Understanding ATT&CK Data Sources
MITRE ATT&CK data sources describe the types of information needed to detect or prevent specific techniques. Rather than telling you how to detect something, ATT&CK tells you what data you need to detect it.
A data source represents a category of system or application events that can provide evidence of adversary activity. For example, "Process Creation" is a data source encompassing all operating system events related to process creation.
Data sources enable a key insight: you can assess your detection capability by checking if you're collecting the right data sources. If you can't collect a required data source, you can't detect that technique.
The Importance of Data Sources
Data sources bridge the gap between "I want to detect technique X" and "What monitoring do I actually need?"
Traditional detection development starts with a specific attack and works backward to data sources. ATT&CK data sources work forward: given a technique, what data sources do you need?
This forward approach ensures you're not missing important monitoring. Before building a detection, confirm you have access to required data sources.
Examples of ATT&CK Data Sources
Process Creation: Operating system events when new processes start. All Windows process execution goes through this data source.
Windows Registry: Changes to the Windows Registry, which stores system and application configuration.
File Creation: When new files are created on the file system.
API Calls/System Calls: Function calls to operating system APIs or kernel functions.
Network Traffic: All network communication, including DNS, HTTP, and custom protocols.
Authentication Logs: User authentication events (successful and failed logons).
DNS Query Data: Domain name resolution requests and responses.
Email: Email message metadata, headers, and content.
Application Logs: Logs generated by applications, web servers, and services.
Command Execution: Commands executed via shells or scripting interpreters.
Data Sources and Techniques Relationship
Each ATT&CK technique is mapped to data sources required for detection. For example:
T1566.002 (Phishing: Spearphishing Link) requires:
- Email metadata (to identify phishing emails)
- Network Traffic (to detect user clicking links)
- Process Creation (if the link launches applications)
- Application Logs (if the application logs suspicious behavior)
To detect this technique comprehensively, you need all relevant data sources.
T1087.001 (Account Discovery: Local Account) requires:
- Process Creation (to detect account enumeration commands)
- Command Execution (to see actual commands run)
- API Calls (to monitor account enumeration APIs)
Without these data sources, you can't detect this technique.
Assessing Your Data Source Coverage
Comprehensive threat detection requires assessing which data sources you can collect:
Windows Event Logs:
- Event ID 1 (Process Creation)
- Event ID 3 (Network Connection)
- Event ID 5 (Process Terminated)
- Event ID 11 (File Created)
- Event ID 13 (Registry Object Added/Deleted)
Document exactly which event IDs you're collecting and which are missing.
Network-Level Data Sources:
- Packet capture (full network traffic)
- Netflow (connection summaries)
- DNS logs
- Proxy logs
- Firewall logs
Each reveals different aspects of network activity.
Endpoint Detection and Response (EDR):
- Process execution with full command lines
- File system activity
- Registry changes
- Network connections
- Memory access
- API calls
EDR provides rich data sources unavailable through standard logging.
Create a Data Source Inventory:
| Data Source | Currently Collected? | Collection Method | Retention Period | Challenges |
|---|---|---|---|---|
| Process Creation | Yes | Sysmon + Windows Event Log | 90 days | No command-line arguments captured |
| File Creation | Yes | Sysmon | 90 days | High volume creates performance impact |
| Registry | Partial | Windows Event Log only | 7 days | Advanced registry operations not logged |
| API Calls | No | Not collected | N/A | Too much data volume |
| Network Traffic | Yes | NetFlow | 30 days | No payload inspection |
This inventory reveals which data sources you have and which are missing.
Overcoming Data Source Gaps
If you're missing important data sources, address gaps:
Add Process Command-Line Logging: Many organizations log process creation but don't capture command-line arguments. Enable command-line argument logging in Windows Event Log and Sysmon.
Enable Event ID 1 (Process Creation) with CommandLine field populated
Implement DNS Logging: Most organizations don't log DNS queries. Implement DNS logging in your network to capture all DNS requests.
Enable DNS query logging on authoritative DNS servers
Configure DHCP servers to log DNS-related events
Deploy EDR: Endpoint Detection and Response solutions like CrowdStrike, Carbon Black, or Microsoft Defender provide rich data sources traditional logging misses.
Capture Network Traffic: Implement packet capture or network behavior analytics for suspicious traffic detection.
Enable API Logging: Windows API Auditing can monitor API calls but generates enormous data volume. Use selectively for critical APIs.
Data Source Limitations
Even with comprehensive data collection, limitations exist:
Encryption: Encrypted traffic (HTTPS, TLS) can't be inspected for payload content. You see connection endpoints but not data transmitted.
Volume: Some data sources generate enormous volumes. API call logging might generate terabytes of data daily.
Performance Impact: Comprehensive logging can significantly impact system performance.
Tool Limitations: Not all tools can collect all data sources. Verify capability before deployment.
Retention Costs: Long-term retention of comprehensive data sources becomes expensive.
Balance comprehensive data collection against practical limitations.
Data Sources and Detection Maturity
Mature detection programs progressively improve data source collection:
Level 1: Standard operating system event logs
- Process Creation
- Authentication
- File Creation
Level 2: Endpoint instrumentation (Sysmon, EDR)
- Command-line arguments
- Registry operations
- Network connections
- API calls
Level 3: Network-wide data sources
- DNS logging
- Proxy logs
- Firewall logs
- Network flow data
Level 4: Application-specific data sources
- Web server logs
- Database logs
- Custom application logs
Level 5: Integrated data sources
- Correlation across data sources
- Behavior analytics
- Anomaly detection
Most organizations operate at Levels 1-2. Advanced organizations progress toward Levels 3-5.
Planning Data Source Collection
When building a detection program:
- Identify critical techniques you must detect
- Determine required data sources for those techniques
- Assess current collection capabilities
- Prioritize gaps based on technique importance
- Plan implementation of missing data sources
- Validate collection to confirm data is actually available
This systematic approach prevents collecting irrelevant data while missing critical sources.
Data Sources for Specific Environments
Different environments require different data sources:
On-Premises Windows:
- Windows Event Logs
- Sysmon
- File system events
- Registry events
Cloud (AWS, Azure, Google Cloud):
- Cloud provider native logs (CloudTrail, Activity logs)
- Virtual machine logs
- Network security group logs
- Identity and access logs
Linux Environments:
- Auditd logs
- Syslog
- Application-specific logs
- Process accounting
Mobile Devices:
- Mobile device management (MDM) logs
- Application logs
- Network connections
- Authentication events
Data Source Tools
Several tools help collect and manage data sources:
Sysmon: Windows system monitoring tool capturing process creation, file operations, registry changes, and network connections.
Auditd: Linux auditing framework capturing system events and API calls.
Endpoint Detection and Response (EDR): Provides comprehensive data sources across endpoints.
SIEM Platforms: Aggregate data sources from multiple systems for analysis.
Data Integration Tools: Splunk Forwarders, Logstash, or other tools ingest and forward logs.
Documentation and Communication
Document your data source strategy:
- Which data sources do you collect?
- How long do you retain each source?
- What detection coverage does each source enable?
- What gaps exist?
- What's your plan for closing gaps?
This documentation:
- Guides security team priorities
- Justifies tool and infrastructure investments
- Enables objective assessment of detection capabilities
- Communicates limitations to leadership
Data Source Mapping to Detections
Create explicit mappings between data sources and detections:
Data Source: Process Creation Detections:
- Suspicious process parents
- Known malware process names
- Encoded command execution
- Suspicious API calls from processes
Data Source: Registry Changes Detections:
- Persistence mechanisms (run keys, services)
- Accessibility features abused for persistence
- Security tool configuration changes
Data Source: Network Connections Detections:
- Connections to known malicious IPs
- DNS queries to known malicious domains
- Unusual outbound connections
These mappings ensure detections align with available data sources.
Conclusion
MITRE ATT&CK data sources specify what information you need to detect specific techniques. Understanding data sources enables objective assessment of your detection capabilities: if you can't collect a required data source, you can't detect the technique. Systematically assess your current data source collection, identify gaps against critical techniques, and prioritize improvements. This data-source-first approach ensures your monitoring infrastructure aligns with realistic detection needs rather than collecting irrelevant data while missing critical sources.
