YAML administration groups

In this YAML file you can administrate information you have on threat actor groups.

Sample file: groups.yaml

Current version: version 1.0

File content

Name	Type	Required	Description
version	string	yes	Version of this group administration file. The current version is 1.0.
file_type	string	yes	Used to indicate what type of YAML file it is. Possible values: data-source-administration, technique-administration and group-administration. For data source administration the value should be: group-administration.
domain	string	yes (defaults to enterprise-attack)	Specify the ATT&CK domain using the value enterprise-attack, ics-attack or mobile-attack
platform	string or list of strings	yes	Indicates the type of platform you describe the techniques for. Possible values (in the list) are the MITRE ATT&CK platform values or 'all' to select all platforms: PRE, Windows, Linux, macOS, Office 365, Azure AD, Google Workspace, IaaS, SaaS, Network, Containers.
groups	list with group objects	yes	Contains all the information on threat actor groups. See the description of the group object.
notes	string	no	An optional field to include notes on this groups administration file.

Group object

Name	Type	Required	Description
group_name	string	yes	The name of the threat actor.
campaign	string	no	The name of a possible specific threat actor campaign.
technique_id	list of techniques IDs (optionally followed by a count)	yes	Techniques used by this threat actor (within this campaign). It is also possible to add a count to a technique. For an example see the first group object in the file: 20190319-RedCanary.yaml
software_id	list of software IDs	no	Software used by this threat actor (within this campaign).
enabled	boolean (True or False)	true	Enable or disable the group. Having it disabled will cause it from not being loaded by the DeTT&CT Python tool.