# Data Components MITRE ATT&CK
> Data components for detecting adversary techniques: essential telemetry for Blue Team and SOC operations.
## Overview
> [!abstract] Coverage
> **106 data components** documented, covering processes, network, files, registry, authentication, containers and cloud.
Data Components are the fundamental telemetry that feeds detection of MITRE ATT&CK techniques. Each component represents a specific type of observable data (process creation, network traffic, file modification, etc.) that can reveal adversary activity.
## Browse by Category
| Category | Notes | Page |
|-----------|-------|--------|
| Processes | 13 | [[_cat-process\|Processes]] |
| Network | 10 | [[_cat-network\|Network]] |
| Files | 6 | [[_cat-file\|Files]] |
| Registry | 4 | [[_cat-registry\|Registry]] |
| Authentication | 10 | [[_cat-auth\|Authentication]] |
| Cloud | 23 | [[_cat-cloud\|Cloud]] |
| Command Line | 3 | [[_cat-command\|Command Line]] |
| Containers | 10 | [[_cat-container\|Containers]] |
| Other | 27 | [[_cat-other\|Other]] |
## Data Component Taxonomy
```mermaid
mindmap
  root((Data Components))
    Processes
      Process Creation
      Process Termination
      OS API Execution
      Process Access
      Process Modification
    Network
      Network Traffic Content
      Network Traffic Flow
      Network Connection Creation
    Files
      File Creation
      File Modification
      File Deletion
      File Access
      File Metadata
    Registry
      Windows Registry Key Creation
      Windows Registry Key Modification
      Windows Registry Key Deletion
    Authentication
      Logon Session Creation
      Logon Session Metadata
      Active Directory Credential Request
    Cloud
      Cloud Service Enumeration
      Cloud Service Modification
      Cloud Storage Access
    Command Line
      Command Execution
      Script Execution
    Containers
      Container Creation
      Container Start
      Container Enumeration
```
## All Data Components
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Componente", mitre-id AS "ID", parent-data-source AS "Fonte de Dados", length(techniques-detected) AS "Técnicas Detectadas"
FROM "defenses/detections/data-components"
WHERE type = "data-component"
SORT mitre-id ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Componente", mitre-id AS "ID", parent-data-source AS "Fonte de Dados", length(techniques-detected) AS "Técnicas Detectadas" FROM "defenses/detections/data-components" WHERE type = "data-component" SORT mitre-id ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Componente", mitre-id AS "ID", parent-data-source AS "Fonte de Dados", length(techniques-detected) AS "Técnicas Detectadas" FROM "defenses/detections/data-components" WHERE type = "data-component" SORT mitre-id ASC -->
| Component | ID | Data Source | Techniques Detected |
| ------------------------------------------------------------------------------------------------------------------------------------------ | ------ | ------------------------------------------------------------------------------- | ------------------- |
| [[dc0001-scheduled-job-creation\|DC0001 - Scheduled Job Creation]] | DC0001 | [[ds0003-scheduled-job\|DS0003 - Scheduled Job]] | 3 |
| [[dc0001-process-creation\|DC0001 - Process Creation]] | DC0001 | Process | 6 |
| [[defenses/detections/data-components/auth/dc0002-user-account-authentication.md\|DC0002 - User Account Authentication]] | DC0002 | [[ds0002-user-account\|DS0002 - User Account]] | 4 |
| [[defenses/detections/data-components/dc0002-user-account-authentication.md\|DC0002 - User Account Authentication]] | DC0002 | User Account | 5 |
| [[dc0003-malware-metadata\|DC0003 - Malware Metadata]] | DC0003 | [[ds0015-application-log\|DS0015 - Application Log]] | 4 |
| [[dc0003-network-connection-creation\|DC0003 - Network Connection Creation]] | DC0003 | Network Traffic | 5 |
| [[dc0004-firmware-modification\|DC0004 - Firmware Modification]] | DC0004 | [[ds0001-firmware\|DS0001 - Firmware]] | 3 |
| [[dc0004-network-traffic-flow\|DC0004 - Network Traffic Flow]] | DC0004 | Network Traffic | 5 |
| [[dc0005-scheduled-job-metadata\|DC0005 - Scheduled Job Metadata]] | DC0005 | [[ds0003-scheduled-job\|DS0003 - Scheduled Job]] | 3 |
| [[dc0005-network-traffic-content\|DC0005 - Network Traffic Content]] | DC0005 | Network Traffic | 5 |
| [[dc0006-web-credential-creation\|DC0006 - Web Credential Creation]] | DC0006 | [[ds0006-web-credential\|DS0006 - Web Credential]] | 3 |
| [[dc0006-file-creation\|DC0006 - File Creation]] | DC0006 | File | 5 |
| [[dc0007-web-credential-usage\|DC0007 - Web Credential Usage]] | DC0007 | [[ds0006-web-credential\|DS0006 - Web Credential]] | 4 |
| [[dc0007-file-modification\|DC0007 - File Modification]] | DC0007 | File | 5 |
| [[dc0008-wmi-creation\|DC0008 - WMI Creation]] | DC0008 | [[ds0005-wmi\|DS0005 - WMI]] | 3 |
| [[dc0008-file-deletion\|DC0008 - File Deletion]] | DC0008 | File | 4 |
| [[dc0009-user-account-deletion\|DC0009 - User Account Deletion]] | DC0009 | [[ds0002-user-account\|DS0002 - User Account]] | 3 |
| [[dc0009-process-access\|DC0009 - Process Access]] | DC0009 | Process | 4 |
| [[dc0010-user-account-modification\|DC0010 - User Account Modification]] | DC0010 | [[ds0002-user-account\|DS0002 - User Account]] | 4 |
| [[dc0010-os-api-execution\|DC0010 - OS API Execution]] | DC0010 | Process | 5 |
| [[dc0011-malware-content\|DC0011 - Malware Content]] | DC0011 | [[ds0015-application-log\|DS0015 - Application Log]] | 4 |
| [[dc0011-module-load\|DC0011 - Module Load]] | DC0011 | Module | 5 |
| [[dc0012-scheduled-job-modification\|DC0012 - Scheduled Job Modification]] | DC0012 | [[ds0003-scheduled-job\|DS0003 - Scheduled Job]] | 3 |
| [[dc0012-script-execution\|DC0012 - Script Execution]] | DC0012 | Script | 5 |
| [[dc0013-user-account-metadata\|DC0013 - User Account Metadata]] | DC0013 | [[ds0002-user-account\|DS0002 - User Account]] | 3 |
| [[dc0013-command-execution\|DC0013 - Command Execution]] | DC0013 | Command | 5 |
| [[dc0014-user-account-creation\|DC0014 - User Account Creation]] | DC0014 | [[ds0002-user-account\|DS0002 - User Account]] | 3 |
| [[dc0014-windows-registry-key-modification\|DC0014 - Windows Registry Key Modification]] | DC0014 | Windows Registry | 5 |
| [[dc0015-image-creation\|DC0015 - Image Creation]] | DC0015 | [[ds0007-image\|DS0007 - Image]] | 3 |
| [[dc0015-windows-registry-key-creation\|DC0015 - Windows Registry Key Creation]] | DC0015 | Windows Registry | 4 |
| [[dc0016-logon-session-creation\|DC0016 - Logon Session Creation]] | DC0016 | Logon Session | 5 |
| [[dc0016-module-load\|DC0016 - Module Load]] | DC0016 | [[ds0011-module\|DS0011 - Module]] | 3 |
| [[dc0017-cloud-storage-enumeration\|DC0017 - Cloud Storage Enumeration]] | DC0017 | [[ds0010-cloud-storage\|DS0010 - Cloud Storage]] | 3 |
| [[dc0017-service-creation\|DC0017 - Service Creation]] | DC0017 | Service | 4 |
| [[dc0018-host-status\|DC0018 - Host Status]] | DC0018 | [[ds0013-sensor-health\|DS0013 — Sensor Health]] | 3 |
| [[dc0018-scheduled-task-job-creation\|DC0018 - Scheduled Task/Job Creation]] | DC0018 | Scheduled Job | 4 |
| [[dc0019-pod-creation\|DC0019 - Pod Creation]] | DC0019 | [[ds0014-pod\|DS0014 - Pod]] | 3 |
| [[dc0019-driver-load\|DC0019 - Driver Load]] | DC0019 | Driver | 4 |
| [[dc0020-firmware-modification\|DC0020 - Firmware Modification]] | DC0020 | Firmware | 4 |
| [[dc0020-process-modification\|DC0020 - Process Modification]] | DC0020 | [[ds0009-process\|DS0009 - Process]] | 3 |
| [[dc0021-active-directory-object-modification\|DC0021 - Active Directory Object Modification]] | DC0021 | Active Directory | 5 |
| [[dc0021-os-api-execution\|DC0021 - OS API Execution]] | DC0021 | [[ds0009-process\|DS0009 - Process]] | 3 |
| [[dc0022-cloud-storage-deletion\|DC0022 - Cloud Storage Deletion]] | DC0022 | [[ds0010-cloud-storage\|DS0010 - Cloud Storage]] | 3 |
| [[dc0022-file-access\|DC0022 - File Access]] | DC0022 | File | 5 |
| [[dc0023-cloud-storage-modification\|DC0023 - Cloud Storage Modification]] | DC0023 | [[ds0010-cloud-storage\|DS0010 - Cloud Storage]] | 3 |
| [[dc0023-named-pipe-creation\|DC0023 - Named Pipe Creation]] | DC0023 | Named Pipe | 4 |
| [[dc0024-cloud-storage-creation\|DC0024 - Cloud Storage Creation]] | DC0024 | [[ds0010-cloud-storage\|DS0010 - Cloud Storage]] | 3 |
| [[dc0024-group-modification\|DC0024 - Group Modification]] | DC0024 | Group | 4 |
| [[dc0025-cloud-storage-access\|DC0025 - Cloud Storage Access]] | DC0025 | [[ds0010-cloud-storage\|DS0010 - Cloud Storage]] | 3 |
| [[dc0025-firewall-rule-modification\|DC0025 - Firewall Rule Modification]] | DC0025 | Firewall | 4 |
| [[dc0026-image-deletion\|DC0026 - Image Deletion]] | DC0026 | [[ds0007-image\|DS0007 - Image]] | 3 |
| [[dc0026-cloud-service-modification\|DC0026 - Cloud Service Modification]] | DC0026 | Cloud Service | 5 |
| [[dc0027-cloud-storage-metadata\|DC0027 - Cloud Storage Metadata]] | DC0027 | [[ds0010-cloud-storage\|DS0010 - Cloud Storage]] | 3 |
| [[dc0027-instance-creation\|DC0027 - Instance Creation]] | DC0027 | Instance | 4 |
| [[dc0028-image-metadata\|DC0028 - Image Metadata]] | DC0028 | [[ds0007-image\|DS0007 - Image]] | 3 |
| [[dc0028-snapshot-creation\|DC0028 - Snapshot Creation]] | DC0028 | Snapshot | 3 |
| [[dc0029-script-execution\|DC0029 - Script Execution]] | DC0029 | [[ds0012-script\|DS0012 - Script]] | 4 |
| [[dc0029-network-share-access\|DC0029 - Network Share Access]] | DC0029 | Network Share | 4 |
| [[dc0030-pod-modification\|DC0030 - Pod Modification]] | DC0030 | [[ds0014-pod\|DS0014 - Pod]] | 3 |
| [[dc0030-wmi-creation\|DC0030 - WMI Creation]] | DC0030 | WMI | 4 |
| [[dc0031-kernel-module-load\|DC0031 - Kernel Module Load]] | DC0031 | [[ds0008-kernel\|DS0008 - Kernel]] | 3 |
| [[dc0032-process-creation\|DC0032 - Process Creation]] | DC0032 | [[ds0009-process\|DS0009 - Process]] | 5 |
| [[dc0033-process-termination\|DC0033 - Process Termination]] | DC0033 | [[ds0009-process\|DS0009 - Process]] | 3 |
| [[dc0034-process-metadata\|DC0034 - Process Metadata]] | DC0034 | [[ds0009-process\|DS0009 - Process]] | 3 |
| [[dc0035-process-access\|DC0035 - Process Access]] | DC0035 | [[ds0009-process\|DS0009 - Process]] | 3 |
| [[dc0036-image-modification\|DC0036 - Image Modification]] | DC0036 | [[ds0007-image\|DS0007 - Image]] | 3 |
| [[dc0037-pod-enumeration\|DC0037 - Pod Enumeration]] | DC0037 | [[ds0014-pod\|DS0014 — Pod]] | 3 |
| [[dc0038-application-log-content\|DC0038 - Application Log Content]] | DC0038 | [[ds0015-application-log\|DS0015 — Application Log]] | 3 |
| [[dc0039-file-creation\|DC0039 - File Creation]] | DC0039 | [[ds0022-file\|DS0022 - File]] | 5 |
| [[dc0040-file-deletion\|DC0040 - File Deletion]] | DC0040 | [[ds0022-file\|DS0022 - File]] | 5 |
| [[dc0041-service-metadata\|DC0041 - Service Metadata]] | DC0041 | [[ds0019-service\|DS0019 - Service]] | 3 |
| [[dc0042-drive-creation\|DC0042 - Drive Creation]] | DC0042 | [[ds0016-drive\|DS0016 - Drive]] | 4 |
| [[dc0043-firewall-disable\|DC0043 - Firewall Disable]] | DC0043 | [[ds0018-firewall\|DS0018 - Firewall]] | 3 |
| [[dc0044-firewall-enumeration\|DC0044 - Firewall Enumeration]] | DC0044 | [[ds0018-firewall\|DS0018 - Firewall]] | 4 |
| [[dc0045-windows-registry-key-deletion\|DC0045 - Windows Registry Key Deletion]] | DC0045 | [[ds0024-windows-registry\|DS0024 — Windows Registry]] | 4 |
| [[dc0046-drive-modification\|DC0046 - Drive Modification]] | DC0046 | [[ds0016-drive\|DS0016 - Drive]] | 4 |
| [[dc0047-snapshot-enumeration\|DC0047 - Snapshot Enumeration]] | DC0047 | [[ds0020-snapshot\|DS0020 — Snapshot]] | 3 |
| [[dc0048-named-pipe-metadata\|DC0048 - Named Pipe Metadata]] | DC0048 | [[ds0023-named-pipe\|DS0023 - Named Pipe]] | 4 |
| [[dc0049-snapshot-deletion\|DC0049 - Snapshot Deletion]] | DC0049 | [[ds0020-snapshot\|DS0020 — Snapshot]] | 3 |
| [[dc0050-windows-registry-key-access\|DC0050 - Windows Registry Key Access]] | DC0050 | [[ds0024-windows-registry\|DS0024 — Windows Registry]] | 4 |
| [[dc0051-firewall-rule-modification\|DC0051 - Firewall Rule Modification]] | DC0051 | [[ds0018-firewall\|DS0018 - Firewall]] | 4 |
| [[dc0052-social-media\|DC0052 - Social Media]] | DC0052 | [[ds0015-application-log\|DS0015 — Application Log]] | 3 |
| [[dc0053-firewall-metadata\|DC0053 - Firewall Metadata]] | DC0053 | [[ds0018-firewall\|DS0018 — Firewall]] | 5 |
| [[dc0054-drive-access\|DC0054 - Drive Access]] | DC0054 | [[ds0016-drive\|DS0016 - Drive]] | 4 |
| [[dc0055-file-access\|DC0055 - File Access]] | DC0055 | [[ds0022-file\|DS0022 - File]] | 5 |
| [[dc0056-windows-registry-key-creation\|DC0056 - Windows Registry Key Creation]] | DC0056 | [[ds0024-windows-registry\|DS0024 — Windows Registry]] | 4 |
| [[dc0057-snapshot-creation\|DC0057 - Snapshot Creation]] | DC0057 | [[ds0020-snapshot\|DS0020 — Snapshot]] | 3 |
| [[dc0058-snapshot-modification\|DC0058 - Snapshot Modification]] | DC0058 | [[ds0020-snapshot\|DS0020 — Snapshot]] | 3 |
| [[dc0059-file-metadata\|DC0059 - File Metadata]] | DC0059 | [[ds0022-file\|DS0022 - File]] | 4 |
| [[dc0060-service-creation\|DC0060 - Service Creation]] | DC0060 | [[ds0019-service\|DS0019 - Service]] | 3 |
| [[dc0061-file-modification\|DC0061 - File Modification]] | DC0061 | [[ds0022-file\|DS0022 - File]] | 5 |
| [[dc0062-snapshot-metadata\|DC0062 - Snapshot Metadata]] | DC0062 | [[ds0020-snapshot\|DS0020 — Snapshot]] | 3 |
| [[dc0063-windows-registry-key-modification\|DC0063 - Windows Registry Key Modification]] | DC0063 | [[ds0024-windows-registry\|DS0024 — Windows Registry]] | 5 |
| [[dc0064-command-execution\|DC0064 - Command Execution]] | DC0064 | [[ds0017-command\|DS0017 - Command]] | 4 |
| [[dc0065-service-modification\|DC0065 - Service Modification]] | DC0065 | [[ds0019-service\|DS0019 - Service]] | 3 |
| [[dc0066-active-directory-object-modification\|DC0066 - Active Directory Object Modification]] | DC0066 | [[ds0026-active-directory\|DS0026 - Active Directory]] | 4 |
| [[dc0067-logon-session-creation\|DC0067 - Logon Session Creation]] | DC0067 | [[ds0028-logon-session\|DS0028 - Logon Session]] | 4 |
| [[dc0068-active-directory-object-deletion\|DC0068 - Active Directory Object Deletion]] | DC0068 | [[ds0026-active-directory\|DS0026 - Active Directory]] | 3 |
| [[dc0069-cloud-service-modification\|DC0069 - Cloud Service Modification]] | DC0069 | [[ds0025-cloud-service\|DS0025 - Cloud Service]] | 3 |
| [[dc0070-cloud-service-metadata\|DC0070 - Cloud Service Metadata]] | DC0070 | [[ds0025-cloud-service\|DS0025 — Cloud Service]] | 4 |
| [[dc0071-active-directory-object-access\|DC0071 - Active Directory Object Access]] | DC0071 | [[ds0026-active-directory\|DS0026 - Active Directory]] | 4 |
| [[dc0072-container-creation\|DC0072 - Container Creation]] | DC0072 | [[ds0032-container\|DS0032 — Container]] | 3 |
| [[dc0073-instance-modification\|DC0073 - Instance Modification]] | DC0073 | [[ds0030-instance\|DS0030 — Instance]] | 3 |
| [[dc0074-driver-metadata\|DC0074 - Driver Metadata]] | DC0074 | [[ds0027-driver\|DS0027 — Driver]] | 4 |
| [[dc0075-instance-enumeration\|DC0075 - Instance Enumeration]] | DC0075 | [[ds0030-instance\|DS0030 — Instance]] | 3 |
| [[dc0076-instance-creation\|DC0076 - Instance Creation]] | DC0076 | [[ds0030-instance\|DS0030 — Instance]] | 3 |
| [[dc0077-container-start\|DC0077 - Container Start]] | DC0077 | [[ds0032-container\|DS0032 — Container]] | 3 |
| [[dc0078-network-traffic-flow\|DC0078 - Network Traffic Flow]] | DC0078 | [[ds0029-network-traffic\|DS0029 — Network Traffic]] | 5 |
| [[dc0079-driver-load\|DC0079 - Driver Load]] | DC0079 | [[ds0027-driver\|DS0027 — Driver]] | 5 |
| [[dc0080-instance-start\|DC0080 - Instance Start]] | DC0080 | [[ds0030-instance\|DS0030 — Instance]] | 3 |
| [[dc0081-instance-deletion\|DC0081 - Instance Deletion]] | DC0081 | [[ds0030-instance\|DS0030 — Instance]] | 3 |
| [[dc0082-network-connection-creation\|DC0082 - Network Connection Creation]] | DC0082 | [[ds0029-network-traffic\|DS0029 — Network Traffic]] | 5 |
| [[dc0083-cloud-service-enumeration\|DC0083 - Cloud Service Enumeration]] | DC0083 | [[ds0025-cloud-service\|DS0025 — Cloud Service]] | 5 |
| [[dc0084-active-directory-credential-request\|DC0084 - Active Directory Credential Request]] | DC0084 | [[ds0026-active-directory\|DS0026 - Active Directory]] | 3 |
| [[dc0085-network-traffic-content\|DC0085 - Network Traffic Content]] | DC0085 | [[ds0029-network-traffic\|DS0029 — Network Traffic]] | 5 |
| [[dc0086-instance-metadata\|DC0086 - Instance Metadata]] | DC0086 | [[ds0030-instance\|DS0030 — Instance]] | 3 |
| [[dc0087-active-directory-object-creation\|DC0087 - Active Directory Object Creation]] | DC0087 | [[ds0026-active-directory\|DS0026 - Active Directory]] | 3 |
| [[dc0088-logon-session-metadata\|DC0088 - Logon Session Metadata]] | DC0088 | [[ds0028-logon-session\|DS0028 - Logon Session]] | 3 |
| [[dc0089-instance-stop\|DC0089 - Instance Stop]] | DC0089 | [[ds0030-instance\|DS0030 — Instance]] | 3 |
| [[dc0090-cloud-service-disable\|DC0090 - Cloud Service Disable]] | DC0090 | [[ds0025-cloud-service\|DS0025 — Cloud Service]] | 4 |
| [[dc0091-container-enumeration\|DC0091 - Container Enumeration]] | DC0091 | [[ds0032-container\|DS0032 — Container]] | 3 |
| [[dc0092-volume-modification\|DC0092 - Volume Modification]] | DC0092 | [[ds0034-volume\|DS0034 — Volume]] | 3 |
| [[dc0093-certificate-registration\|DC0093 - Certificate Registration]] | DC0093 | [[ds0026-active-directory\|DS0026 - Active Directory]] | 3 |
| [[dc0094-group-modification\|DC0094 - Group Modification]] | DC0094 | [[ds0036-group\|DS0036 - Group]] | 3 |
| [[dc0095-volume-enumeration\|DC0095 - Volume Enumeration]] | DC0095 | [[ds0034-volume\|DS0034 — Volume]] | 3 |
| [[dc0096-passive-dns\|DC0096 - Passive DNS]] | DC0096 | [[ds0029-network-traffic\|DS0029 — Network Traffic]] | 5 |
| [[dc0097-volume-creation\|DC0097 - Volume Creation]] | DC0097 | [[ds0034-volume\|DS0034 — Volume]] | 3 |
| [[dc0098-volume-deletion\|DC0098 - Volume Deletion]] | DC0098 | [[ds0034-volume\|DS0034 — Volume]] | 3 |
| [[dc0099-group-enumeration\|DC0099 - Group Enumeration]] | DC0099 | [[ds0036-group\|DS0036 - Group]] | 3 |
| [[dc0100-volume-metadata\|DC0100 - Volume Metadata]] | DC0100 | [[ds0034-volume\|DS0034 — Volume]] | 3 |
| [[dc0101-domain-registration\|DC0101 - Domain Registration]] | DC0101 | [[ds0029-network-traffic\|DS0029 — Network Traffic]] | 3 |
| [[dc0102-network-share-access\|DC0102 - Network Share Access]] | DC0102 | [[ds0033-network-share\|DS0033 — Network Share]] | 5 |
| [[dc0103-active-dns\|DC0103 - Active DNS]] | DC0103 | [[ds0029-network-traffic\|DS0029 — Network Traffic]] | 5 |
| [[dc0104-response-content\|DC0104 - Response Content]] | DC0104 | [[ds0029-network-traffic\|DS0029 — Network Traffic]] | 3 |
| [[dc0105-group-metadata\|DC0105 - Group Metadata]] | DC0105 | [[ds0036-group\|DS0036 - Group]] | 3 |
| [[dc0106-response-metadata\|DC0106 - Response Metadata]] | DC0106 | [[ds0029-network-traffic\|DS0029 — Network Traffic]] | 3 |
<!-- SerializedQuery END -->
> [!tip] Implementation Priority for the SOC
> The data components with the broadest detection coverage are:
> - **Process Creation**: detects the largest number of ATT&CK techniques
> - **Command Execution**: visibility into command and script execution
> - **Network Traffic Flow**: detects C2, exfiltration and lateral movement
> - **File Creation/Modification**: detects persistence, staging and payloads
> - **Logon Session Creation**: detects use of compromised credentials
>
> Start with these 5 components for maximum coverage with minimum effort.
## Coverage by Platform
| Platform | Data Components | Primary Source |
|-----------|----------------|-----------------|
| Windows | 73 | Sysmon + Security Event Log + ETW |
| Linux | 59 | auditd + syslog + eBPF |
| macOS | 59 | Unified Log + Endpoint Security Framework |
| IaaS (AWS/Azure/GCP) | 57 | CloudTrail, Azure Monitor, GCP Audit |
| ESXi | 42 | vCenter logs, ESXi syslog |
| Identity Provider | 26 | Azure AD, Okta, Active Directory |
| SaaS | 24 | M365 Audit, Google Workspace |
| Office Suite | 24 | Exchange Online, SharePoint, Teams |
| Android | 16 | Device Admin, MDM telemetry |
| iOS | 16 | MDM, Endpoint Security |
| Containers | 15 | Docker daemon, Kubernetes API audit |
| Network Devices | 6 | SNMP, syslog, NetFlow |
## References
- [MITRE ATT&CK — Data Sources](https://attack.mitre.org/datasources/)
- [MITRE ATT&CK — Data Components](https://attack.mitre.org/datacomponents/)
- [Sigma Rules](https://github.com/SigmaHQ/sigma): detection rules based on data components