Mitigation Schema

Mitigation

Mitigations represent defensive measures or controls that can reduce the effectiveness of adversary techniques. They are defined as course-of-action objects and strictly follow the STIX 2.1 specification without additional custom fields.

ATT&CK ID Collisions (Legacy)

Historical context: In ATT&CK versions prior to v5 (July 2019), mitigations maintained 1:1 relationships with techniques and shared identical ATT&CK IDs. This design was deprecated to support more flexible mitigation-to-technique mappings.

Current impact: Legacy 1:1 mitigations may cause ATT&CK ID collisions between mitigations and techniques. These deprecated objects can be filtered out during queries.

Object containing the following properties:

Property	Description	Type
id (*)		string
type (*)		'course-of-action'
spec_version (*)	The version of the STIX specification used to represent this object.	'2.1'
created (*)	The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest millisecond.	string (ISO 8601)
modified (*)	The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest millisecond.	string (ISO 8601)
created_by_ref (*)	The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous.	string
labels	The labels property specifies a set of terms used to meta this object.	Array<string (_min length: 1_)> (min: 1)
revoked	The revoked property indicates whether the object has been revoked.	boolean
confidence	Identifies the confidence that the creator has in the correctness of their data.	number (int, ≥1, ≤99)
lang	Identifies the language of the text content in this object.	string (min length: 1)
external_references (*)	A list of external references with the first containing a valid ATT&CK ID	Array of at least 1 objects: source_name (*): string (min length: 1) description: string (min length: 1) url: string (url) external_id: string (min length: 1)
object_marking_refs (*)	The list of marking-definition objects to be applied to this object.	Array<string (_startsWith: marking-definition--_)>
granular_markings	The set of granular markings that apply to this object.	Array of objects: lang: string (min length: 1) - The lang property identifies the language of the text identified by this marking. The value of the lang property, if present, MUST be an [RFC5646] language code. If the marking_ref property is not present, this property MUST be present. If the marking_ref property is present, this property MUST NOT be present. marking_ref: string - The marking_ref property specifies the ID of the marking-definition object that describes the marking. If the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present. selectors (*): Array<string (_min length: 1_)> (min: 1) - The selectors property specifies a list of selectors for content contained within the STIX Object in which this property appears.
extensions	Specifies any extensions of the object, as a dictionary where keys are extension definition UUIDs	Object with dynamic keys of type string (min length: 1) and values of type Object with properties: extension_type (*): 'new-sdo' | 'new-sco' | 'new-sro' | 'property-extension' | 'toplevel-property-extension' or Object with dynamic keys of type string (min length: 1) and values of type unknown
name (*)	The name of the object.	string (min length: 1)
x_mitre_attack_spec_version (*)	The version of the ATT&CK spec used by the object. This field helps consuming software determine if the data format is supported. If the field is not present on an object, the spec version will be assumed to be 2.0.0. Refer to the ATT&CK CHANGELOG for all supported versions.	string (min length: 1, regex: /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$/)
x_mitre_version (*)	Represents the version of the object in a 'major.minor' format, where both 'major' and 'minor' are integers between 0 and 99. This versioning follows semantic versioning principles but excludes the patch number. The version number is incremented by ATT&CK when the content of the object is updated. This property does not apply to relationship objects.	string (min length: 1, regex: /^(\d{1,2})\.(\d{1,2})$/)
x_mitre_old_attack_id		string (min length: 1)
x_mitre_deprecated	Indicates whether the object has been deprecated.	boolean
description (*)	A description that provides more details and context about the Mitigation.	string (min length: 1)
x_mitre_domains (*)	The technology domains to which the ATT&CK object belongs.	Array<'enterprise-attack' | 'mobile-attack' | 'ics-attack'> (min: 1)
x_mitre_modified_by_ref (*)	The STIX ID of the MITRE identity object. Used to track the identity of the MITRE organization, which created the current version of the object. Previous versions of the object may have been created by other individuals or organizations.	'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5'
x_mitre_contributors		Array<string (_min length: 1_)> (min: 1, min: 1)

(*) Required.