Internal Data

Internal Data Acquisition

  1. Internal Data Sources:

    • Host Data (Endpoint Data): This includes data from devices like mobile phones, laptops, desktop PCs, and servers. Key types of host data are:

      • Process Execution Metadata: Information on processes running on endpoints.

      • Registry Access Data: Data related to registry objects on Windows-based endpoints.

      • File Data: Information on file creation/modification dates, size, type, and location.

      • Network Data: Network connections opened from the host, together with the parent process that initiated each connection.

  2. Network Data:

    • Firewall Logs: Information on network traffic at the network's border.

    • Proxy Logs: HTTP data on outgoing web requests.

    • DNS Logs: Records of DNS resolution, including the mapping of queried domain names to IP addresses.

    • Web Server Logs: Records of user requests processed by the server.

    • Authentication Server Logs: Logs of sign-in failures, successful logins, and invalid requests.

  3. Threat Intelligence Data:

    • Internal Threat Intelligence: Leveraging intelligence from your own network, especially during campaign analysis.

    • Historical Knowledge: Maintaining historical data from past investigations to enhance threat awareness.


Why is this important:

  • Context Building: Understanding internal data sources helps in building context during incident investigations.

  • Detection and Prevention: By leveraging threat data from your own network, you can detect and stop threats more effectively.

  • Collaboration: Threat intelligence analysts need to know what data to request from other teams to build a comprehensive analysis.
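As an added illustration of context building (this code is not part of the original notes), the script below joins three of the internal sources listed above, host process execution metadata, host network data with parent process, DNS logs and proxy logs, to enrich a single outbound connection with the process chain that made it and the domain it was contacting. All hosts, users, domains, IPs and timestamps are constructed sample values.

```python
"""Added example: correlate host and network data sources around one connection.
Every record below is constructed sample data, not a real event."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample records (hypothetical host, user, domain and IP values).
PROCESS_EVENTS = [  # host data: process execution metadata
    {"ts": "2024-05-01T10:00:01", "host": "wks-042", "pid": 4412, "ppid": 3300,
     "image": "powershell.exe", "user": "jdoe"},
    {"ts": "2024-05-01T10:00:05", "host": "wks-042", "pid": 4420, "ppid": 4412,
     "image": "curl.exe", "user": "jdoe"},
]
HOST_NET_EVENTS = [  # host data: network connections with the owning process
    {"ts": "2024-05-01T10:00:06", "host": "wks-042", "pid": 4420,
     "dst_ip": "203.0.113.7", "dst_port": 443},
]
DNS_LOGS = [  # network data: DNS resolution (queried domain -> answer IP)
    {"ts": "2024-05-01T10:00:05", "host": "wks-042",
     "query": "updates.example.net", "answer": "203.0.113.7"},
]
PROXY_LOGS = [  # network data: outbound HTTP requests seen by the proxy
    {"ts": "2024-05-01T10:00:06", "src_host": "wks-042",
     "url": "https://updates.example.net/a.bin", "status": 200},
]

def _t(s):
    return datetime.fromisoformat(s)

def process_chain(host, pid):
    """Follow ppid links in the process metadata to recover the parent chain."""
    by_pid = {(e["host"], e["pid"]): e for e in PROCESS_EVENTS}
    chain = []
    while (host, pid) in by_pid:
        ev = by_pid[(host, pid)]
        chain.append(ev["image"])
        pid = ev["ppid"]  # stops when the parent is outside the collected data
    return chain

def build_context(dst_ip, window=timedelta(seconds=60)):
    """For each host connection to dst_ip, attach its process chain, the DNS
    query that resolved to dst_ip shortly before, and proxy requests to that domain."""
    results = []
    for conn in (c for c in HOST_NET_EVENTS if c["dst_ip"] == dst_ip):
        t = _t(conn["ts"])
        domains = {d["query"] for d in DNS_LOGS if d["host"] == conn["host"]
                   and d["answer"] == dst_ip and t - window <= _t(d["ts"]) <= t}
        urls = [p["url"] for p in PROXY_LOGS if p["src_host"] == conn["host"]
                and urlparse(p["url"]).hostname in domains
                and abs(_t(p["ts"]) - t) <= window]
        results.append({"host": conn["host"], "dst": f"{dst_ip}:{conn['dst_port']}",
                        "process_chain": process_chain(conn["host"], conn["pid"]),
                        "domains": sorted(domains), "urls": urls})
    return results
```

Running build_context("203.0.113.7") against the sample data yields one enriched record showing curl.exe launched by powershell.exe reaching updates.example.net; the same join is what an analyst asks the endpoint, DNS and proxy teams for when a single indicator arrives without context.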
