The establishment of a task or job that will execute at a predefined time or based on specific triggers.

An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.

When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.

Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.

Data Collection Measures:

• Endpoint Detection and Response (EDR) Tools:
  • EDR solutions that provide telemetry on inter-process access and memory manipulation.
• Sysmon (Windows):
  • Event ID 10: Captures process access attempts, including:
    • Source process (initiator)
    • Target process (victim)
    • Access rights requested
    • Process ID correlation
• Windows Event Logs:
  • Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
  • Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
• Linux/macOS Monitoring:
  • AuditD: Monitors process access through syscall tracing (e.g., ptrace, open, read, write).
  • eBPF/XDP: Used for low-level monitoring of kernel process access.
  • OSQuery: Query process access behavior via structured SQL-like logging.
• Procmon (Process Monitor) and Debugging Tools:
  • Windows Procmon: Captures real-time process interactions.
  • Linux strace / ptrace: Useful for tracking process behavior at the system call level.

Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples:

• Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).
• Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).
• SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.
• Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.
• System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.

A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).

Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.

To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples:

• File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.
• File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).
• Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., /etc/passwd on Linux or System32 files on Windows).
• File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).
• File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).

contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples:

• File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows.
• Timestamps: Analyzing the creation, modification, and access timestamps of a file.
• File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.
• File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.
• File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.
• File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.

Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples:

• Content Modifications: Changes to the content of a configuration file, such as modifying /etc/ssh/sshd_config on Linux or C:\Windows\System32\drivers\etc\hosts on Windows.
• Permission Changes: Altering file permissions to allow broader access, such as changing a file from 644 to 777 on Linux or modifying NTFS permissions on Windows.
• Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.
• Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like touch in Linux or timestomping tools on Windows.
• Software or System File Changes: Modifying system files such as boot.ini, kernel modules, or application binaries.

Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Examples:

AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration. - Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes. - Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation. - Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.

Application State represents the operational status and lifecycle context of a mobile application at a given point in time. This includes whether the application is running in the foreground or background, its activity state, recent user interaction, and transitions between lifecycle states.

Monitoring application state helps defenders identify suspicious behavior where an application performs sensitive actions while inactive, in the background, or without recent user interaction.

Application state is particularly useful when detecting malicious activity that occurs outside normal user-driven workflows.

Examples Android

• Application transitions from foreground to background
• Application running as a background service
• Application started via broadcast receiver
• Application launched automatically after device boot

iOS

• Application entering active, inactive, or background state
• Background task execution
• Background fetch activity
• Application wake events triggered by push notifications or system services

Data Collection Measures - Mobile EDR / MTD runtime monitoring - OS lifecycle event telemetry - Application runtime instrumentation - Mobile security platform behavioral monitoring

Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.

Data Collection Measures:

• Windows Event Logs:
  • Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.
  • Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.
  • Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.
  • Event ID 12 (Windows Defender Status Change) – Detects changes in Windows Defender state.
• Linux/macOS Monitoring:
  • /var/log/syslog, /var/log/auth.log, /var/log/kern.log
  • Journald (journalctl) for kernel and system alerts.
• Endpoint Detection and Response (EDR) Tools:
  • Monitor agent health status, detect sensor tampering, and alert on missing telemetry.
• Mobile Threat Intelligence Logs:
  • Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.

Data Collection Measures:

• Windows:
  • Event ID 5156 – Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).
  • Sysmon Event ID 3 – Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.
• Linux/macOS:
  • Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.
  • AuditD (connect syscall) - Logs TCP, UDP, and ICMP connections.
  • Zeek (conn.log) - Captures protocol, duration, and bytes transferred.
• Cloud & Network Infrastructure:
  • AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.
  • Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.
• Endpoint Detection & Response (EDR):
  • Detect anomalous network activity such as new C2 connections or data exfiltration attempts.

The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.

Data Collection Measures:

• Network Packet Capture (Full Content Logging)
  • Wireshark / tcpdump / tshark
    • Full packet captures (PCAP files) for manual analysis or IDS correlation. tcpdump -i eth0 -w capture.pcap
  • Zeek (formerly Bro)
    • Extracts protocol headers and payload details into structured logs. echo "redef Log::default_store = Log::ASCII;" > local.zeek | zeek -Cr capture.pcap local.zeek
  • Suricata / Snort (IDS/IPS with PCAP Logging)
    • Deep packet inspection (DPI) with signature-based and behavioral analysis. suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata
• Host-Based Collection
  • Sysmon Event ID 22 – DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.
  • Sysmon Event ID 3 – Network Connection Initiated, Logs process-to-network connection relationships.
  • AuditD (Linux) – syscall=connect, Monitors outbound network requests from processes. auditctl -a always,exit -F arch=b64 -S connect -k network_activity
• Cloud & SaaS Traffic Collection
  • AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.
  • Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.

API calls utilized by an application that could indicate malicious activity