This document describes Version 4.2 of the MITRE ATT&CK Navigator Layer file format. The ATT&CK Navigator stores layers as JSON, therefore this document defines the JSON properties in a layer file.
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
versions | Version object | No | See Version object definition below | |
name | String | Yes | n/a | The name of the layer |
description | String | No | "" | A free-form text field that describes the contents or intent of the layer |
domain | String | Yes | n/a | Technology domain that this layer represents. Valid values are: "enterprise-attack", "mobile-attack", "ics-attack" |
filters | Filter object | No | See Filter object definition below | |
sorting | Number | No | 0 | Specifies the ordering of the techniques within each tactic category as follows: 0: sort ascending alphabetically by technique name; 1: sort descending alphabetically by technique name; 2: sort ascending by technique score; 3: sort descending by technique score |
layout | Layout object | No | See definition of Layout object below | |
hideDisabled | Boolean | No | false | Specifies whether techniques that have been disabled are still displayed (greyed-out) or omitted from the view as follows: true: omit techniques marked as disabled from the view; false: include disabled techniques in the view but display them greyed-out |
techniques | Array of Technique objects | No | See definition of Technique object below | |
gradient | Gradient object | No | Red to Green, minValue=0, maxValue=100 | See definition of Gradient object below |
legendItems | Array of LegendItem objects | No | See definition of LegendItem object below | |
showTacticRowBackground | Boolean | No | false | If true, the tactic row background color will be the value of the tacticRowBackground field |
tacticRowBackground | String | No | "#dddddd" | The tactic row background color |
selectTechniquesAcrossTactics | Boolean | No | true | If true, selecting a technique also selects all instances with the same technique ID. See also selectSubtechniquesWithParent |
selectSubtechniquesWithParent | Boolean | No | true | If true, selecting a technique will also select all subtechniques of the technique. See also selectTechniquesAcrossTactics |
metadata | Array of Metadata objects | No | | User defined metadata for this layer. See definition of Metadata object |
Filter object properties:
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
platforms | Array of String | No | all platforms within domain | Specifies the platforms within the technology domain - only those techniques tagged with these platforms are to be displayed. Valid values are as follows: domain=enterprise-attack: "PRE", "Windows", "Linux", "macOS", "Network", "AWS", "GCP", "Azure", "Azure AD", "Office 365", "SaaS"; domain=mobile-attack: "Android", "iOS"; domain=ics-attack: "Windows", "Control Server", "Data Historian", "Engineering Workstation", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" |
Version object properties:
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
attack | String | No | Current version of ATT&CK: "9" | ATT&CK version of this layer |
navigator | String | Yes | Must be "4.4.1" | |
layer | String | Yes | Must be "4.2" | |
Technique objects are used to store both techniques and subtechniques. The only difference in representation between a technique and a subtechnique is in the techniqueID field, which for subtechniques is the parent technique ID followed by the subtechnique-id suffix.
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
techniqueID | String | Yes | n/a | Unique identifier of the ATT&CK technique, e.g. "T####". For subtechniques, the format is "T####.###", where the substring to the left of the decimal is the parent technique ID, and the right-side substring is the subtechnique ID suffix. |
tactic | String | No | n/a | Unique identifier of the ATT&CK technique's tactic, e.g. "lateral-movement". If the field is not present, the annotations for the technique will appear under every tactic the technique belongs to |
comment | String | No | "" | Free-text field |
enabled | Boolean | No | true | Specifies if the technique is considered enabled or disabled in this layer |
score | Number | No | (unscored) | Optional numeric score assigned to this technique in the layer. If omitted, the technique is considered to be "unscored" meaning that it will not be assigned a color from the gradient by the Navigator |
color | String | No | "" | Explicit color value assigned to the technique in this layer. Note that explicitly defined color overrides any color implied by the score - the Navigator will display the technique using the explicitly defined color |
metadata | Array of Metadata objects and Metadata Separator objects | No | | User defined metadata for this technique. See definition of Metadata object and Metadata Separator object below |
showSubtechniques | Boolean | No | false | If true, the sub-techniques under this technique will be shown by default. This field is only valid under a technique with subtechniques. Note that subtechniques can still be shown/hidden using the UI controls - this field is simply the default state. |
Gradient object properties:
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
colors | Array of String | Yes | n/a | Specifies the hexadecimal RGB color values that constitute the color spectrum in use. The array must contain at least two (2) values, corresponding to the minValue and maxValue scores |
minValue | Number | Yes | n/a | Lower bound score of the gradient |
maxValue | Number | Yes | n/a | Upper bound score of the gradient. Note: maxValue must be > minValue |
LegendItem object properties:
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
label | String | Yes | n/a | The name of the legend item |
color | String | Yes | n/a | The color of the legend item |
Metadata object properties:
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
name | String | Yes | n/a | The name of the metadata |
value | String | Yes | n/a | The value of the metadata |
Metadata Separator object properties:
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
divider | Boolean | Yes | n/a | If true, display a horizontal separator in the metadata tooltip where this object occurs in the list of metadata |
Layout object properties:
Name | Type | Required? | Default Value (if not present) | Description |
---|---|---|---|---|
layout | String | No | "side" | The layout of the matrix. Either "side", "flat" or "mini" |
showID | Boolean | No | false | If true, show the ATT&CK ID of techniques and tactics in the matrix |
showName | Boolean | No | true | If true, show the name of techniques and tactics in the matrix |
showAggregateScores | Boolean | No | false | If true, show the aggregate scores of techniques and their subtechniques in the matrix |
countUnscored | Boolean | No | false | If true, count the unscored techniques in the calculation of the aggregate score of techniques in the matrix |
aggregateFunction | String | No | "average" | The aggregate function used to calculate aggregate scores for techniques in the matrix. Either "average", "min", "max" or "sum" |
The following example illustrates the layer file format:
```json
{
    "name": "example layer",
    "versions": {
        "attack": "8",
        "navigator": "4.4.4",
        "layer": "4.2"
    },
    "domain": "enterprise-attack",
    "description": "hello, world",
    "filters": {
        "platforms": [
            "Windows",
            "macOS"
        ]
    },
    "sorting": 2,
    "layout": {
        "layout": "side",
        "showName": true,
        "showID": false,
        "showAggregateScores": true,
        "countUnscored": true,
        "aggregateFunction": "average"
    },
    "hideDisabled": false,
    "techniques": [
        {
            "techniqueID": "T1110",
            "score": 0,
            "color": "#fd8d3c",
            "comment": "This is a comment for technique T1110",
            "showSubtechniques": true
        },
        {
            "techniqueID": "T1110.001",
            "score": 100,
            "comment": "This is a comment for T1110.001 - the first subtechnique of technique T1110.001"
        },
        {
            "techniqueID": "T1134",
            "tactic": "defense-evasion",
            "score": 75,
            "comment": "this is a comment for T1134 which is only applied on the defense-evasion tactic"
        },
        {
            "techniqueID": "T1078",
            "tactic": "discovery",
            "enabled": false
        },
        {
            "techniqueID": "T1053",
            "tactic": "privilege-escalation",
            "metadata": [
                {
                    "name": "T1053 metadata1",
                    "value": "T1053 metadata1 value"
                },
                {
                    "divider": true
                },
                {
                    "name": "T1053 metadata2",
                    "value": "T1053 metadata2 value"
                }
            ]
        }
    ],
    "gradient": {
        "colors": [
            "#ff6666",
            "#ffe766",
            "#8ec843"
        ],
        "minValue": 0,
        "maxValue": 100
    },
    "legendItems": [
        {
            "label": "Legend Item Label",
            "color": "#FF00FF"
        }
    ],
    "showTacticRowBackground": true,
    "tacticRowBackground": "#dddddd",
    "selectTechniquesAcrossTactics": false,
    "selectSubtechniquesWithParent": false,
    "metadata": [
        {
            "name": "layer metadata 1",
            "value": "layer metadata 1 value"
        },
        {
            "name": "layer metadata 2",
            "value": "layer metadata 2 value"
        }
    ]
}
```
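Teams that generate layers from detection-coverage or assessment data can check the constraints in the tables above before loading a file into the Navigator. The validator below is an added example, not code from the ATT&CK Navigator project; the names `validate_layer` and `_metadata_errors` are hypothetical, the six-digit `#rrggbb` pattern for gradient colors is an assumption, and `versions.navigator` is checked only for presence.

```python
import re

# Constraints below are taken from the property tables of this specification.
DOMAINS = ("enterprise-attack", "mobile-attack", "ics-attack")
TECHNIQUE_ID = re.compile(r"T\d{4}(\.\d{3})?")   # "T####" or "T####.###"
HEX_RGB = re.compile(r"#[0-9a-fA-F]{6}")         # assumption: 6-digit "#rrggbb"

def _metadata_errors(items, where, allow_divider):
    """Entries are Metadata objects; techniques may also hold separators."""
    errs = []
    for i, m in enumerate(items):
        ok = isinstance(m, dict) and (
            (isinstance(m.get("name"), str) and isinstance(m.get("value"), str))
            or (allow_divider and isinstance(m.get("divider"), bool)))
        if not ok:
            errs.append(f"{where}.metadata[{i}]: not a valid metadata entry")
    return errs

def validate_layer(layer):
    """Return a list of violations; an empty list means the layer conforms."""
    errs = []
    if not isinstance(layer.get("name"), str):
        errs.append("name: required string")
    if layer.get("domain") not in DOMAINS:
        errs.append("domain: not a valid technology domain")
    versions = layer.get("versions")
    if versions is not None:
        if versions.get("layer") != "4.2":
            errs.append('versions.layer: must be "4.2"')
        if not isinstance(versions.get("navigator"), str):
            errs.append("versions.navigator: required string")
    if layer.get("sorting", 0) not in (0, 1, 2, 3):
        errs.append("sorting: must be 0, 1, 2 or 3")
    for i, t in enumerate(layer.get("techniques", [])):
        where = f"techniques[{i}]"
        if not TECHNIQUE_ID.fullmatch(str(t.get("techniqueID", ""))):
            errs.append(f"{where}.techniqueID: expected T#### or T####.###")
        errs += _metadata_errors(t.get("metadata", []), where, True)
    grad = layer.get("gradient")
    if grad is not None:
        colors = grad.get("colors", [])
        if len(colors) < 2 or not all(HEX_RGB.fullmatch(str(c)) for c in colors):
            errs.append("gradient.colors: need at least two hex RGB values")
        lo, hi = grad.get("minValue"), grad.get("maxValue")
        if not all(isinstance(v, (int, float)) for v in (lo, hi)) or hi <= lo:
            errs.append("gradient: maxValue must be > minValue")
    return errs + _metadata_errors(layer.get("metadata", []), "layer", False)
```

Pass it the result of `json.load()` on a layer file; each returned string names the offending property path.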