%YAML 1.2
---
# DeTTECT data source administration file: an inventory of which ATT&CK data
# sources are collected for the platforms listed below, how good that data is
# (the data_quality scores), and which techniques are deliberately excluded
# from the resulting heat map (the exceptions section at the bottom).
version: 1.0
file_type: data-source-administration
name: endpoints-example
platform: ['Windows', 'Azure', 'Azure AD', 'Office 365']
# The list only contains data sources that are applicable to the above platforms. For more info see:
# - https://github.com/rabobank-cdc/DeTTECT/wiki/Data-sources-per-platform
data_sources:
  # A data source is treated as not available when all dimensions of the data quality have a score of 0.
  # If desired you are free to add any key-value pairs.
  #
  # Conventions used by every entry in this file:
  # - date_registered / date_connected are either left empty (loads as null)
  #   or written as unquoted ISO dates, which load as date values; keep that
  #   form so entries stay comparable.
  # - available_for_data_analytics is an unquoted True/False and loads as a
  #   boolean, not a string.
  # - data_quality dimensions are scored 0 to 5 in this file.
  - data_source_name: Process monitoring
    date_registered: 2019-03-01
    date_connected: 2017-01-01
    products: [Windows event log]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 5
      consistency: 5
      retention: 5
  - data_source_name: File monitoring
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Process command-line parameters
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: API monitoring
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Process use of network
    date_registered: 2019-07-25
    date_connected: 2019-07-25
    products: [Sysmon]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 5
      consistency: 5
      retention: 5
  - data_source_name: Windows Registry
    date_registered: 2019-03-01
    date_connected: 2017-02-01
    products: [Windows event log]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 5
      consistency: 5
      retention: 5
  - data_source_name: Packet capture
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Authentication logs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Netflow/Enclave netflow
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Windows event logs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Binary file metadata
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Network protocol analysis
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: DLL monitoring
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Loaded DLLs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: System calls
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Malware reverse engineering
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: SSL/TLS inspection
    date_registered: 2019-01-10
    # NOTE(review): 2000-01-01 is used as date_connected here and for the
    # Anti-virus, Email gateway and Web proxy entries as well; it reads like a
    # placeholder for "connection date unknown" rather than a real date.
    # Confirm, and record the actual date where it is known.
    date_connected: 2000-01-01
    products: [Proxy Product]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 5
      consistency: 5
      retention: 5
  - data_source_name: Anti-virus
    date_registered: 2019-01-10
    date_connected: 2000-01-01
    products: [AV Product]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 4
      data_field_completeness: 2
      timeliness: 3
      consistency: 5
      retention: 5
  - data_source_name: Network intrusion detection system
    date_registered: 2019-01-10
    date_connected: 2016-01-01
    products: [NIDS]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 4
      data_field_completeness: 3
      timeliness: 3
      consistency: 4
      retention: 4
  - data_source_name: Data loss prevention
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Application logs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Email gateway
    date_registered: 2019-01-10
    date_connected: 2000-01-01
    products: [Email Gateway Product]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 4
      data_field_completeness: 3
      timeliness: 3
      consistency: 5
      retention: 3
  - data_source_name: Network device logs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Web proxy
    date_registered: 2019-01-10
    date_connected: 2000-01-01
    products: [Proxy Product]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 5
      consistency: 5
      retention: 5
  - data_source_name: Windows Error Reporting
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Kernel drivers
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: User interface
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Host network interface
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Third-party application logs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Services
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Web logs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Detonation chamber
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Mail server
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Environment variable
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: MBR
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: BIOS
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Web application firewall logs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Asset management
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  # NOTE(review): this is the only entry marked available (with full scores)
  # while both dates are empty and products is []. Every other available entry
  # names at least one product and a date_connected. Confirm the scores reflect
  # an actually collected source, or fill in products/dates so the record is
  # consistent with the rest of the file.
  - data_source_name: DHCP
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: True
    comment: 'At the time of writing: unknown data source within ATT&CK'
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 5
      consistency: 5
      retention: 5
  - data_source_name: DNS records
    date_registered: 2019-03-01
    date_connected: 2017-04-01
    products: [Windows DNS server]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 5
      consistency: 5
      retention: 5
  - data_source_name: Browser extensions
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Access tokens
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Digital certificate logs
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Disk forensics
    date_registered: 2019-01-10
    date_connected: 2019-01-01
    products: [Manual, Commercial tool]
    available_for_data_analytics: True
    comment: ''
    # Low timeliness and zero retention: the source still counts as available
    # because not every dimension is 0 (see the rule at the top of data_sources).
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 1
      consistency: 5
      retention: 0
  - data_source_name: Component firmware
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: WMI Objects
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: VBR
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Named Pipes
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: Sensor health and status
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: EFI
    date_registered:
    date_connected:
    products: []
    available_for_data_analytics: False
    comment: ''
    data_quality:
      device_completeness: 0
      data_field_completeness: 0
      timeliness: 0
      consistency: 0
      retention: 0
  - data_source_name: PowerShell logs
    date_registered: 2019-03-01
    date_connected: 2018-05-01
    products: [Windows event log]
    available_for_data_analytics: True
    # The comment field is the place to record collection settings that affect
    # the scores, as done here; keep it up to date when the configuration changes.
    comment: 'Script block logging is enabled'
    data_quality:
      device_completeness: 5
      data_field_completeness: 5
      timeliness: 5
      consistency: 5
      retention: 4
  - data_source_name: Azure OS logs
    date_registered: 2019-11-01
    date_connected: 2019-11-01
    products: [Log Analytics agent]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 4
      timeliness: 5
      consistency: 5
      retention: 3
  - data_source_name: Azure activity logs
    date_registered: 2019-11-01
    date_connected: 2019-11-01
    products: [Azure]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 4
      timeliness: 5
      consistency: 5
      retention: 3
  - data_source_name: Office 365 account logs
    date_registered: 2019-11-01
    date_connected: 2019-11-01
    products: [O365]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 4
      timeliness: 5
      consistency: 5
      retention: 3
  - data_source_name: Office 365 audit logs
    date_registered: 2019-11-01
    date_connected: 2019-11-01
    products: [O365]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 3
      timeliness: 5
      consistency: 5
      retention: 3
  - data_source_name: Office 365 trace logs
    date_registered: 2019-11-01
    date_connected: 2019-11-01
    products: [O365]
    available_for_data_analytics: True
    comment: ''
    data_quality:
      device_completeness: 5
      data_field_completeness: 4
      timeliness: 5
      consistency: 5
      retention: 3
exceptions:
  # Adding a technique ID below will result in removing that technique in the heat map (meaning not enough data source or quality is available for proper detection).
  # Please note that the below is just an example, many more can exist.
  # Filling in the key-value pair name is optional.
  #
  # An exception hides the technique regardless of the data_quality scores above,
  # so revisit this list whenever a data source is added or its scores change,
  # and record why each technique is excluded (the optional name key, or an
  # extra key-value pair, can hold that rationale).
  - technique_id: T1130
    name: Install Root Certificate