Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/mitre-attack/attack-data-model

ATT&CK Data Model (ADM): A TypeScript library for structured interaction with MITRE ATT&CK datasets. Uses Zod schemas, TypeScript types, and ES6 classes to provide a type-safe, object-oriented interface for STIX 2.1 formatted ATT&CK data. Features parsing, validation, and serialization capabilities.
https://github.com/mitre-attack/attack-data-model

Last synced: 2 months ago
JSON representation

ATT&CK Data Model (ADM): A TypeScript library for structured interaction with MITRE ATT&CK datasets. Uses Zod schemas, TypeScript types, and ES6 classes to provide a type-safe, object-oriented interface for STIX 2.1 formatted ATT&CK data. Features parsing, validation, and serialization capabilities.

Awesome Lists containing this project

README 

          
# MITRE ATT&CK® Data Model



**A TypeScript library for working with MITRE ATT&CK data using STIX 2.1**



The ATT&CK Data Model (ADM) provides a type-safe, object-oriented interface for working with MITRE ATT&CK datasets.

Built on STIX 2.1 compliance, it uses Zod schemas and TypeScript types to ensure data integrity while providing intuitive relationship navigation between ATT&CK objects.



**[CLICK HERE](https://mitre-attack.github.io/attack-data-model) [1](#footnotes)** to browse the ATT&CK schemas in a user-friendly interface.



## Key Features



- **Type-Safe Data Parsing**: ADM validates STIX 2.1 bundles using Zod schemas, ensuring data model compliance and type safety.

- **Easy Relationship Navigation**: Each object instance contains pointers to related objects, simplifying the process of navigating between techniques, tactics, and other ATT&CK elements.

- **Supports Multiple Data Sources**: Load ATT&CK datasets from different sources, including GitHub, local files, URLs, and TAXII 2.1 servers (more data sources in development).

- Parsing, validation, and serialization of ATT&CK data

- ES6 classes for object-oriented data manipulation



## Supported Data Sources



- **`attack`**: Load ATT&CK data from the official MITRE ATT&CK STIX 2.1 GitHub repository. This serves as the source of truth for MITRE ATT&CK content.

- **`file`**: Load ATT&CK data from a local JSON file containing a STIX 2.1 bundle.

- **`url`**: Load ATT&CK data from a URL endpoint serving STIX 2.1 content.

- **`taxii`**: (Coming soon) Load ATT&CK data from a TAXII 2.1 server.



## Installation



### Quick Start (Latest Version)



To install the latest version of the ADM from npm:



```bash

npm install @mitre-attack/attack-data-model

```



### Choosing the Right Version



The ADM library version you need depends on which version of the ATT&CK dataset you're working with. The library follows its own versioning scheme (separate from ATT&CK releases) to support ongoing development while maintaining compatibility with specific ATT&CK data versions.



#### Version Compatibility Guide



| If you're working with...    | Install ADM version | Command                                              |

| ---------------------------- | ------------------- | ---------------------------------------------------- |

| ATT&CK v18.x (upcoming)      | 5.x (upcoming)      | `npm install @mitre-attack/attack-data-model@^5.0.0` |

| ATT&CK v15.x to v17.x        | 4.x (latest)        | `npm install @mitre-attack/attack-data-model@^4.0.0` |

| Older ATT&CK versions ( {

  // Instantiating a DataSourceRegistration object will validate that the data source is accessible and readable

  const dataSource = new DataSourceRegistration({

    source: 'attack', // Built-in index to retrieve ATT&CK content from the official MITRE ATT&CK STIX 2.1 GitHub repository

    domain: 'enterprise-attack',

    version: '15.1', // Omitting 'version' will default to the latest version available in the repository

    parsingMode: 'relaxed', // 'strict' or 'relaxed' - 'relaxed' mode will attempt to parse and serialize data even if it contains errors or warnings

  });



  try {

    // Register the data source and retrieve the unique ID

    const uuid = await registerDataSource(dataSource);

    if (uuid) {

      // Load the dataset using the unique ID

      const attackEnterpriseLatest = loadDataModel(uuid);



      // Access ATT&CK objects by type using object properties

      const techniques = attackEnterpriseLatest.techniques;

      const tactics = attackEnterpriseLatest.tactics;



      const technique = techniques[0];



      // Type hinting is supported for all object properties

      if (technique.x_mitre_is_subtechnique) {

        // Access related objects with helpful getter methods

        console.log(technique.getParentTechnique());

      }

    }

  } catch (error) {

    console.error(error);

  }

})();

```



### Parsing and Validating a Tactic



```typescript

import { tacticSchema } from '@mitre-attack/attack-data-model';



const validTactic = {

  id: 'x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5',

  type: 'x-mitre-tactic',

  name: 'Execution',

  description: 'The adversary is trying to run malicious code.',

  x_mitre_shortname: 'execution',

  // ... other required fields

};



try {

  const parsedTactic = tacticSchema.parse(validTactic);

  console.log('Tactic parsed successfully:', parsedTactic.name);

} catch (error) {

  console.error('Validation error:', error);

}

```



### Handling Invalid Data



```typescript

import { tacticSchema } from '@mitre-attack/attack-data-model';

import { z } from 'zod';



const invalidTactic = {

  // Missing required fields

  id: 'x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5',

  type: 'x-mitre-tactic',

};



try {

  tacticSchema.parse(invalidTactic);

} catch (error) {

  if (error instanceof z.ZodError) {

    console.log('Validation errors:', error.errors);

  }

}

```



For more detailed examples, please refer to the [examples](./examples/README.md) folder in the repository.



## How It Works



1. **Data Registration**: Datasets are registered via `registerDataSource`. You specify the source of the data (e.g., `attack`, `file`, `url`, `taxii`) and provide any necessary options (such as `domain` and `version` for ATT&CK datasets). This function returns a unique identifier for the registered data source.

2. **Data Loading**: The `loadDataModel` function is used to load registered data models by their unique identifier.

3. **Parsing and Validation**: Once the data is loaded, it is parsed by Zod schemas, ensuring that the data conforms to the expected STIX 2.1 specification.

4. **Serialization**: Valid objects are converted into TypeScript class instances, allowing for type-safe interaction and relationship navigation.

5. **Relationship Mapping**: The library automatically processes all "relationship" objects in the dataset, creating links between techniques, tactics, groups, and other ATT&CK objects.



## Parsing Modes



- **Strict Mode**: Data must pass all validation checks to be ingested. If any objects are rejected, the registration is aborted.

- **Relaxed Mode**: Invalid objects are logged, but the library will ignore parsing errors and attempt to load the dataset anyway. Use with caution, as this may cause unexpected downstream usage errors.



## Compatibility Matrix



Our [Compatibility documentation](https://mitre-attack.github.io/attack-data-model/principles/versioning-philosophy) tracks the compatibility between versions of the ATT&CK Data Model (ADM) TypeScript API (`@mitre-attack/attack-data-model`) and versions of the MITRE ATT&CK dataset (`mitre-attack/attack-stix-data`).



## Contributing



We welcome contributions! Please see our contributor guide for more information: 



## Footnotes



1 The [schemas site](https://mitre-attack.github.io/attack-data-model) is dynamically generated from the contents of the `@latest` distribution channel / `main` branch. We do not currently maintain separate documentation for previous releases, though we hope to in the future.



## License



This project is licensed under the Apache 2.0 License.



## Notice



Copyright 2020-2025 The MITRE Corporation.



This project makes use of ATT&CK



[ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/)