Best Data Sources for Detection
This page aims to help the reader understand which data sources are best for detection, based on the MITRE ATT&CK framework.
| Log Source | Detections |
| --- | --- |
| Command Execution | 255 |
| Process Creation | 206 |
| File Modification | 98 |
| File Creation | 88 |
| Network Traffic Flow | 82 |
| OS API Execution | 78 |
| Network Traffic Content | 70 |
| Windows Registry Key Modification | 58 |
| Network Connection Creation | 58 |
| Application Log Content | 55 |
| Module Load | 50 |
| File Access | 46 |
| Web | 46 |
| File Metadata | 37 |
| Logon Session Creation | 32 |
| Script Execution | 26 |
| Response Content | 22 |
| Internal DNS | 21 |
| User Account Authentication | 20 |
| Process Access | 18 |
| Windows Registry Key Creation | 17 |
|  | 17 |
| Service Creation | 15 |
| Host Status | 15 |
| Active Directory Object Modification | 13 |
| Service Metadata | 12 |
| Process Metadata | 11 |
| Driver Load | 10 |
| File Deletion | 10 |
| Firmware Modification | 9 |
| Logon Session Metadata | 9 |
| Process Modification | 9 |
| User Account Metadata | 8 |
| Windows Registry Key Access | 7 |
| Scheduled Job Creation | 7 |
| Malware Metadata | 7 |
| Active Directory Credential Request | 7 |
| Container Creation | 6 |
| Web Credential Usage | 6 |
| Response Metadata | 6 |
| User Account Creation | 6 |
| Drive Modification | 6 |
| User Account Modification | 6 |
| Instance Creation | 5 |
| Active DNS | 5 |
| Passive DNS | 5 |
| Network Share Access | 5 |
| Drive Access | 5 |
| Service Modification | 5 |
| Image Creation | 4 |
| Instance Start | 4 |
| Active Directory Object Creation | 4 |
| Malware Content | 4 |
| Social Media | 4 |
| Domain Registration | 4 |
| Drive Creation | 4 |
| Windows Registry Key Deletion | 4 |
| Active Directory Object Access | 3 |
| Instance Metadata | 3 |
| Container Start | 3 |
| Web Credential Creation | 3 |
| Firewall Rule Modification | 3 |
| Firewall Disable | 3 |
| Instance Deletion | 3 |
| Snapshot Creation | 3 |
| Process Termination | 3 |
| Cloud Storage Enumeration | 2 |
| Cloud Storage Access | 2 |
| Pod Metadata | 2 |
| Active Directory Object Deletion | 2 |
| Cloud Service Modification | 2 |
| Cloud Service Disable | 2 |
| Certificate Registration | 2 |
| Cloud Storage Metadata | 2 |
| Instance Modification | 2 |
| Instance Stop | 2 |
| Firewall Metadata | 2 |
| Firewall Enumeration | 2 |
| Group Enumeration | 2 |
| Group Metadata | 2 |
| Image Metadata | 2 |
| Scheduled Job Metadata | 2 |
| Scheduled Job Modification | 2 |
| Kernel Module Load | 2 |
| WMI Creation | 2 |
| Group Modification | 2 |
| Driver Metadata | 2 |
| Snapshot Modification | 2 |
| Snapshot Deletion | 2 |
| Volume Deletion | 2 |
| Cloud Storage Modification | 2 |
| Cloud Service Enumeration | 2 |
| Cluster Metadata | 1 |
| Container Enumeration | 1 |
| Container Metadata | 1 |
| Pod Enumeration | 1 |
| Pod Creation | 1 |
| Pod Modification | 1 |
| Instance Enumeration | 1 |
| Snapshot Metadata | 1 |
| Snapshot Enumeration | 1 |
| Volume Metadata | 1 |
| Volume Enumeration | 1 |
| Named Pipe Metadata | 1 |
| User Account Deletion | 1 |
| Image Modification | 1 |
| Volume Creation | 1 |
| Volume Modification | 1 |
| Cloud Storage Creation | 1 |
| Cloud Service Metadata | 1 |
| Image Deletion | 1 |
| Cloud Storage Deletion | 1 |
| DHCP | 1 |