Data Components identify the specific properties/values relevant to detecting a given ATT&CK technique or sub-technique.
| ID | Name | Domain | Description |
|---|---|---|---|
| DC0084 | Active Directory Credential Request | Enterprise | Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples: |
| DC0071 | Active Directory Object Access | Enterprise | Object access refers to activities where AD objects (e.g., user accounts, groups, policies) are accessed or queried. Example: Windows Event ID 4661 logs object access attempts. Examples: |
| DC0087 | Active Directory Object Creation | Enterprise | Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples: |
| DC0068 | Active Directory Object Deletion | Enterprise | Object deletion in AD (e.g., user accounts, groups, OUs) is logged as Event ID 5141. Examples: |
| DC0066 | Active Directory Object Modification | Enterprise | Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples: |
| DC0103 | Active DNS | Enterprise | The "Domain Name: Active DNS" data component captures queried DNS registry data that highlights current domain-to-IP address resolutions. This data includes both direct queries to DNS servers and records that provide mappings between domain names and associated IP addresses. It serves as a critical resource for tracking active infrastructure and understanding the network footprint of an organization or adversary. Examples: |
| DC0112 | API Calls | Mobile | API calls utilized by an application that could indicate malicious activity. |
| DC0119 | Application Assets | Mobile | Additional assets included with an application. |
| DC0038 | Application Log Content | ICS, Enterprise | Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: |
| DC0110 | Asset Inventory | ICS | This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses). |
| DC0093 | Certificate Registration | Enterprise | Certificate Registration refers to the collection and analysis of information about digital certificates, including current, revoked, and expired certificates. Sources such as Certificate Transparency logs and other public resources provide visibility into certificates issued for specific domains or organizations. Monitoring certificate registrations can help identify potential misuse, such as unauthorized certificates or signs of adversary reconnaissance. Examples: |
| DC0090 | Cloud Service Disable | Enterprise | This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (StopLogging API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples: |
| DC0083 | Cloud Service Enumeration | Enterprise | Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Examples: |
| DC0070 | Cloud Service Metadata | Enterprise | Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples: |
| DC0069 | Cloud Service Modification | Enterprise | Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples: |
| DC0025 | Cloud Storage Access | Enterprise | Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples: |
| DC0024 | Cloud Storage Creation | Enterprise | Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples: |
| DC0022 | Cloud Storage Deletion | Enterprise | Cloud Storage Deletion refers to the removal or destruction of cloud storage infrastructure, such as buckets, containers, or directories, within a cloud environment. Monitoring this activity is critical to detecting potential unauthorized or malicious actions, such as data destruction by adversaries or accidental deletions that may lead to data loss. Examples: |
| DC0017 | Cloud Storage Enumeration | Enterprise | Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources. Examples: |
| DC0027 | Cloud Storage Metadata | Enterprise | Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples: |
| DC0023 | Cloud Storage Modification | Enterprise | Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples: |
| DC0064 | Command Execution | ICS, Mobile, Enterprise | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as cmd.exe, bash, zsh, PowerShell, or programmatic execution. Examples: |
| DC0072 | Container Creation | Enterprise | The "Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples: |
| DC0091 | Container Enumeration | Enterprise | The "Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples: |
| DC0077 | Container Start | Enterprise | The "Container Start" data component captures events related to the activation or invocation of a container within a containerized environment. This includes starting a previously stopped container, restarting an existing container, or initializing a container for runtime. Monitoring these activities is critical for identifying unauthorized or unexpected container activations, which may indicate potential adversarial activity or misconfigurations. Examples: |
| DC0108 | Device Alarm | ICS | This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes. |
| DC0101 | Domain Registration | Enterprise | The "Domain Name: Domain Registration" data component captures information about the assignment, ownership, and metadata of domain names. This information is often sourced from registries like WHOIS and includes details such as registrant names, contact information, registration dates, expiration dates, and registrar details. This data is invaluable for tracking domain ownership, detecting malicious domain registrations, and identifying trends in adversary behavior. Examples: |
| DC0054 | Drive Access | Enterprise | Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., C:\, /mnt/drive) or mount point. Examples: |
| DC0042 | Drive Creation | ICS, Enterprise | The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: |
| DC0046 | Drive Modification | Enterprise, ICS | The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples: |
| DC0079 | Driver Load | Enterprise | The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples: |
| DC0074 | Driver Metadata | Enterprise | Refers to contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples: |
| DC0055 | File Access | ICS, Enterprise | Refers to events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: |
| DC0039 | File Creation | ICS, Enterprise | A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). |
| DC0040 | File Deletion | ICS, Enterprise | Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities. |
| DC0059 | File Metadata | ICS, Enterprise | Contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: |
| DC0061 | File Modification | ICS, Enterprise | Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: |
| DC0043 | Firewall Disable | Enterprise | The deactivation, misconfiguration, or complete stoppage of firewall services, either on a host or in a cloud control plane. Such activity may involve turning off firewalls, modifying rules to disable protection, or deleting firewall-related configurations and activity logs. Examples: |
| DC0044 | Firewall Enumeration | Enterprise | Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples: |
| DC0053 | Firewall Metadata | Enterprise | Contextual information about firewalls, including their configurations, policies, status, and other details such as names and associated rules. This metadata provides valuable insights into the operational state and configurations of firewalls, both in cloud control planes and host systems. Examples: |
| DC0051 | Firewall Rule Modification | Enterprise | The creation, deletion, or alteration of firewall rules to allow or block specific network traffic. Monitoring changes to these rules is critical for detecting misconfigurations, unauthorized access, or malicious attempts to bypass network protections. Examples: |
| DC0004 | Firmware Modification | ICS, Enterprise | Changes made to firmware, which may include its settings, configurations, or underlying data. This can encompass alterations to the Master Boot Record (MBR), Volume Boot Record (VBR), or other firmware components critical to system boot and functionality. Such modifications are often indicators of adversary activity, including malware persistence and system compromise. Examples: |
| DC0099 | Group Enumeration | Enterprise | Extracting group lists from identity systems identifies permissions, roles, or configurations. Adversaries may exploit high-privilege groups or misconfigurations. Examples: |
| DC0105 | Group Metadata | Enterprise | Group metadata includes attributes like name, permissions, purpose, and associated user accounts or roles, which adversaries may exploit for privilege escalation. Examples: |
| DC0094 | Group Modification | Enterprise | Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup). Examples: |
| DC0018 | Host Status | Mobile, Enterprise | Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries. |
| DC0015 | Image Creation | Enterprise | Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples: |
| DC0026 | Image Deletion | Enterprise | Removal of a virtual machine image in a cloud infrastructure (ex: Azure Compute Service Images DELETE). Examples: |
| DC0028 | Image Metadata | Enterprise | Contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples: |
| DC0036 | Image Modification | Enterprise | Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH). |
| DC0076 | Instance Creation | Enterprise | The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples: |
| DC0081 | Instance Deletion | Enterprise | Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples: |
| DC0075 | Instance Enumeration | Enterprise | The process of retrieving or querying a list of virtual machine instances or compute instances within a cloud infrastructure. This activity provides a view of all available or running instances, typically including their associated metadata such as instance ID, name, state, and configuration details. Examples: |
| DC0086 | Instance Metadata | Enterprise | Contextual data about an instance and activity around it, such as name, type, or status. |
| DC0073 | Instance Modification | Enterprise | Changes made to a virtual machine (VM) or compute instance, including alterations to its configuration, metadata, attached policies, or operational state. Such modifications can include updating metadata, attaching or detaching resource policies, resizing instances, or modifying network configurations. Examples: |
| DC0080 | Instance Start | Enterprise | The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples: |
| DC0089 | Instance Stop | Enterprise | The deactivation or shutdown of a virtual machine instance within a cloud infrastructure. This action typically involves stopping a running instance, which halts its operation and releases certain associated resources, such as CPU and memory. Examples: |
| DC0031 | Kernel Module Load | Enterprise | The process of loading a kernel module into the operating system kernel. Kernel modules are object files that extend the kernel's functionality, such as adding support for device drivers, new filesystems, or additional system calls. This action can be legitimate (e.g., loading a driver) or malicious (e.g., adding a rootkit). |
| DC0067 | Logon Session Creation | ICS, Enterprise | The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: |
| DC0088 | Logon Session Metadata | ICS, Enterprise | Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it. |
| DC0011 | Malware Content | Enterprise | Code, strings, signatures, and other identifying characteristics of a malicious payload stored within a malware repository. It includes both static (file-based) and dynamic (behavioral or execution-based) components that can be analyzed for threat intelligence, detection, and prevention purposes. Examples: |
| DC0003 | Malware Metadata | Enterprise | Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. |
| DC0016 | Module Load | ICS, Enterprise | When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components. |
| DC0048 | Named Pipe Metadata | Enterprise | Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18). |
| DC0113 | Network Communication | Mobile | Network requests made by an application or domains contacted. |
| DC0082 | Network Connection Creation | ICS, Mobile, Enterprise | The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities. |
| DC0102 | Network Share Access | ICS, Enterprise | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145). |
| DC0085 | Network Traffic Content | ICS, Mobile, Enterprise | The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations. |
| DC0078 | Network Traffic Flow | ICS, Mobile, Enterprise | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. |
| DC0021 | OS API Execution | ICS, Mobile, Enterprise | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. |
| DC0096 | Passive DNS | Enterprise | The "Domain Name: Passive DNS" data component captures logged historical and real-time domain name system (DNS) data. This includes records of domain-to-IP address resolutions over time, enabling analysts to track the evolution of domain infrastructure, uncover historical patterns of use, and detect malicious activities tied to domains and their associated IP addresses. Examples: |
| DC0116 | Permissions Request | Mobile | System prompts triggered when an application requests new or additional permissions. |
| DC0114 | Permissions Requests | Mobile | Permissions declared in an application's manifest or property list file. |
| DC0019 | Pod Creation | Enterprise | The initial deployment or instantiation of a new pod in a containerized environment. This includes creating a pod manually, through orchestration tools (Kubernetes), or via Infrastructure-as-Code (IaC) configurations. A Pod is the smallest deployable unit in Kubernetes, typically containing one or more containers. Creation methods include direct pod deployment (kubectl run, kubectl apply), automated deployment via CI/CD pipelines (e.g., ArgoCD, Jenkins, GitOps), Infrastructure-as-Code (IaC) templates (e.g., Terraform, Helm Charts), and API-based deployments via the Kubernetes control plane (create_pod API calls). Pods can be ephemeral (short-lived) or persistent (part of a StatefulSet or Deployment). |
| DC0037 | Pod Enumeration | Enterprise | Extracting a list of running or existing pods within a containerized cluster environment. Pods are the smallest deployable units in a Kubernetes cluster and typically represent an application or workload. Enumeration of pods provides insight into the structure and state of applications running in the cluster, such as the names of pods, their namespaces, and their associated metadata. |
| DC0030 | Pod Modification | Enterprise | Changes made to a pod's configuration or control data within a containerized cluster. This can include updating settings such as resource limits, environment variables, annotations, labels, or even the containers running within the pod. Pod modifications are often executed using commands like kubectl set, kubectl patch, or kubectl edit. |
| DC0035 | Process Access | Enterprise | Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection. |
| DC0032 | Process Creation | ICS, Mobile, Enterprise | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts. |
| DC0107 | Process History/Live Data | ICS | This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices. |
| DC0034 | Process Metadata | ICS, Mobile, Enterprise | Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc. |
| DC0020 | Process Modification | Enterprise | Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges. |
| DC0033 | Process Termination | ICS, Mobile, Enterprise | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. |
| DC0109 | Process/Event Alarm | ICS | This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure). |
| DC0115 | Protected Configuration | Mobile | Device configuration options that are not typically utilized by benign applications. |
| DC0104 | Response Content | Enterprise | Captured network traffic that provides details about responses received during an internet scan. This data includes both protocol header values (e.g., HTTP status codes, IP headers, or DNS response codes) and response body content (e.g., HTML, JSON, or raw data). Examples: |
| DC0106 | Response Metadata | Enterprise | Contextual information about an Internet-facing resource collected during a scan, including details such as open ports, running services, protocols, and versions. This metadata is typically derived from interpreting scan results and helps build a profile of the targeted system. Examples: |
| DC0001 | Scheduled Job Creation | ICS, Enterprise | The establishment of a task or job that will execute at a predefined time or based on specific triggers. |
| DC0005 | Scheduled Job Metadata | Enterprise, ICS | Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. |
| DC0012 | Scheduled Job Modification | ICS, Enterprise | Changes made to an existing scheduled job, including modifications to its execution parameters, command payload, or execution timing. |
| DC0029 | Script Execution | ICS, Enterprise | The execution of a text file that contains code via the interpreter. |
| DC0060 | Service Creation | ICS, Enterprise | The registration of a new service or daemon on an operating system. |
| DC0041 | Service Metadata | ICS, Enterprise | Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. |
| DC0065 | Service Modification | ICS, Enterprise | Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations. |
| DC0057 | Snapshot Creation | Enterprise | The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments. |
| DC0049 | Snapshot Deletion | Enterprise | The removal of a point-in-time backup of a cloud storage volume, virtual machine (VM), or database. |
| DC0047 | Snapshot Enumeration | Enterprise | The process of listing or retrieving metadata about existing snapshots in a cloud environment. |
| DC0062 | Snapshot Metadata | Enterprise | Contextual data about a snapshot, which may include information such as ID, type, and status. |
| DC0058 | Snapshot Modification | Enterprise | Changes made to a cloud snapshot's metadata, attributes, or control settings. These modifications may involve adjusting access permissions, changing retention policies, or altering encryption settings. |
| DC0052 | Social Media | Enterprise | Established, compromised, or otherwise acquired by adversaries to conduct reconnaissance, influence operations, social engineering, or other cyber threats. |
| DC0111 | Software | ICS | This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures). |
| DC0117 | System Notifications | Mobile | Notifications generated by the OS. |
| DC0118 | System Settings | Mobile | Settings visible to the user on the device. |
| DC0002 | User Account Authentication | ICS, Enterprise | An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation. |
| DC0014 | User Account Creation | Enterprise | The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system. |
| DC0009 | User Account Deletion | Enterprise | The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service. |
| DC0013 | User Account Metadata | Enterprise | Contextual data about an account, which may include a username, user ID, environmental data, etc. |
| DC0010 | User Account Modification | Enterprise | Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships. |
| DC0097 | Volume Creation | Enterprise | The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling. |
| DC0098 | Volume Deletion | Enterprise | The removal of a cloud-based or on-premise block storage volume. This action permanently deletes the allocated storage and may result in data loss if not backed up. |
| DC0095 | Volume Enumeration | Enterprise | An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes). |
| DC0100 | Volume Metadata | Enterprise | Contextual data about a cloud volume and activity around it, such as id, type, state, and size. |
| DC0092 | Volume Modification | Enterprise | Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume). |
| DC0006 | Web Credential Creation | Enterprise | Initial construction of new web credential material (ex: Windows EID 1200 or 4769). |
| DC0007 | Web Credential Usage | Enterprise | An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202). |
| DC0050 | Windows Registry Key Access | Enterprise | The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies. |
| DC0056 | Windows Registry Key Creation | Enterprise | Initial construction of a new registry key within the Windows operating system. |
| DC0045 | Windows Registry Key Deletion | ICS, Enterprise | The removal of a registry key within the Windows operating system. |
| DC0063 | Windows Registry Key Modification | ICS, Enterprise | Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings. |
| DC0008 | WMI Creation | Enterprise | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers. |