Understand the MITRE to STIX data model
Review the terminology used by MITRE and STIX to efficiently use and understand the MITRE-ATT&CK™ framework in the ServiceNow AI Platform.
MITRE objects to STIX mapping
STIX is a language for describing cyber threat information in a standardized and structured manner. In the Threat Intelligence module, the STIX objects form the parent data model, and the MITRE objects are a subset of that parent STIX data model. MITRE publishes the MITRE-ATT&CK framework as STIX data, using the STIX object types listed in the following table.
| MITRE terminology | STIX terminology |
|---|---|
| Technique | Attack Pattern |
| Mitigation | Course of Action |
| Group | Intrusion Set |
| Malware | Malware |
| Tool | Tool |
Extending data in the Threat Intelligence module
You can maintain a list of threat sources in the Threat Intelligence module and import the STIX data you need, which can include an extensive set of cyber threat information. You can also use TAXII profiles to automate the exchange of cyber threat information with those sources.
Extending data in the MITRE-ATT&CK module
You can relate Malware, Group, Mitigation, and Tool objects to a technique in the MITRE-ATT&CK repository.
You can create an object and establish a relationship between a technique and the new object in the MITRE ATT&CK Repository module, but you can't define the relationship type there. To define a relationship type, navigate to the module.
When you map a relationship type between an existing technique and an existing object, the technique must be the target object and the other object must be the source object. This matches the direction of the underlying STIX relationships, in which a group, malware, or tool uses a technique and a mitigation mitigates it. To do so, navigate to the module.
You can create a group and associate it with an attack pattern, but the MITRE ATT&CK Repository only lets you establish that the relationship exists between the group and the attack pattern. To define the relationship type between the two objects, use the IoC Repository.
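The following added example, which is not part of this page or of the ServiceNow product code, shows the two points above in working form: the STIX-type-to-MITRE-term mapping from the table, and the rule that a technique must be the target of any relationship that links it to a group, malware, tool, or mitigation. The bundle is constructed for this example; its field layout (an `external_references` entry with `source_name` `mitre-attack` carrying the ATT&CK ID, and `relationship` objects with `source_ref`/`target_ref`) follows STIX 2.x as MITRE publishes ATT&CK, but every name and ID in it is a placeholder. The function names are this example's own, not module APIs.

```python
import json

# MITRE ATT&CK term for each STIX object type, following the mapping table above.
STIX_TO_MITRE = {
    "attack-pattern": "Technique",
    "course-of-action": "Mitigation",
    "intrusion-set": "Group",
    "malware": "Malware",
    "tool": "Tool",
}

# STIX IDs used by the constructed sample below (placeholders, not real ATT&CK IDs).
TECHNIQUE_REF = "attack-pattern--11111111-1111-4111-8111-111111111111"
GROUP_REF = "intrusion-set--22222222-2222-4222-8222-222222222222"
MITIGATION_REF = "course-of-action--33333333-3333-4333-8333-333333333333"
REL_GROUP_USES = "relationship--44444444-4444-4444-8444-444444444444"
REL_MITIGATES = "relationship--55555555-5555-4555-8555-555555555555"
REL_REVERSED = "relationship--66666666-6666-4666-8666-666666666666"

# Constructed sample bundle: the layout follows STIX 2.x as ATT&CK publishes it,
# but the names and IDs are invented for this example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "attack-pattern", "id": TECHNIQUE_REF, "name": "Example Technique",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        {"type": "intrusion-set", "id": GROUP_REF, "name": "Example Group",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0000"}]},
        {"type": "course-of-action", "id": MITIGATION_REF, "name": "Example Mitigation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M0000"}]},
        # Correct direction: the group or mitigation is the source, the technique is the target.
        {"type": "relationship", "id": REL_GROUP_USES, "relationship_type": "uses",
         "source_ref": GROUP_REF, "target_ref": TECHNIQUE_REF},
        {"type": "relationship", "id": REL_MITIGATES, "relationship_type": "mitigates",
         "source_ref": MITIGATION_REF, "target_ref": TECHNIQUE_REF},
        # Wrong direction: the technique appears as the source object.
        {"type": "relationship", "id": REL_REVERSED, "relationship_type": "uses",
         "source_ref": TECHNIQUE_REF, "target_ref": GROUP_REF},
    ],
})


def load_objects(bundle_text):
    """Parse a STIX bundle and index its objects by STIX ID."""
    return {obj["id"]: obj for obj in json.loads(bundle_text)["objects"]}


def attack_id(obj):
    """Return the ATT&CK external ID (T-, G-, M-number and so on) carried by an object, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def summarize(objects):
    """List (MITRE term, ATT&CK ID, name) for every object whose STIX type maps to a MITRE term."""
    rows = [(STIX_TO_MITRE[o["type"]], attack_id(o), o["name"])
            for o in objects.values() if o["type"] in STIX_TO_MITRE]
    return sorted(rows)


def check_relationships(objects):
    """Split relationship IDs into accepted and rejected.

    A relationship is rejected when either end is missing from the bundle, or when
    it links a technique to a non-technique object with the technique as the
    source rather than the target (technique-to-technique links such as
    sub-technique relationships are left alone).
    """
    accepted, rejected = [], []
    for o in objects.values():
        if o["type"] != "relationship":
            continue
        src = objects.get(o["source_ref"])
        dst = objects.get(o["target_ref"])
        reversed_technique = (src is not None and dst is not None
                              and src["type"] == "attack-pattern"
                              and dst["type"] != "attack-pattern")
        if src is None or dst is None or reversed_technique:
            rejected.append(o["id"])
        else:
            accepted.append(o["id"])
    return sorted(accepted), sorted(rejected)


def objects_linked_to_technique(objects, technique_ref):
    """Group the accepted source objects pointing at a technique by their MITRE term."""
    accepted, _ = check_relationships(objects)
    linked = {}
    for rel_id in accepted:
        rel = objects[rel_id]
        if rel["target_ref"] != technique_ref:
            continue
        src = objects[rel["source_ref"]]
        term = STIX_TO_MITRE.get(src["type"], src["type"])
        linked.setdefault(term, []).append((rel["relationship_type"], src["name"]))
    return linked


if __name__ == "__main__":
    objs = load_objects(SAMPLE_BUNDLE)
    for row in summarize(objs):
        print(row)
    print(check_relationships(objs))
    print(objects_linked_to_technique(objs, TECHNIQUE_REF))
```

Running the block prints the three mapped objects with their ATT&CK IDs, reports the reversed relationship as rejected, and lists the group and mitigation attached to the technique under their MITRE terms, which is the view you get when you open a technique in the repository and look at its related objects.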