Definitions

This page defines the key terms used throughout our research.

Data Component

Data Components are constituent pieces of the data source, which are best described separately. Components may have their own set of metadata (describing the associated fields/values associated with the source) and activities (describing actions of the source). ATT&CK Data Sources and Data Components can be found here.

Data Elements

Data Elements are names, definitions, and attributes that are being used or captured in an event.

../_images/msdn_4688_ex.png
Data Source

Data Sources represents information collected by a sensor or logging system that may identify properties or values relevant to identifying the adversarial action being ATT&CK Data Sources and Data Components can be found here. performed, sequence of actions, or the results of those actions.

MITRE ATT&CK

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK focuses on how external adversaries compromise and operate within computer networks.

Sensor

A sensor is an agent or service capable of detecting or measuring information across many different sources on a host or network in real-time. Sensors provide raw data with high precision and accuracy.

[Sub-]Technique

Techniques represent the “how” of cyber intrusions, i.e. the means by which adversaries achieve tactical objective. Sub-techniques break down techniques into more fine-grained descriptions of adversary behaviors.

Telemetry

Telemetry consists of discrete events that are generated by sensors, e.g. log data. Telemetry may be delivered in various formats (e.g., json, csv, etc.) and is often streamed in near real-time.

../_images/4688_ex.png