Table 4 Data categories and representative artifacts used in compromise assessments, including system, user, application, network, security-solution, domain, and cloud sources. Abbreviations: DNS, domain name system; DLP, data loss prevention; MDM, mobile device management; IAM, identity and access management.

System data and artifacts

● Endpoints System Logs

● Application Logs

● Running Processes

● Processes threads creation/termination

● Persistence and Autoruns Artifacts

● Console and Shell Commands History

● Memory & Disk Scanning Results

● File System Metadata

● Network share access

● System Configurations

User-related data and artifacts

● User logons/logout

● User attributes change

● User interactions’ artifacts

● User privileges and access configurations

● User browsing activities

● User downloads artifacts

● User execution artifacts

Application-related data and artifacts

● Application User Activities Logs

● Application Security Configuration Audit Logs

● Application Configuration

● Email-Related artifacts

Network traffic data

● Network traffic Full-Packet capture

● Network Flow (NetFlow)

● DNS queries

Security solutions data

● Firewall logs

● Web Application Firewall logs

● Antivirus Logs

● IPS & IDS logs

● DLP logs

● MDM logs

Domain-related data

● User login/logout activities

● Created and deleted user accounts

● Created and deleted service accounts

● User configuration changes

● Endpoints configurations

● Group Policy Objects configurations

Cloud-related data

● Cloud resources audit logs

● Identity and Access Management (IAM) logs

● Container and Orchestration Management Logs

● Virtual Network Traffic Logs