MITRE ATT&CK Data Sources
MITRE ATT&CK Data Sources vs. Componentsβ
Data Sources in the context of MITRE ATT&CK refer to the categories of information that can be used to detect specific MITRE ATT&CK Techniques. Examples include application logs, process monitoring data, network traffic logs, and authentication logs.
Data Components are the granular pieces of information that can be derived from Data Sources. Each Data Source is sub-categorized into one or more Data Components. They represent the actual observables or artifacts that can be used to indicate suspicious or malicious activity, such as process creation events, command-line arguments, or network connection details.
Correlation to MITRE ATT&CK Techniquesβ
Each technique detailed in the MITRE ATT&CK matrix is associated with one or more data sources and components - this can be seen under the technique's Detection section. By understanding the relationship between a technique and its data sources, CPTs can tailor their data collection to the specific behaviors exhibited by APTs. For example, the technique T1059.001: PowerShell could be correlated to data sources such as Command and Process logs, and further down to the specifc data components Command: Command Execution and Process: Process Creation.

Shown above is this example technique's Data Sources/Components listed under the Detection section.
MITRE ATT&CK Data Source/Component Tableβ
| ID | Data Source/Component | Description |
|---|---|---|
| DS0026 | Active Directory | A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started) |
| Active Directory: Active Directory Credential Request | A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769) | |
| Active Directory: Active Directory Object Access | Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661) | |
| Active Directory: Active Directory Object Creation | Initial construction of a new active directory object (ex: Windows EID 5137) | |
| Active Directory: Active Directory Object Deletion | Removal of an active directory object (ex: Windows EID 5141) | |
| Active Directory: Active Directory Object Modification | Changes made to an active directory object (ex: Windows EID 5163 or 5136) | |
| DS0039 | Asset | Data sources with information about the set of devices found within the network, along with their current software and configurations |
| Asset: Asset Inventory | This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses) | |
| Asset: Software | This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures). | |
| DS0015 | Application Log | Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs) |
| Application Log: Application Log Content | Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications) | |
| DS0037 | Certificate | A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications |
| Certificate: Certificate Registration | Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency) | |
| DS0025 | Cloud Service | Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products) |
| Cloud Service: Cloud Service Disable | Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging) | |
| Cloud Service: Cloud Service Enumeration | An extracted list of cloud services (ex: AWS ECS ListServices) | |
| Cloud Service: Cloud Service Metadata | Contextual data about a cloud service and activity around it such as name, type, or purpose/function | |
| Cloud Service: Cloud Service Modification | Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule) | |
| DS0010 | Cloud Storage | Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) |
| Cloud Storage: Cloud Storage Access | Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject) | |
| Cloud Storage: Cloud Storage Creation | Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket) | |
| Cloud Storage: Cloud Storage Deletion | Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket) | |
| Cloud Storage: Cloud Storage Enumeration | An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects) | |
| Cloud Storage: Cloud Storage Metadata | Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner | |
| Cloud Storage: Cloud Storage Modification | Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl) | |
| DS0017 | Command | A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX) |
| Command: Command Execution | The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. ) | |
| DS0032 | Container | A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container) |
| Container: Container Creation | Initial construction of a new container (ex: docker create <container_name>) | |
| Container: Container Enumeration | An extracted list of containers (ex: docker ps) | |
| Container: Container Start | Activation or invocation of a container (ex: docker start or docker restart) | |
| DS0038 | Domain Name | Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org) |
| Domain Name: Active DNS | Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries) | |
| Domain Name: Domain Registration | Information about domain name assignments and other domain metadata (ex: WHOIS) | |
| Domain Name: Passive DNS | Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS) | |
| DS0016 | Drive | A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9) |
| Drive: Drive Access | Opening of a data storage device with an assigned drive letter or mount point | |
| Drive: Drive Creation | Initial construction of a drive letter or mount point to a data storage device | |
| Drive: Drive Modification | Changes made to a drive letter or mount point of a data storage device | |
| DS0027 | Driver | A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers) |
| Driver: Driver Load | Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6) | |
| Driver: Driver Metadata | Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking | |
| DS0022 | File | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt) |
| File: File Access | Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663) | |
| File: File Creation | Initial construction of a new file (ex: Sysmon EID 11) | |
| File: File Deletion | Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules) | |
| File: File Metadata | Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc. | |
| File: File Modification | Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2) | |
| DS0018 | Firewall | A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) |
| Firewall: Firewall Disable | Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs) | |
| Firewall: Firewall Enumeration | An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) | |
| Firewall: Firewall Metadata | Contextual data about a firewall and activity around it such as name, policy, or status | |
| Firewall: Firewall Rule Modification | Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs) | |
| DS0001 | Firmware | Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI |
| Firmware: Firmware Modification | Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record) | |
| DS0036 | Group | A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups) |
| Group: Group Enumeration | An extracted list of available groups and/or their associated settings (ex: AWS list-groups) | |
| Group: Group Metadata | Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group | |
| Group: Group Modification | Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup) | |
| DS0007 | Image | A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI) |
| Image: Image Creation | Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT) | |
| Image: Image Deletion | Removal of a virtual machine image (ex: Azure Compute Service Images DELETE) | |
| Image: Image Metadata | Contextual data about a virtual machine image such as name, resource group, state, or type | |
| Image: Image Modification | Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH) | |
| DS0030 | Instance | A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM) |
| Instance: Instance Creation | Initial construction of a new instance (ex: instance.insert within GCP Audit Logs) | |
| Instance: Instance Deletion | Removal of an instance (ex: instance.delete within GCP Audit Logs) | |
| Instance: Instance Enumeration | An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs) | |
| Instance: Instance Metadata | Contextual data about an instance and activity around it such as name, type, or status | |
| Instance: Instance Modification | Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs) | |
| Instance: Instance Start | Activation or invocation of an instance (ex: instance.start within GCP Audit Logs) | |
| Instance: Instance Stop | Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs) | |
| DS0035 | Internet Scan | Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet |
| Internet Scan: Response Content | Logged network traffic in response to a scan showing both protocol header and body values | |
| Internet Scan: Response Metadata | Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports | |
| DS0008 | Kernel | A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page) |
| Kernel: Kernel Module Load | An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls | |
| DS0028 | Logon Session | Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events) |
| Logon Session: Logon Session Creation | Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp) | |
| Logon Session: Logon Session Metadata | Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it | |
| DS0004 | Malware Repository | Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries |
| Malware Repository: Malware Content | Code, strings, and other signatures that compromise a malicious payload | |
| Malware Repository: Malware Metadata | Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information | |
| DS0011 | Module | Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class) |
| Module: Module Load | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) | |
| DS0023 | Named Pipe | Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes) |
| Named Pipe: Named Pipe Metadata | Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18) | |
| DS0033 | Network Share | A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview) |
| Network Share: Network Share Access | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) | |
| DS0029 | Network Traffic | Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP) |
| Network Traffic: Network Connection Creation | Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log) | |
| Network Traffic: Network Traffic Content | Logged network traffic data showing both protocol header and body values (ex: PCAP) | |
| Network Traffic: Network Traffic Flow | Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log) | |
| DS0021 | Persona | A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims |
| Persona: Social Media | Established, compromised, or otherwise acquired social media personas | |
| DS0014 | Pod | A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) |
| Pod: Pod Creation | Initial construction of a new pod (ex: kubectl apply/run) | |
| Pod: Pod Enumeration | An extracted list of pods within a cluster (ex: kubectl get pods) | |
| Pod: Pod Modification | Changes made to a pod, including its settings and/or control data (ex: kubectl set/patch/edit) | |
| DS0009 | Process | Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads) |
| Process: OS API Execution | Operating system function/method calls executed by a process | |
| Process: Process Access | Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10) | |
| Process: Process Creation | The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.) | |
| Process: Process Metadata | Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc. | |
| Process: Process Modification | Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8) | |
| Process: Process Termination | Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689) | |
| DS0003 | Scheduled Job | Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks) |
| Scheduled Job: Scheduled Job Creation | Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs) | |
| Scheduled Job: Scheduled Job Metadata | Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. | |
| Scheduled Job: Scheduled Job Modification | Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs) | |
| DS0012 | Script | A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI) |
| Script: Script Execution | The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.) | |
| DS0013 | Sensor Health | Information from host telemetry providing insights about system status, errors, or other notable functional activity |
| Sensor Health: Host Status | Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) | |
| DS0019 | Service | A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels) |
| Service: Service Creation | Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs) | |
| Service: Service Metadata | Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. | |
| Service: Service Modification | Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs) | |
| DS0020 | Snapshot | A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots) |
| Snapshot: Snapshot Creation | Initial construction of a new snapshot (ex: AWS create-snapshot) | |
| Snapshot: Snapshot Deletion | Removal of a snapshot (ex: AWS delete-snapshot) | |
| Snapshot: Snapshot Enumeration | An extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots) | |
| Snapshot: Snapshot Metadata | Contextual data about a snapshot, which may include information such as ID, type, and status | |
| Snapshot: Snapshot Modification | Changes made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute) | |
| DS0002 | User Account | A profile representing a user, device, service, or application used to authenticate and access resources |
| User Account: User Account Authentication | An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log) | |
| User Account: User Account Creation | Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs) | |
| User Account: User Account Deletion | Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs) | |
| User Account: User Account Metadata | Contextual data about an account, which may include a username, user ID, environmental data, etc. | |
| User Account: User Account Modification | Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs) | |
| DS0034 | Volume | Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) |
| Volume: Volume Creation | Initial construction of a cloud volume (ex: AWS create-volume) | |
| Volume: Volume Deletion | Removal of a a cloud volume (ex: AWS delete-volume) | |
| Volume: Volume Enumeration | An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes) | |
| Volume: Volume Metadata | Contextual data about a cloud volume and activity around it, such as id, type, state, and size | |
| Volume: Volume Modification | Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume) | |
| DS0005 | WMI | The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture) |
| WMI: WMI Creation | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) | |
| DS0006 | Web Credential | Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens) |
| Web Credential: Web Credential Creation | Initial construction of new web credential material (ex: Windows EID 1200 or 4769) | |
| Web Credential: Web Credential Usage | An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202) | |
| DS0024 | Windows Registry | A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry) |
| Windows Registry: Windows Registry Key Access | Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656) | |
| Windows Registry: Windows Registry Key Creation | Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12) | |
| Windows Registry: Windows Registry Key Deletion | Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12) | |
| Windows Registry: Windows Registry Key Modification | Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13/14) |