Data Sources

Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Data sources also include data components, which identify specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique.

ID Name Domain Description
DS0026 Active Directory Enterprise

A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)

DS0015 Application Log Enterprise
ICS

Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)

DS0041 Application Vetting Mobile

Application vetting report generated by an external cloud service.

DS0039 Asset ICS

Data sources with information about the set of devices found within the network, along with their current software and configurations

DS0037 Certificate Enterprise

A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications

DS0025 Cloud Service Enterprise

Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs

DS0010 Cloud Storage Enterprise

Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs

DS0017 Command Enterprise
Mobile

A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task

DS0032 Container Enterprise

A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another

DS0038 Domain Name Enterprise

Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)

DS0016 Drive Enterprise

A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter

DS0027 Driver Enterprise

A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used

DS0022 File Enterprise

A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).

DS0018 Firewall Enterprise

A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules

DS0001 Firmware Enterprise

Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI

DS0036 Group Enterprise

A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights

DS0007 Image Enterprise

A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment

DS0030 Instance Enterprise

A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers

DS0035 Internet Scan Enterprise

Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet

DS0008 Kernel Enterprise

A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components

DS0028 Logon Session Enterprise

Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization

DS0004 Malware Repository Enterprise

Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries

DS0011 Module Enterprise

Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries

DS0023 Named Pipe Enterprise

Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it

DS0033 Network Share Enterprise

A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)

DS0029 Network Traffic Enterprise
Mobile

Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)

DS0040 Operational Databases ICS

Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred

DS0021 Persona Enterprise

A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims

DS0014 Pod Enterprise

A single unit of shared resources within a cluster, comprised of one or more containers

DS0009 Process Enterprise
Mobile

Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures

DS0003 Scheduled Job Enterprise

Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)

DS0012 Script Enterprise

A file or stream containing a list of commands, allowing them to be launched in sequence

DS0013 Sensor Health Enterprise
Mobile

Information from host telemetry providing insights about system status, errors, or other notable functional activity

DS0019 Service Enterprise

A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in

DS0020 Snapshot Enterprise

A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments

DS0002 User Account Enterprise

A profile representing a user, device, service, or application used to authenticate and access resources

DS0042 User Interface Mobile

Visual activity on the device that could alert the user to potentially malicious behavior.

DS0034 Volume Enterprise

Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives

DS0006 Web Credential Enterprise

Credential material, such as session cookies or tokens, used to authenticate to web applications and services

DS0024 Windows Registry Enterprise
ICS

A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations

DS0005 WMI Enterprise

The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers