# Best Data Sources for Detection

| **Log Source**                       | **Detections** |
| ------------------------------------ | -------------- |
| Command Execution                    | 255            |
| Process Creation                     | 206            |
| File Modification                    | 98             |
| File Creation                        | 88             |
| Network Traffic Flow                 | 82             |
| OS API Execution                     | 78             |
| Network Traffic Content              | 70             |
| Windows Registry Key Modification    | 58             |
| Network Connection Creation          | 58             |
| Application Log Content              | 55             |
| Module Load                          | 50             |
| File Access                          | 46             |
| Web                                  | 46             |
| File Metadata                        | 37             |
| Logon Session Creation               | 32             |
| Script Execution                     | 26             |
| Response Content                     | 22             |
| Internal DNS                         | 21             |
| User Account Authentication          | 20             |
| Process Access                       | 18             |
| Windows Registry Key Creation        | 17             |
| Email                                | 17             |
| Service Creation                     | 15             |
| Host Status                          | 15             |
| Active Directory Object Modification | 13             |
| Service Metadata                     | 12             |
| Process Metadata                     | 11             |
| Driver Load                          | 10             |
| File Deletion                        | 10             |
| Firmware Modification                | 9              |
| Logon Session Metadata               | 9              |
| Process Modification                 | 9              |
| User Account Metadata                | 8              |
| Windows Registry Key Access          | 7              |
| Scheduled Job Creation               | 7              |
| Malware Metadata                     | 7              |
| Active Directory Credential Request  | 7              |
| Container Creation                   | 6              |
| Web Credential Usage                 | 6              |
| Response Metadata                    | 6              |
| User Account Creation                | 6              |
| Drive Modification                   | 6              |
| User Account Modification            | 6              |
| Instance Creation                    | 5              |
| Active DNS                           | 5              |
| Passive DNS                          | 5              |
| Network Share Access                 | 5              |
| Drive Access                         | 5              |
| Service Modification                 | 5              |
| Image Creation                       | 4              |
| Instance Start                       | 4              |
| Active Directory Object Creation     | 4              |
| Malware Content                      | 4              |
| Social Media                         | 4              |
| Domain Registration                  | 4              |
| Drive Creation                       | 4              |
| Windows Registry Key Deletion        | 4              |
| Active Directory Object Access       | 3              |
| Instance Metadata                    | 3              |
| Container Start                      | 3              |
| Web Credential Creation              | 3              |
| Firewall Rule Modification           | 3              |
| Firewall Disable                     | 3              |
| Instance Deletion                    | 3              |
| Snapshot Creation                    | 3              |
| Process Termination                  | 3              |
| Cloud Storage Enumeration            | 2              |
| Cloud Storage Access                 | 2              |
| Pod Metadata                         | 2              |
| Active Directory Object Deletion     | 2              |
| Cloud Service Modification           | 2              |
| Cloud Service Disable                | 2              |
| Certificate Registration             | 2              |
| Cloud Storage Metadata               | 2              |
| Instance Modification                | 2              |
| Instance Stop                        | 2              |
| Firewall Metadata                    | 2              |
| Firewall Enumeration                 | 2              |
| Group Enumeration                    | 2              |
| Group Metadata                       | 2              |
| Image Metadata                       | 2              |
| Scheduled Job Metadata               | 2              |
| Scheduled Job Modification           | 2              |
| Kernel Module Load                   | 2              |
| WMI Creation                         | 2              |
| Group Modification                   | 2              |
| Driver Metadata                      | 2              |
| Snapshot Modification                | 2              |
| Snapshot Deletion                    | 2              |
| Volume Deletion                      | 2              |
| Cloud Storage Modification           | 2              |
| Cloud Service Enumeration            | 2              |
| Cluster Metadata                     | 1              |
| Container Enumeration                | 1              |
| Container Metadata                   | 1              |
| Pod Enumeration                      | 1              |
| Pod Creation                         | 1              |
| Pod Modification                     | 1              |
| Instance Enumeration                 | 1              |
| Snapshot Metadata                    | 1              |
| Snapshot Enumeration                 | 1              |
| Volume Metadata                      | 1              |
| Volume Enumeration                   | 1              |
| Named Pipe Metadata                  | 1              |
| User Account Deletion                | 1              |
| Image Modification                   | 1              |
| Volume Creation                      | 1              |
| Volume Modification                  | 1              |
| Cloud Storage Creation               | 1              |
| Cloud Service Metadata               | 1              |
| Image Deletion                       | 1              |
| Cloud Storage Deletion               | 1              |
| DHCP                                 | 1              |
