Enum: AttackCollectionLayerEnum

Closed enumeration of collection layers for ATT&CK Data Sources. A collection layer identifies the location or tier within a technology stack where telemetry for a data source can be collected for detection purposes.

URI: attack:AttackCollectionLayerEnum

Permissible Values

Value Meaning Description
Cloud Control Plane None Cloud provider API and management plane logs (e.g., AWS CloudTrail, Azure Activity Log).
Host None Host-based collection from endpoint agents, OS audit logs, and EDR sensors.
Container None Container runtime logs and orchestration platform events (Docker, Kubernetes).
Network None Network traffic capture, flow records, and packet data (PCAP, NetFlow, DNS logs).
Device None Device-level logs from hardware sensors, embedded systems, or field devices.
OSINT None Open-source intelligence gathered from publicly available sources.
Report None Third-party threat intelligence reports and publications.

Slots

Name Description
x_mitre_collection_layers The technology stack layers from which telemetry for this Data Source can be ...
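Because the enumeration is closed, a value in the x_mitre_collection_layers slot must match one of the seven permissible strings exactly, case included; a record carrying "cloud control plane" or an invented layer such as "Sensor" is invalid, not merely unusual. The following is an added example, not code from the schema page or from MITRE's tooling: it validates constructed records shaped like ATT&CK STIX x-mitre-data-source objects against the enum above and then indexes the valid ones by layer, which is the question a detection engineer usually asks ("which data sources can my host telemetry feed?"). The record contents and the function names are assumptions made for this example.

```python
"""Validate x_mitre_collection_layers against the closed enum and index by layer.

Added example, not part of the LinkML schema page or of MITRE's own tooling.
The records below are constructed for this example; they mirror the shape of
ATT&CK STIX x-mitre-data-source objects, which carry the layers as a list of
strings, but are not copied from the ATT&CK dataset.
"""
from enum import Enum
from typing import Dict, List, Optional


class AttackCollectionLayerEnum(str, Enum):
    """Permissible values, copied from the enum definition on this page."""
    CLOUD_CONTROL_PLANE = "Cloud Control Plane"
    HOST = "Host"
    CONTAINER = "Container"
    NETWORK = "Network"
    DEVICE = "Device"
    OSINT = "OSINT"
    REPORT = "Report"


# Closed enumeration: the text must match exactly, including case.
PERMISSIBLE = {member.value for member in AttackCollectionLayerEnum}


def _canonical_spelling(value: object) -> Optional[str]:
    """Return the permissible value that differs from `value` only by case, if any."""
    lowered = str(value).lower()
    return next((v for v in PERMISSIBLE if v.lower() == lowered), None)


def validate_collection_layers(data_source: Dict) -> List[str]:
    """Return validation errors for one record; an empty list means it is valid."""
    errors: List[str] = []
    name = data_source.get("name", "<unnamed>")
    layers = data_source.get("x_mitre_collection_layers")
    if not isinstance(layers, list) or not layers:
        return [f"{name}: x_mitre_collection_layers must be a non-empty list"]
    seen = set()
    for layer in layers:
        if layer in seen:
            errors.append(f"{name}: duplicate collection layer {layer!r}")
            continue
        seen.add(layer)
        if layer in PERMISSIBLE:
            continue
        canonical = _canonical_spelling(layer)
        if canonical is not None:
            errors.append(f"{name}: {layer!r} is not permissible; did you mean {canonical!r}?")
        else:
            errors.append(f"{name}: {layer!r} is not in AttackCollectionLayerEnum")
    return errors


def data_sources_by_layer(data_sources: List[Dict]) -> Dict[str, List[str]]:
    """Group the names of valid records by collection layer; invalid records are skipped."""
    index: Dict[str, List[str]] = {m.value: [] for m in AttackCollectionLayerEnum}
    for ds in data_sources:
        if validate_collection_layers(ds):
            continue
        for layer in ds["x_mitre_collection_layers"]:
            index[layer].append(ds["name"])
    return index


# Constructed sample records (assumption: shape only, not real ATT&CK content).
SAMPLE_DATA_SOURCES: List[Dict] = [
    {"type": "x-mitre-data-source", "name": "Process",
     "x_mitre_collection_layers": ["Host"]},
    {"type": "x-mitre-data-source", "name": "Cloud Service",
     "x_mitre_collection_layers": ["Cloud Control Plane"]},
    {"type": "x-mitre-data-source", "name": "Network Traffic",
     "x_mitre_collection_layers": ["Cloud Control Plane", "Host", "Network"]},
    # Two deliberately bad records: a case-only mismatch and a value outside the enum.
    {"type": "x-mitre-data-source", "name": "Bad Case",
     "x_mitre_collection_layers": ["cloud control plane"]},
    {"type": "x-mitre-data-source", "name": "Unknown Layer",
     "x_mitre_collection_layers": ["Host", "Sensor"]},
]


if __name__ == "__main__":
    for record in SAMPLE_DATA_SOURCES:
        for error in validate_collection_layers(record):
            print("INVALID:", error)
    for layer, names in data_sources_by_layer(SAMPLE_DATA_SOURCES).items():
        print(f"{layer}: {', '.join(names) or '-'}")
```

The case-insensitive lookup is only used to produce a helpful message; it never accepts the mis-cased value, which is what "closed enumeration" requires. The grouping function deliberately drops any record with an error so that a single bad value cannot smuggle an otherwise valid layer into the index.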

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/attack

LinkML Source

name: AttackCollectionLayerEnum
description: Closed enumeration of collection layers for ATT&CK Data Sources. A collection
  layer identifies the location or tier within a technology stack where telemetry
  for a data source can be collected for detection purposes.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
permissible_values:
  Cloud Control Plane:
    text: Cloud Control Plane
    description: Cloud provider API and management plane logs (e.g., AWS CloudTrail,
      Azure Activity Log).
  Host:
    text: Host
    description: Host-based collection from endpoint agents, OS audit logs, and EDR
      sensors.
  Container:
    text: Container
    description: Container runtime logs and orchestration platform events (Docker,
      Kubernetes).
  Network:
    text: Network
    description: Network traffic capture, flow records, and packet data (PCAP, NetFlow,
      DNS logs).
  Device:
    text: Device
    description: Device-level logs from hardware sensors, embedded systems, or field
      devices.
  OSINT:
    text: OSINT
    description: Open-source intelligence gathered from publicly available sources.
  Report:
    text: Report
    description: Third-party threat intelligence reports and publications.