| Id | Name | Data_Source | Description | Data_Component | Data_Component_Description |
|---|---|---|---|---|---|
| DS0014 | Pod | Pod: Pod Creation | A single unit of shared resources within a cluster, comprised of one or more containers (Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Creation | Initial construction of a new pod (ex: kubectl apply\|run) |
| DS0014 | Pod | Pod: Pod Modification | A single unit of shared resources within a cluster, comprised of one or more containers (Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Modification | Changes made to a pod, including its settings and/or control data (ex: kubectl set\|patch\|edit) |
| DS0014 | Pod | Pod: Pod Metadata | A single unit of shared resources within a cluster, comprised of one or more containers (Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Metadata | Contextual data about a pod and activity around it such as name, ID, namespace, or status |
| DS0014 | Pod | Pod: Pod Enumeration | A single unit of shared resources within a cluster, comprised of one or more containers (Citation: Kube Kubectl)(Citation: Kube Pod) | Pod Enumeration | An extracted list of pods within a cluster (ex: kubectl get pods) |
| DS0032 | Container | Container: Container Creation | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another (Citation: Docker Docs Container) | Container Creation | Initial construction of a new container (ex: docker create <container_name>) |
| DS0032 | Container | Container: Container Metadata | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another (Citation: Docker Docs Container) | Container Metadata | Contextual data about a container and activity around it such as name, ID, image, or status |
| DS0032 | Container | Container: Container Enumeration | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another (Citation: Docker Docs Container) | Container Enumeration | An extracted list of containers (ex: docker ps) |
| DS0032 | Container | Container: Container Start | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another (Citation: Docker Docs Container) | Container Start | Activation or invocation of a container (ex: docker start or docker restart) |
| DS0002 | User Account | User Account: User Account Metadata | A profile representing a user, device, service, or application used to authenticate and access resources | User Account Metadata | Contextual data about an account, which may include a username, user ID, environmental data, etc. |
| DS0002 | User Account | User Account: User Account Creation | A profile representing a user, device, service, or application used to authenticate and access resources | User Account Creation | Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs) |
| DS0002 | User Account | User Account: User Account Deletion | A profile representing a user, device, service, or application used to authenticate and access resources | User Account Deletion | Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs) |
| DS0002 | User Account | User Account: User Account Modification | A profile representing a user, device, service, or application used to authenticate and access resources | User Account Modification | Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs) |
| DS0002 | User Account | User Account: User Account Authentication | A profile representing a user, device, service, or application used to authenticate and access resources | User Account Authentication | An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log) |
| DS0024 | Windows Registry | Windows Registry: Windows Registry Key Creation | A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations (Citation: Microsoft Registry) | Windows Registry Key Creation | Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12) |
| DS0024 | Windows Registry | Windows Registry: Windows Registry Key Deletion | A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations (Citation: Microsoft Registry) | Windows Registry Key Deletion | Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12) |
| DS0024 | Windows Registry | Windows Registry: Windows Registry Key Modification | A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations (Citation: Microsoft Registry) | Windows Registry Key Modification | Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13\|14) |
| DS0024 | Windows Registry | Windows Registry: Windows Registry Key Access | A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations (Citation: Microsoft Registry) | Windows Registry Key Access | Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656) |
| DS0012 | Script | Script: Script Execution | A file or stream containing a list of commands, allowing them to be launched in sequence (Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI) | Script Execution | Launching a list of commands through a script file (ex: Windows EID 4104) |
| DS0007 | Image | Image: Image Creation | A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment (Citation: Microsoft Image)(Citation: Amazon AMI) | Image Creation | Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT) |
| DS0007 | Image | Image: Image Modification | A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment (Citation: Microsoft Image)(Citation: Amazon AMI) | Image Modification | Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH) |
| DS0007 | Image | Image: Image Deletion | A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment (Citation: Microsoft Image)(Citation: Amazon AMI) | Image Deletion | Removal of a virtual machine image (ex: Azure Compute Service Images DELETE) |
| DS0007 | Image | Image: Image Metadata | A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment (Citation: Microsoft Image)(Citation: Amazon AMI) | Image Metadata | Contextual data about a virtual machine image such as name, resource group, state, or type |
| DS0006 | Web Credential | Web Credential: Web Credential Creation | Credential material, such as session cookies or tokens, used to authenticate to web applications and services (Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens) | Web Credential Creation | Initial construction of new web credential material (ex: Windows EID 1200 or 4769) |
| DS0006 | Web Credential | Web Credential: Web Credential Usage | Credential material, such as session cookies or tokens, used to authenticate to web applications and services (Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens) | Web Credential Usage | An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202) |
| DS0023 | Named Pipe | Named Pipe: Named Pipe Metadata | Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it (Citation: Microsoft Named Pipes) | Named Pipe Metadata | Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18) |
| DS0037 | Certificate | Certificate: Certificate Registration | A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications | Certificate Registration | Queried or logged information highlighting current and expired digital certificates (ex: Certificate Transparency) |
| DS0005 | WMI | WMI: WMI Creation | The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers (Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture) | WMI Creation | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) |
| DS0010 | Cloud Storage | Cloud Storage: Cloud Storage Creation | Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Cloud Storage Creation | Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket) |
| DS0010 | Cloud Storage | Cloud Storage: Cloud Storage Modification | Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Cloud Storage Modification | Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl) |
| DS0010 | Cloud Storage | Cloud Storage: Cloud Storage Deletion | Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Cloud Storage Deletion | Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket) |
| DS0010 | Cloud Storage | Cloud Storage: Cloud Storage Metadata | Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Cloud Storage Metadata | Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner |
| DS0010 | Cloud Storage | Cloud Storage: Cloud Storage Enumeration | Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Cloud Storage Enumeration | An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects) |
| DS0010 | Cloud Storage | Cloud Storage: Cloud Storage Access | Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Cloud Storage Access | Opening of cloud storage infrastructure, typically to collect/read its contents (ex: AWS S3 GetObject) |
| DS0035 | Internet Scan | Internet Scan: Response Metadata | Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet | Response Metadata | Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports |
| DS0035 | Internet Scan | Internet Scan: Response Content | Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet | Response Content | Logged network traffic in response to a scan showing both protocol header and body values |
| DS0021 | Persona | Persona: Social Media | A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims | Social Media | Established, compromised, or otherwise acquired social media personas |
| DS0036 | Group | Group: Group Metadata | A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights (Citation: Amazon IAM Groups) | Group Metadata | Contextual data that describes a group and activity around it, such as name, permissions, or user accounts within the group |
| DS0036 | Group | Group: Group Enumeration | A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights (Citation: Amazon IAM Groups) | Group Enumeration | An extracted list of available groups and/or their associated settings (ex: AWS list-groups) |
| DS0036 | Group | Group: Group Modification | A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights (Citation: Amazon IAM Groups) | Group Modification | Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup) |
| DS0015 | Application Log | Application Log: Application Log Content | Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform) (Citation: Confluence Logs) | Application Log Content | Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications) |
| DS0028 | Logon Session | Logon Session: Logon Session Metadata | Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization (Citation: Microsoft Audit Logon Events) | Logon Session Metadata | Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it |
| DS0028 | Logon Session | Logon Session: Logon Session Creation | Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization (Citation: Microsoft Audit Logon Events) | Logon Session Creation | Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wtmp) |
| DS0030 | Instance | Instance: Instance Creation | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers (Citation: Amazon VM)(Citation: Google VM) | Instance Creation | Initial construction of a new instance (ex: instance.insert within GCP Audit Logs) |
| DS0030 | Instance | Instance: Instance Modification | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers (Citation: Amazon VM)(Citation: Google VM) | Instance Modification | Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs) |
| DS0030 | Instance | Instance: Instance Deletion | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers (Citation: Amazon VM)(Citation: Google VM) | Instance Deletion | Removal of an instance (ex: instance.delete within GCP Audit Logs) |
| DS0030 | Instance | Instance: Instance Metadata | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers (Citation: Amazon VM)(Citation: Google VM) | Instance Metadata | Contextual data about an instance and activity around it such as name, type, or status |
| DS0030 | Instance | Instance: Instance Enumeration | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers (Citation: Amazon VM)(Citation: Google VM) | Instance Enumeration | An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs) |
| DS0030 | Instance | Instance: Instance Start | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers (Citation: Amazon VM)(Citation: Google VM) | Instance Start | Activation or invocation of an instance (ex: instance.start within GCP Audit Logs) |
| DS0030 | Instance | Instance: Instance Stop | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers (Citation: Amazon VM)(Citation: Google VM) | Instance Stop | Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs) |
| DS0013 | Sensor Health | Sensor Health: Host Status | Information from host telemetry providing insights about system status, errors, or other notable functional activity | Host Status | Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) |
| DS0022 | File | File: File Metadata | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media) (Citation: Microsoft File Mgmt) | File Metadata | Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
| DS0022 | File | File: File Creation | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media) (Citation: Microsoft File Mgmt) | File Creation | Initial construction of a new file (ex: Sysmon EID 11) |
| DS0022 | File | File: File Deletion | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media) (Citation: Microsoft File Mgmt) | File Deletion | Removal of a file (ex: Sysmon EID 23) |
| DS0022 | File | File: File Access | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media) (Citation: Microsoft File Mgmt) | File Access | Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663) |
| DS0022 | File | File: File Modification | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media) (Citation: Microsoft File Mgmt) | File Modification | Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2) |
| DS0016 | Drive | Drive: Drive Creation | A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter (Citation: Sysmon EID 9) | Drive Creation | Initial construction of a drive letter or mount point to a data storage device |
| DS0016 | Drive | Drive: Drive Modification | A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter (Citation: Sysmon EID 9) | Drive Modification | Changes made to a drive letter or mount point of a data storage device |
| DS0016 | Drive | Drive: Drive Access | A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter (Citation: Sysmon EID 9) | Drive Access | Opening of a data storage device with an assigned drive letter or mount point |
| DS0020 | Snapshot | Snapshot: Snapshot Creation | A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments (Citation: Microsoft Snapshot)(Citation: Amazon Snapshots) | Snapshot Creation | Initial construction of a new snapshot (ex: AWS create-snapshot) |
| DS0020 | Snapshot | Snapshot: Snapshot Modification | A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments (Citation: Microsoft Snapshot)(Citation: Amazon Snapshots) | Snapshot Modification | Changes made to a snapshot, such as metadata and control data (ex: AWS modify-snapshot-attribute) |
| DS0020 | Snapshot | Snapshot: Snapshot Deletion | A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments (Citation: Microsoft Snapshot)(Citation: Amazon Snapshots) | Snapshot Deletion | Removal of a snapshot (ex: AWS delete-snapshot) |
| DS0020 | Snapshot | Snapshot: Snapshot Metadata | A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments (Citation: Microsoft Snapshot)(Citation: Amazon Snapshots) | Snapshot Metadata | Contextual data about a snapshot, which may include information such as ID, type, and status |
| DS0020 | Snapshot | Snapshot: Snapshot Enumeration | A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments (Citation: Microsoft Snapshot)(Citation: Amazon Snapshots) | Snapshot Enumeration | An extracted list of snapshots within a cloud environment (ex: AWS describe-snapshots) |
| DS0017 | Command | Command: Command Execution | A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task (Citation: Confluence Linux Command Line)(Citation: Audit OSX) | Command Execution | Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history) |
| DS0008 | Kernel | Kernel: Kernel Module Load | A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components (Citation: STIG Audit Kernel Modules)(Citation: Init Man Page) | Kernel Module Load | An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls |
| DS0027 | Driver | Driver: Driver Metadata | A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used (Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers) | Driver Metadata | Contextual data about a driver and activity around it such as driver issue reporting or integrity (page hash, code) checking |
| DS0027 | Driver | Driver: Driver Load | A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used (Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers) | Driver Load | Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6) |
| DS0034 | Volume | Volume: Volume Creation | Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Volume Creation | Initial construction of a cloud volume (ex: AWS create-volume) |
| DS0034 | Volume | Volume: Volume Modification | Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Volume Modification | Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume) |
| DS0034 | Volume | Volume: Volume Deletion | Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Volume Deletion | Removal of a cloud volume (ex: AWS delete-volume) |
| DS0034 | Volume | Volume: Volume Metadata | Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Volume Metadata | Contextual data about a cloud volume and activity around it, such as ID, type, state, and size |
| DS0034 | Volume | Volume: Volume Enumeration | Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives (Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) | Volume Enumeration | An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes) |
| DS0025 | Cloud Service | Cloud Service: Cloud Service Metadata | Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon AWS)(Citation: Azure Products) | Cloud Service Metadata | Contextual data about a cloud service and activity around it such as name, type, or purpose/function |
| DS0025 | Cloud Service | Cloud Service: Cloud Service Disable | Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon AWS)(Citation: Azure Products) | Cloud Service Disable | Deactivation or stoppage of a cloud service (ex: AWS CloudTrail StopLogging) |
| DS0025 | Cloud Service | Cloud Service: Cloud Service Enumeration | Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon AWS)(Citation: Azure Products) | Cloud Service Enumeration | An extracted list of cloud services (ex: AWS ECS ListServices) |
| DS0025 | Cloud Service | Cloud Service: Cloud Service Modification | Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs (Citation: Amazon AWS)(Citation: Azure Products) | Cloud Service Modification | Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule) |
| DS0004 | Malware Repository | Malware Repository: Malware Metadata | Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries | Malware Metadata | Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information |
| DS0004 | Malware Repository | Malware Repository: Malware Content | Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries | Malware Content | Code, strings, and other signatures that comprise a malicious payload |
| DS0033 | Network Share | Network Share: Network Share Access | A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS) (Citation: Microsoft NFS Overview) | Network Share Access | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) |
| DS0029 | Network Traffic | Network Traffic: Network Traffic Flow | Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: NetFlow) and/or captured as raw data in an analyzable format (ex: PCAP) | Network Traffic Flow | Summarized network packet data, with metrics such as protocol headers and volume (ex: NetFlow or Zeek http.log) |
| DS0029 | Network Traffic | Network Traffic: Network Traffic Content | Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: NetFlow) and/or captured as raw data in an analyzable format (ex: PCAP) | Network Traffic Content | Logged network traffic data showing both protocol header and body values (ex: PCAP) |
| DS0029 | Network Traffic | Network Traffic: Network Connection Creation | Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: NetFlow) and/or captured as raw data in an analyzable format (ex: PCAP) | Network Connection Creation | Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log) |
| DS0031 | Cluster | Cluster: Cluster Metadata | A set of containerized computing resources that are managed together but have separate nodes to execute various tasks and/or applications (Citation: Kube Cluster Admin)(Citation: Kube Cluster Info) | Cluster Metadata | Contextual data about a cluster and activity around it such as name, namespace, age, or status |
| DS0003 | Scheduled Job | Scheduled Job: Scheduled Job Metadata | Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS) (Citation: Microsoft Tasks) | Scheduled Job Metadata | Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. |
| DS0003 | Scheduled Job | Scheduled Job: Scheduled Job Creation | Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS) (Citation: Microsoft Tasks) | Scheduled Job Creation | Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs) |
| DS0003 | Scheduled Job | Scheduled Job: Scheduled Job Modification | Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS) (Citation: Microsoft Tasks) | Scheduled Job Modification | Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs) |
| DS0001 | Firmware | Firmware: Firmware Modification | Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI | Firmware Modification | Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record) |
| DS0026 | Active Directory | Active Directory: Active Directory Object Creation | A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices) (Citation: Microsoft AD DS Getting Started) | Active Directory Object Creation | Initial construction of a new Active Directory object (ex: Windows EID 5137) |
| DS0026 | Active Directory | Active Directory: Active Directory Object Deletion | A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices) (Citation: Microsoft AD DS Getting Started) | Active Directory Object Deletion | Removal of an Active Directory object (ex: Windows EID 5141) |
| DS0026 | Active Directory | Active Directory: Active Directory Object Modification | A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices) (Citation: Microsoft AD DS Getting Started) | Active Directory Object Modification | Changes made to an Active Directory object (ex: Windows EID 5163 or 5136) |
| DS0026 | Active Directory | Active Directory: Active Directory Credential Request | A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices) (Citation: Microsoft AD DS Getting Started) | Active Directory Credential Request | A user requested Active Directory credentials, such as a ticket or token (ex: Windows EID 4769) |
| DS0026 | Active Directory | Active Directory: Active Directory Object Access | A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices) (Citation: Microsoft AD DS Getting Started) | Active Directory Object Access | Opening of an Active Directory object, typically to collect/read its value (ex: Windows EID 4661) |
| 94 | DS0019 | Service | Service: Service Metadata | A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels) | Service Metadata | Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. |
| 95 | DS0019 | Service | Service: Service Creation | A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels) | Service Creation | Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs) |
| 96 | DS0019 | Service | Service: Service Modification | A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels) | Service Modification | Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs) |
| 97 | DS0038 | Domain Name | Domain Name: Passive DNS | Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org) | Passive DNS | Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS) |
| 98 | DS0038 | Domain Name | Domain Name: Active DNS | Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org) | Active DNS | Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries) |
| 99 | DS0038 | Domain Name | Domain Name: Domain Registration | Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org) | Domain Registration | Information about domain name assignments and other domain metadata (ex: WHOIS) |
| 100 | DS0009 | Process | Process: Process Metadata | Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads) | Process Metadata | Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc. |
| 101 | DS0009 | Process | Process: Process Creation | Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads) | Process Creation | Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688) |
| 102 | DS0009 | Process | Process: Process Termination | Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads) | Process Termination | Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689) |
| 103 | DS0009 | Process | Process: Process Modification | Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads) | Process Modification | Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8) |
| 104 | DS0009 | Process | Process: Process Access | Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads) | Process Access | Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10) |
| 105 | DS0009 | Process | Process: OS API Execution | Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads) | OS API Execution | Operating system function/method calls executed by a process |
| 106 | DS0018 | Firewall | Firewall: Firewall Metadata | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Metadata | Contextual data about a firewall and activity around it such as name, policy, or status |
| 107 | DS0018 | Firewall | Firewall: Firewall Disable | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Disable | Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs) |
| 108 | DS0018 | Firewall | Firewall: Firewall Rule Modification | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Rule Modification | Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs) |
| 109 | DS0018 | Firewall | Firewall: Firewall Enumeration | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) | Firewall Enumeration | An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
| 110 | DS0011 | Module | Module: Module Load | Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class) | Module Load | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) |