Home
The Mappings Editor is a web application designed to streamline the creation of Mapping Files. These files consist of Mappings, each of which associates a security control, vulnerability, or capability with an adversary behavior catalogued by MITRE ATT&CK®. The Editor makes it quick and easy to create, edit, and review Mappings and includes several features specially engineered to enhance the mapping process.
Using the Mappings Editor, Mapping Files can even be exported as ATT&CK Navigator Layers or as .CSV, .JSON, .YAML, or Microsoft Excel (.XLSX) Files.
To get started, simply open the Editor in your browser of choice — no installation required:
From here, you can either choose to open one of our example Mapping Files or create your own.
Click one of the following links to open an example Mapping File from our corpus:
Mapping Framework | Framework Version | Technology Domain | ATT&CK Version | Link |
---|---|---|---|---|
Amazon Web Services (AWS) | 09/21/2021 | Enterprise | v9.0 | Open Editor ↗ |
Microsoft Azure | 06/29/2021 | Enterprise | v8.2 | Open Editor ↗ |
CVE | 10/21/2021 | Enterprise | v9.0 | Open Editor ↗ |
Google Cloud Platform (GCP) | 06/28/2022 | Enterprise | v10.0 | Open Editor ↗ |
M365 | 12/11/2023 | Enterprise | v14.1 | Open Editor ↗ |
NIST 800-53 | Revision 5 | Enterprise | v14.1 | Open Editor ↗ |
VERIS | v1.3.7 | Enterprise | v12.1 | Open Editor ↗ |
Or, if you prefer, you can download one of the many Mapping Files available from our corpus.
Before work can start in the Mappings Editor, a fresh Mapping File is needed. Currently, the best way to create one is by downloading a blank Mapping File and configuring it yourself. In the future, this process will be built directly into the Editor.
Download a blank Mapping File and open it in your text editor of choice. If you're unsure, simply use Notepad on Windows, TextEdit on macOS, or gedit on Linux. Once open, the text file should look something like this:
```json
{
  "metadata": {
    "mapping_version": "1.0.0",
    "technology_domain": "",
    "attack_version": "",
    "mapping_framework": "",
    "mapping_framework_version": "",
    "mapping_types": {
      "example_type": {
        "name": "Example Mapping Type",
        "description": "Use this description to explain the semantics of the mapping type."
      }
    },
    "capability_groups": {
      "example_group": "Example Group"
    }
  }
}
```
To start, configure the Mapping Framework's identifier and version. The Mapping Framework is the set of controls, vulnerabilities, or capabilities being mapped. For the purposes of this guide, we'll use NIST 800-53 (Revision 5).
```json
"mapping_framework": "nist_800-53",
"mapping_framework_version": "rev5",
```

The Mapping Framework's identifier (`mapping_framework`) should ONLY contain lowercase letters, numbers, or special characters and all spaces should be replaced with underscores (`_`).

The Mapping Framework's version (`mapping_framework_version`) should uniquely identify the specific set of capabilities being mapped. When sourcing the Mapping Framework data, attempt to identify the framework's version number, document revision number, date of publication, or anything that can uniquely identify the exact data being used. If the Mapping Framework is not versioned by the publisher, use the date you accessed the data (e.g. `"2/20/24"`).
Next, configure the Technology Domain and ATT&CK version being mapped to.
```json
"technology_domain": "enterprise",
"attack_version": "14.1",
```
Supported Technology Domains and ATT&CK Versions include:
technology_domain | attack_version |
---|---|
enterprise | 14.1, 14.0, 13.1, 13.0, 12.1, 12.0, 11.2, 11.1, 11.0, 10.1, 10.0, 9.0, 8.2, 8.1, 8.0 |
ics | 14.1, 14.0, 13.1, 13.0, 12.1, 12.0, 11.3, 11.2, 11.1, 11.0, 10.1, 10.0, 9.0, 8.2, 8.1, 8.0 |
mobile | 14.1, 14.0, 13.1, 13.0, 12.1, 12.0, 11.3, 10.1, 10.0, 9.0, 8.2, 8.1, 8.0 |
Next, decide the semantics of each valid Mapping Type. In this example, NIST 800-53 Controls are being mapped to ATT&CK (Enterprise) Techniques and each link (from a Control to a Technique) represents protection offered by a Control against a Technique.
```json
"mapping_types": {
  "protects": {
    "name": "Protects",
    "description": "The benefit an adversary loses when the control is employed."
  }
},
```
Notice, there are three pieces of information needed to properly define a Mapping Type:
```json
"mapping_types": {
  "[TYPE ID]": {
    "name": "[TYPE NAME]",
    "description": "[TYPE DESCRIPTION]"
  }
},
```

- `[TYPE ID]`: The Mapping Type's machine-readable identifier. This ID should ONLY contain lowercase alphanumerics and all spaces should be replaced with underscores (`_`).
- `[TYPE NAME]`: The Mapping Type's human-readable name.
- `[TYPE DESCRIPTION]`: A description of the Mapping Type's semantics.
Keep in mind, you can define multiple link types (each with their own semantics) in a single Mapping File. For instance, CVE Mappings define three distinct link types.
```json
"mapping_types": {
  "primary_impact": {
    "name": "Primary Impact",
    "description": "The initial benefit gained through exploitation of a vulnerability."
  },
  "secondary_impact": {
    "name": "Secondary Impact",
    "description": "What the adversary can do by gaining the benefit of the primary impact."
  },
  "exploitation_technique": {
    "name": "Exploitation Technique",
    "description": "The method used to exploit the vulnerability."
  }
},
```
The list of valid Mapping Types will appear between every Mapping:
Finally, decide how to organize your Mappings. Mapping Files can contain thousands of individual Mappings. For this reason, the Mappings Editor allows you to collect Mappings into Capability Groups (which act like folders). A Mapping can be placed into a single Capability Group and a Capability Group can contain any number of Mappings. It's up to you to decide the best way to separate your Mappings and it will largely depend on the specifics of your Mappings Project.
NIST 800-53 already organizes its Controls into Control Families so, for our example, it makes sense to organize the Mappings by those same families as well:
```json
"capability_groups": {
  "AC": "Access Control",
  "CA": "Security Assessment and Authorization",
  "CM": "Configuration Management",
  "SC": "System and Communications Protection",
  "SI": "System and Information Integrity",
  "CP": "Contingency Planning",
  "IA": "Identification and Authentication",
  "SA": "System and Services Acquisition",
  "RA": "Risk Assessment",
  "MP": "Media Protection",
  "SR": "Supply Chain Risk Management",
  "AU": "Audit and Accountability",
  "IR": "Incident Response"
}
```
Notice, there are two pieces of information needed to properly define a Capability Group:
```json
"capability_groups": {
  "[GROUP ID]": "[GROUP NAME]"
}
```

- `[GROUP ID]`: The Capability Group's machine-readable identifier. This ID should ONLY contain alphanumerics and all spaces should be replaced with underscores (`_`).
- `[GROUP NAME]`: The Capability Group's human-readable name.
The list of Capability Groups will appear in the body of the Editor:
You can optionally configure the file's authorship by specifying one or more of the following properties:
```json
"author": "Jane Doe",
"contact": "[email protected]",
"organization": "Center for Threat Informed Defense",
```
Save the configured Mapping File. In this example, it would look something like:
```json
{
  "metadata": {
    "mapping_version": "1.0.0",
    "author": "Jane Doe",
    "contact": "[email protected]",
    "organization": "Center for Threat Informed Defense",
    "technology_domain": "enterprise",
    "attack_version": "14.1",
    "mapping_framework": "nist_800-53",
    "mapping_framework_version": "rev5",
    "mapping_types": {
      "protects": {
        "name": "Protects",
        "description": "The benefit an adversary loses when the control is employed."
      }
    },
    "capability_groups": {
      "AC": "Access Control",
      "CA": "Security Assessment and Authorization",
      "CM": "Configuration Management",
      "SC": "System and Communications Protection",
      "SI": "System and Information Integrity",
      "CP": "Contingency Planning",
      "IA": "Identification and Authentication",
      "SA": "System and Services Acquisition",
      "RA": "Risk Assessment",
      "MP": "Media Protection",
      "SR": "Supply Chain Risk Management",
      "AU": "Audit and Accountability",
      "IR": "Incident Response"
    }
  }
}
```
Open the Mappings Editor, navigate to `File > Open Mapping File...`, select the saved Mapping File, and start mapping!
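A hand-edited Mapping File can be checked against the rules in this guide before it is opened. The following is an added example, not part of the Mappings Editor or the original guide: the function name `validate_mapping_file`, the reading of the `mapping_framework` rule as "no whitespace, no uppercase ASCII", and the sample input are assumptions made here.

```python
import json
import re

# Supported ATT&CK versions per domain, copied from the table in this guide.
_COMMON = "14.1 14.0 13.1 13.0 12.1 12.0 10.1 10.0 9.0 8.2 8.1 8.0".split()
SUPPORTED = {
    "enterprise": {*_COMMON, "11.2", "11.1", "11.0"},
    "ics": {*_COMMON, "11.3", "11.2", "11.1", "11.0"},
    "mobile": {*_COMMON, "11.3"},
}
FRAMEWORK_ID = re.compile(r"[^\sA-Z]+")  # assumed reading: no spaces, no uppercase
TYPE_ID = re.compile(r"[a-z0-9_]+")      # lowercase alphanumerics, underscores
GROUP_ID = re.compile(r"[A-Za-z0-9_]+")  # alphanumerics, underscores


def validate_mapping_file(text):
    """Return a list of problems in a Mapping File's metadata (empty = OK)."""
    try:  # catches malformed JSON (e.g. a missing comma) or absent metadata
        meta = json.loads(text)["metadata"]
        domain, version = meta.get("technology_domain"), meta.get("attack_version")
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return [f"unreadable Mapping File: {exc}"]
    errors = []
    if not isinstance(domain, str) or domain not in SUPPORTED:
        errors.append(f"unsupported technology_domain: {domain!r}")
    elif not isinstance(version, str) or version not in SUPPORTED[domain]:
        errors.append(f"attack_version {version!r} not supported for {domain}")
    if not FRAMEWORK_ID.fullmatch(str(meta.get("mapping_framework") or "")):
        errors.append("mapping_framework: lowercase only, underscores for spaces")
    if not str(meta.get("mapping_framework_version") or "").strip():
        errors.append("mapping_framework_version is empty")
    types, groups = meta.get("mapping_types"), meta.get("capability_groups")
    for type_id, body in (types.items() if isinstance(types, dict) else []):
        ok = isinstance(body, dict) and body.get("name") and body.get("description")
        if not (TYPE_ID.fullmatch(type_id) and ok):
            errors.append(f"bad mapping type: {type_id!r}")
    for group_id, name in (groups.items() if isinstance(groups, dict) else []):
        if not (GROUP_ID.fullmatch(group_id) and isinstance(name, str) and name):
            errors.append(f"bad capability group: {group_id!r}")
    return errors

# Constructed sample: bad framework id, type id, and enterprise version.
SAMPLE = """{"metadata": {"technology_domain": "enterprise", "attack_version": "11.3",
  "mapping_framework": "NIST 800-53", "mapping_framework_version": "rev5",
  "mapping_types": {"Protects": {"name": "Protects", "description": "x"}},
  "capability_groups": {"AC": "Access Control"}}}"""

if __name__ == "__main__":
    print("\n".join(validate_mapping_file(SAMPLE)) or "OK")
```

A JSON syntax slip such as a missing comma between properties is reported as a single "unreadable Mapping File" problem rather than an exception.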