Best Data Sources for Detection
This page gives the reader an overview of which data sources yield the most detections, ranked by the number of detections mapped to them in the MITRE ATT&CK framework.
| Log Source | Detections |
| --- | ---: |
| Command Execution | 255 |
| Process Creation | 206 |
| File Modification | 98 |
| File Creation | 88 |
| Network Traffic Flow | 82 |
| OS API Execution | 78 |
| Network Traffic Content | 70 |
| Windows Registry Key Modification | 58 |
| Network Connection Creation | 58 |
| Application Log Content | 55 |
| Module Load | 50 |
| File Access | 46 |
| Web | 46 |
| File Metadata | 37 |
| Logon Session Creation | 32 |
| Script Execution | 26 |
| Response Content | 22 |
| Internal DNS | 21 |
| User Account Authentication | 20 |
| Process Access | 18 |
| Windows Registry Key Creation | 17 |
| | 17 |
| Service Creation | 15 |
| Host Status | 15 |
| Active Directory Object Modification | 13 |
| Service Metadata | 12 |
| Process Metadata | 11 |
| Driver Load | 10 |
| File Deletion | 10 |
| Firmware Modification | 9 |
| Logon Session Metadata | 9 |
| Process Modification | 9 |
| User Account Metadata | 8 |
| Windows Registry Key Access | 7 |
| Scheduled Job Creation | 7 |
| Malware Metadata | 7 |
| Active Directory Credential Request | 7 |
| Container Creation | 6 |
| Web Credential Usage | 6 |
| Response Metadata | 6 |
| User Account Creation | 6 |
| Drive Modification | 6 |
| User Account Modification | 6 |
| Instance Creation | 5 |
| Active DNS | 5 |
| Passive DNS | 5 |
| Network Share Access | 5 |
| Drive Access | 5 |
| Service Modification | 5 |
| Image Creation | 4 |
| Instance Start | 4 |
| Active Directory Object Creation | 4 |
| Malware Content | 4 |
| Social Media | 4 |
| Domain Registration | 4 |
| Drive Creation | 4 |
| Windows Registry Key Deletion | 4 |
| Active Directory Object Access | 3 |
| Instance Metadata | 3 |
| Container Start | 3 |
| Web Credential Creation | 3 |
| Firewall Rule Modification | 3 |
| Firewall Disable | 3 |
| Instance Deletion | 3 |
| Snapshot Creation | 3 |
| Process Termination | 3 |
| Cloud Storage Enumeration | 2 |
| Cloud Storage Access | 2 |
| Pod Metadata | 2 |
| Active Directory Object Deletion | 2 |
| Cloud Service Modification | 2 |
| Cloud Service Disable | 2 |
| Certificate Registration | 2 |
| Cloud Storage Metadata | 2 |
| Instance Modification | 2 |
| Instance Stop | 2 |
| Firewall Metadata | 2 |
| Firewall Enumeration | 2 |
| Group Enumeration | 2 |
| Group Metadata | 2 |
| Image Metadata | 2 |
| Scheduled Job Metadata | 2 |
| Scheduled Job Modification | 2 |
| Kernel Module Load | 2 |
| WMI Creation | 2 |
| Group Modification | 2 |
| Driver Metadata | 2 |
| Snapshot Modification | 2 |
| Snapshot Deletion | 2 |
| Volume Deletion | 2 |
| Cloud Storage Modification | 2 |
| Cloud Service Enumeration | 2 |
| Cluster Metadata | 1 |
| Container Enumeration | 1 |
| Container Metadata | 1 |
| Pod Enumeration | 1 |
| Pod Creation | 1 |
| Pod Modification | 1 |
| Instance Enumeration | 1 |
| Snapshot Metadata | 1 |
| Snapshot Enumeration | 1 |
| Volume Metadata | 1 |
| Volume Enumeration | 1 |
| Named Pipe Metadata | 1 |
| User Account Deletion | 1 |
| Image Modification | 1 |
| Volume Creation | 1 |
| Volume Modification | 1 |
| Cloud Storage Creation | 1 |
| Cloud Service Metadata | 1 |
| Image Deletion | 1 |
| Cloud Storage Deletion | 1 |
| DHCP | 1 |