Data sources per platform

Content:

• Enterprise
• Mobile
• ICS

Enterprise

The below mapping from data sources/data components to platforms is created on the information provided by MITRE within the data source objects. Also, note that the below is only listing data components that are actually referenced by a technique. Therefore it does not include all data components as referenced in the STIX repository.

Data source	PRE	Windows	macOS	Linux	Office 365	Azure AD	Google Workspace	SaaS	IaaS	Network	Containers
DHCP [DeTT&CT data source]		X	X	X
Email [DeTT&CT data source]		X	X	X	X		X	X
Internal DNS [DeTT&CT data source]		X	X	X					X	X	X
Web [DeTT&CT data source]		X	X	X	X		X	X	X	X	X
Active Directory: Active Directory Credential Request		X				X
Active Directory: Active Directory Object Access		X				X
Active Directory: Active Directory Object Creation		X				X
Active Directory: Active Directory Object Deletion		X				X
Active Directory: Active Directory Object Modification		X				X
Application Log: Application Log Content		X	X	X	X		X	X	X
Certificate: Certificate Registration	X
Cloud Service: Cloud Service Disable					X	X	X	X	X
Cloud Service: Cloud Service Enumeration					X	X	X	X	X
Cloud Service: Cloud Service Metadata					X	X	X	X	X
Cloud Service: Cloud Service Modification					X	X	X	X	X
Cloud Storage: Cloud Storage Access									X
Cloud Storage: Cloud Storage Creation									X
Cloud Storage: Cloud Storage Deletion									X
Cloud Storage: Cloud Storage Enumeration									X
Cloud Storage: Cloud Storage Metadata									X
Cloud Storage: Cloud Storage Modification									X
Command: Command Execution		X	X	X						X	X
Container: Container Creation											X
Container: Container Enumeration											X
Container: Container Start											X
Domain Name: Active DNS	X
Domain Name: Domain Registration	X
Domain Name: Passive DNS	X
Drive: Drive Access		X	X	X
Drive: Drive Creation		X	X	X
Drive: Drive Modification		X	X	X
Driver: Driver Load		X	X	X
Driver: Driver Metadata		X	X	X
File: File Access		X	X	X						X
File: File Creation		X	X	X						X
File: File Deletion		X	X	X						X
File: File Metadata		X	X	X						X
File: File Modification		X	X	X						X
Firewall: Firewall Disable		X	X	X	X	X	X	X	X
Firewall: Firewall Enumeration		X	X	X	X	X	X	X	X
Firewall: Firewall Metadata		X	X	X	X	X	X	X	X
Firewall: Firewall Rule Modification		X	X	X	X	X	X	X	X
Firmware: Firmware Modification		X	X	X
Group: Group Enumeration		X			X	X	X	X	X
Group: Group Metadata		X			X	X	X	X	X
Group: Group Modification		X			X	X	X	X	X
Image: Image Creation									X
Image: Image Deletion									X
Image: Image Metadata									X
Image: Image Modification									X
Instance: Instance Creation									X
Instance: Instance Deletion									X
Instance: Instance Enumeration									X
Instance: Instance Metadata									X
Instance: Instance Modification									X
Instance: Instance Start									X
Instance: Instance Stop									X
Internet Scan: Response Content	X
Internet Scan: Response Metadata	X
Kernel: Kernel Module Load			X	X
Logon Session: Logon Session Creation		X	X	X	X	X	X	X	X
Logon Session: Logon Session Metadata		X	X	X	X	X	X	X	X
Malware Repository: Malware Content	X
Malware Repository: Malware Metadata	X
Module: Module Load		X	X	X
Named Pipe: Named Pipe Metadata		X	X	X
Network Share: Network Share Access		X	X	X
Network Traffic: Network Connection Creation		X	X	X					X
Network Traffic: Network Traffic Content		X	X	X					X
Network Traffic: Network Traffic Flow		X	X	X					X
Persona: Social Media	X
Pod: Pod Creation											X
Pod: Pod Enumeration											X
Pod: Pod Modification											X
Process: OS API Execution		X	X	X
Process: Process Access		X	X	X
Process: Process Creation		X	X	X
Process: Process Metadata		X	X	X
Process: Process Modification		X	X	X
Process: Process Termination		X	X	X
Scheduled Job: Scheduled Job Creation		X	X	X							X
Scheduled Job: Scheduled Job Metadata		X	X	X							X
Scheduled Job: Scheduled Job Modification		X	X	X							X
Script: Script Execution		X
Sensor Health: Host Status		X	X	X
Service: Service Creation		X	X	X
Service: Service Metadata		X	X	X
Service: Service Modification		X	X	X
Snapshot: Snapshot Creation									X
Snapshot: Snapshot Deletion									X
Snapshot: Snapshot Enumeration									X
Snapshot: Snapshot Metadata									X
Snapshot: Snapshot Modification									X
User Account: User Account Authentication		X	X	X	X	X	X	X	X		X
User Account: User Account Creation		X	X	X	X	X	X	X	X		X
User Account: User Account Deletion		X	X	X	X	X	X	X	X		X
User Account: User Account Metadata		X	X	X	X	X	X	X	X		X
User Account: User Account Modification		X	X	X	X	X	X	X	X		X
Volume: Volume Creation		X	X	X					X
Volume: Volume Deletion		X	X	X					X
Volume: Volume Enumeration		X	X	X					X
Volume: Volume Metadata		X	X	X					X
Volume: Volume Modification		X	X	X					X
WMI: WMI Creation		X
Web Credential: Web Credential Creation		X	X	X	X	X	X	X
Web Credential: Web Credential Usage		X	X	X	X	X	X	X
Windows Registry: Windows Registry Key Access		X
Windows Registry: Windows Registry Key Creation		X
Windows Registry: Windows Registry Key Deletion		X
Windows Registry: Windows Registry Key Modification		X

Mobile

The below mapping from data sources/data components to platforms is created on the information provided by MITRE within the data source objects. Also, note that the below is only listing data components that are actually referenced by a technique. Therefore it does not include all data components as referenced in the STIX repository.

DeTT&CT data sources

At this moment we do not have any DeTT&CT data sources for Mobile. If there is a need or if you do have a suggestion, we will look into this.

Data source	Android	iOS
Application Vetting: API Calls	X	X
Application Vetting: Network Communication	X	X
Application Vetting: Permissions Requests	X	X
Application Vetting: Protected Configuration	X	X
Command: Command Execution	X	X
Network Traffic: Network Connection Creation	X	X
Network Traffic: Network Traffic Content	X	X
Network Traffic: Network Traffic Flow	X	X
Process: Process Creation	X	X
Process: Process Metadata	X	X
Process: Process Termination	X	X
Sensor Health: Host Status	X	X
User Interface: Permissions Request	X	X
User Interface: System Notifications	X	X
User Interface: System Settings	X	X

ICS

Official platform mapping is missing

An official mapping for ICS sources/data components to platforms is currently missing. Since v14 release of ATT&CK platforms are not being used anymore for ICS. Therefor we cannot generate data source - platform mappings for ICS.

DeTT&CT data sources

As we do not consider ourselves experts in the field of ICS, we have not included the DeTT&CT data sources. Any help and thus contributions on that matter are very much appreciated. Possibly, with future developments of ATT&CK ICS, we could automate this part when Detection objects are introduced. However, it is not certain whether this will provide good results.