT&CK IDs are human-readable identifiers commonly used for referencing objects in documentation and communication. Each ATT&CK object type follows a specific ID format:
| ATT&CK concept | ID format |
|---|---|
| Matrix | domain identifier |
| Tactic | TAxxxx |
| Technique | Txxxx |
| Sub-Technique | Txxxx.yyy |
| Mitigation | Mxxxx |
| Group | Gxxxx |
| Software | Sxxxx |
| Data Source | DSxxxx |
| Data Component | DCxxxx |
| Campaign | Cxxxx |
| Asset | Axxxx |
| Detection Strategy | DETxxxx |
| Analytic | ANxxxx |
| Log Source | LSxxxx |
Important limitations:
- ATT&CK IDs are not guaranteed to be unique
- Matrices within the same domain share identical ATT&CK IDs
- Relationship objects do not have ATT&CK IDs
ATT&CK IDs are stored in the first external reference of applicable objects, which also includes a url field linking to the object's page on the ATT&CK Website.