This document describes the formatting of the control frameworks and mappings in STIX2.0 JSON. You can find the STIX data in the `/frameworks/` folder.
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. To find out more about STIX, please see the STIX 2.0 website.
The control and mapping data in this repository uses the STIX 2.0 format as follows:
- Both controls and mappings are represented in STIX2.0 JSON.
- Controls are represented as course-of-actions.
- Relationships of type `subcontrol-of` map sub-controls to their parent controls for frameworks which have hierarchical controls.
- `x_mitre_` properties are added to control `course-of-action` objects for additional properties depending on the control framework, such as the control family (`x_mitre_family`) or control priority (`x_mitre_priority`). These additional properties are not standardized across control frameworks, and are described in the README of each control framework.
- Mappings from individual controls to ATT&CK techniques and sub-techniques are represented as relationships of type `mitigates`, where the `source_ref` is the `id` of the control and the `target_ref` is the `id` of the technique or sub-technique. The optional `description` field on the relationship is taken from the input spreadsheet if a description is given there, and is used to justify the mapping.
- Tooling for more information about how the STIX data was created.
- Visualization for more information about how to visualize the mappings.
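
The following is an added example, not code from this repository: it indexes the relationships described above so that a technique can be looked up to find its mitigating controls, and it flags relationships whose references do not resolve to a known control. It assumes the control and mapping objects have been merged into one list, that `subcontrol-of` points from the sub-control to its parent, and that techniques carry `attack-pattern--` ids as in the ATT&CK STIX data; the sample objects and their short ids are constructed placeholders.

```python
from collections import defaultdict

def coa(n, name):  # constructed control; short ids are placeholders, not real UUIDs
    return {"type": "course-of-action", "id": f"course-of-action--{n}", "name": name}

def rel(n, kind, src, dst, **extra):  # constructed relationship object
    return {"type": "relationship", "id": f"relationship--{n}",
            "relationship_type": kind, "source_ref": src, "target_ref": dst, **extra}

# Constructed sample: one parent control, one sub-control, one broken mapping.
SAMPLE = [
    coa("0001", "Example Control"),
    coa("0002", "Example Control (1)"),
    rel("0010", "subcontrol-of", "course-of-action--0002", "course-of-action--0001"),
    rel("0011", "mitigates", "course-of-action--0002", "attack-pattern--0100",
        description="Constructed justification text."),
    rel("0012", "mitigates", "course-of-action--9999", "attack-pattern--0100"),
]

def index_mappings(objects):
    """Return (technique id -> control ids, sub-control id -> parent id, bad relationship ids)."""
    controls = {o["id"] for o in objects if o.get("type") == "course-of-action"}
    by_technique, parent_of, bad = defaultdict(list), {}, []
    for r in (o for o in objects if o.get("type") == "relationship"):
        src, dst = r.get("source_ref"), r.get("target_ref")
        kind = r.get("relationship_type")
        if kind == "subcontrol-of" and src in controls and dst in controls:
            parent_of[src] = dst  # assumed direction: sub-control -> parent
        elif (kind == "mitigates" and src in controls
              and str(dst).startswith("attack-pattern--")):
            # Techniques live in the ATT&CK data, so only the id type is checked here.
            by_technique[dst].append(src)
        elif kind in ("subcontrol-of", "mitigates"):
            bad.append(r["id"])  # reference does not resolve to a known control
    return dict(by_technique), parent_of, bad

def top_level(control_id, parent_of):
    """Follow subcontrol-of links up to the parent control, guarding against cycles."""
    seen = set()
    while control_id in parent_of and control_id not in seen:
        seen.add(control_id)
        control_id = parent_of[control_id]
    return control_id

if __name__ == "__main__":
    techniques, parents, bad = index_mappings(SAMPLE)
    for tech, ctrls in techniques.items():
        print(tech, sorted({top_level(c, parents) for c in ctrls}), "unresolved:", bad)
```

A non-empty list of unresolved relationships means the mapping data references a control that is missing from the loaded framework, which would otherwise silently understate or misattribute coverage.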