Best Data Sources for Detection

This page attempts to provide the reader an understanding of the best data sources that provide detection based on Mitre ATT&CK framework

Log Source

Detections

Command Execution

255

Process Creation

206

File Modification

98

File Creation

88

Network Traffic Flow

82

OS API Execution

78

Network Traffic Content

70

Windows Registry Key Modification

58

Network Connection Creation

58

Application Log Content

55

Module Load

50

File Access

46

Web

46

File Metadata

37

Logon Session Creation

32

Script Execution

26

Response Content

22

Internal DNS

21

User Account Authentication

20

Process Access

18

Windows Registry Key Creation

17

Email

17

Service Creation

15

Host Status

15

Active Directory Object Modification

13

Service Metadata

12

Process Metadata

11

Driver Load

10

File Deletion

10

Firmware Modification

9

Logon Session Metadata

9

Process Modification

9

User Account Metadata

8

Windows Registry Key Access

7

Scheduled Job Creation

7

Malware Metadata

7

Active Directory Credential Request

7

Container Creation

6

Web Credential Usage

6

Response Metadata

6

User Account Creation

6

Drive Modification

6

User Account Modification

6

Instance Creation

5

Active DNS

5

Passive DNS

5

Network Share Access

5

Drive Access

5

Service Modification

5

Image Creation

4

Instance Start

4

Active Directory Object Creation

4

Malware Content

4

Social Media

4

Domain Registration

4

Drive Creation

4

Windows Registry Key Deletion

4

Active Directory Object Access

3

Instance Metadata

3

Container Start

3

Web Credential Creation

3

Firewall Rule Modification

3

Firewall Disable

3

Instance Deletion

3

Snapshot Creation

3

Process Termination

3

Cloud Storage Enumeration

2

Cloud Storage Access

2

Pod Metadata

2

Active Directory Object Deletion

2

Cloud Service Modification

2

Cloud Service Disable

2

Certificate Registration

2

Cloud Storage Metadata

2

Instance Modification

2

Instance Stop

2

Firewall Metadata

2

Firewall Enumeration

2

Group Enumeration

2

Group Metadata

2

Image Metadata

2

Scheduled Job Metadata

2

Scheduled Job Modification

2

Kernel Module Load

2

WMI Creation

2

Group Modification

2

Driver Metadata

2

Snapshot Modification

2

Snapshot Deletion

2

Volume Deletion

2

Cloud Storage Modification

2

Cloud Service Enumeration

2

Cluster Metadata

1

Container Enumeration

1

Container Metadata

1

Pod Enumeration

1

Pod Creation

1

Pod Modification

1

Instance Enumeration

1

Snapshot Metadata

1

Snapshot Enumeration

1

Volume Metadata

1

Volume Enumeration

1

Named Pipe Metadata

1

User Account Deletion

1

Image Modification

1

Volume Creation

1

Volume Modification

1

Cloud Storage Creation

1

Cloud Service Metadata

1

Image Deletion

1

Cloud Storage Deletion

1

DHCP

1

PreviousLateral Movement Logging RecommendationsNext17_Threat Hunt

Last updated