-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
Log Sources
frack113 edited this page Aug 13, 2022
·
5 revisions
this is a summary of the logsource used in the rules to help understand them better
Warning: This is a verison in progress
Please feel free to complete or correct it
| Product | Logsource | Event |
|---|---|---|
| category: antivirus | antivirus detection message (format depends on the editor) | |
| django | category: application product: django |
|
| python | category: application product: python |
|
| rpc_firewall | product: rpc_firewall category: application |
|
| ruby_on_rails | category: application product: ruby_on_rails |
|
| spring | category: application product: spring |
|
| sql | category: application product: sql |
| Product | Logsource | Event |
|---|---|---|
| Aws | product: aws service: cloudtrail |
|
| Azure | product: azure service: activitylogs |
|
| Azure | product: azure service: signinlogs |
|
| Gcp | product: gcp service: gcp.audit |
|
| Gworkspace | product: google_workspace service: google_workspace.admin |
|
| M365 | product: m365 service: threat_management |
|
| Okta | product: okta service: okta |
|
| Onelogin | product: onelogin service: onelogin.events |
| Product | Logsource | Event |
|---|---|---|
| Linux | category: file_create product: linux |
|
| Linux | category: network_connection product: linux |
EventID: 3 service: sysmon |
| Linux | category: process_creation product: linux |
EventID: 1 service: sysmon |
| Linux | product:linux | any logs |
| Linux | product: linux service: auditd |
auditd.log |
| Linux | product: linux service: auth |
auth.log |
| Linux | product: linux service: clamav |
|
| Linux | product: linux service: cron |
|
| Linux | product: linux service: guacamole |
|
| Linux | product: linux service: modsecurity |
|
| Linux | product: linux service: sudo |
|
| Linux | product: linux service: sshd |
|
| Linux | product: linux service: syslog |
|
| Linux | product: linux service: vsftpd |
| Product | Logsource | Event |
|---|---|---|
| Macos | category: file_event product: macos |
|
| Macos | category: process_creation product: macos |
| Product | Logsource | Event |
|---|---|---|
| Cisco | product: cisco service: aaa category: accounting |
|
| category: dns | ||
| category: firewall | ||
| Zeek | product: zeek service: dce_rpc |
|
| Zeek | product: zeek service: dns |
|
| Zeek | product: zeek service: http |
|
| Zeek | product: zeek service: kerberos |
|
| Zeek | product: zeek service: rdp |
|
| Zeek | product: zeek service: smb_files |
|
| Zeek | product: zeek service: x509 |
|
| category: proxy | ||
| category: webserver |
| Product | Logsource | Event |
|---|---|---|
| windows | category: clipboard_capture product: windows |
EventID: 24 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: create_remote_thread product: windows |
EventID: 8 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: create_stream_hash product: windows |
EventID: 15 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: dns_query product: windows |
EventID: 22 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: driver_load product: windows |
EventID: 6 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: file_change product: windows |
EventID: 2 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: file_delete product: windows |
EventID: - 23 - 26 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: file_event product: windows |
EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: image_load product: windows |
EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: network_connection product: windows |
EventID: 3 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: pipe_created product: windows |
EventID: - 17 - 18 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: process_access product: windows |
EventID: 10 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: process_creation product: windows |
EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: process_tampering product: windows |
EventID: 25 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: process_termination product: windows |
EventID: 5 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: ps_classic_provider_start product: windows |
EventID: 600 Channel: Windows PowerShell |
| windows | category: ps_classic_script product: windows |
EventID: 800 Channel: Windows PowerShell |
| windows | category: ps_classic_start product: windows |
EventID: 400 Channel: Windows PowerShell |
| windows | category: ps_module product: windows |
EventID: 4103 Channel: Microsoft-Windows-PowerShell/Operational |
| windows | category: ps_script product: windows |
EventID: 4104 Channel: Microsoft-Windows-PowerShell/Operational |
| windows | category: raw_access_thread product: windows |
EventID: 9 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: registry_add product: windows |
EventID: 12 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: registry_delete product: windows |
EventID: 12 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: registry_event product: windows |
EventID: - 12 - 13 - 14 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: registry_rename product: windows |
EventID: 14 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: registry_set product: windows |
EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: sysmon_error product: windows |
EventID: 255 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: sysmon_status product: windows |
EventID: - 4 - 16 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | category: wmi_event product: windows |
EventID: - 19 - 20 - 21 Channel: Microsoft-Windows-Sysmon/Operational |
| windows | product: windows service: application |
Channel: - Application |
| windows | product: windows service: applocker |
Channel: - Microsoft-Windows-AppLocker/MSI and Script - Microsoft-Windows-AppLocker/EXE and DLL - Microsoft-Windows-AppLocker/Packaged app-Deployment - Microsoft-Windows-AppLocker/Packaged app-Execution |
| windows | product: windows service: bits-client |
Channel: - Microsoft-Windows-Bits-Client/Operational |
| windows | product: windows service: codeintegrity-operational |
Channel: - Microsoft-Windows-CodeIntegrity/Operational |
| windows | product: windows service: dhcp |
Channel: - Microsoft-Windows-DHCP-Server/Operational |
| windows | product: windows service: dns-server |
Channel: - DNS Server |
| windows | product: windows service: driver-framework |
Channel: - Microsoft-Windows-DriverFrameworks-UserMode/Operational |
| windows | product: windows service: firewall-as |
Channel: - Microsoft-Windows-Windows Firewall With Advanced Security/Firewall |
| windows | product: windows service: ldap_debug |
Channel: - Microsoft-Windows-LDAP-Client/Debug |
| windows | product: windows service: microsoft-servicebus-client |
Channel: - Microsoft-ServiceBus-Client |
| windows | product: windows service: msexchange-management |
Channel: - MSExchange Management |
| windows | product: windows service: ntlm |
Channel: - Microsoft-Windows-NTLM/Operational |
| windows | product: windows service: powershell |
Channel: - Microsoft-Windows-PowerShell/Operational |
| windows | product: windows service: powershell-classic |
Channel: - Windows PowerShell |
| windows | product: windows service: printservice-admin |
Channel: - Microsoft-Windows-PrintService/Admin |
| windows | product: windows service: printservice-operational |
Channel: - Microsoft-Windows-PrintService/Operational |
| windows | product: windows service: security |
Channel: - Security |
| windows | product: windows service: security-mitigations |
Channel: - Microsoft-Windows-Security-Mitigations/Kernel Mode - Microsoft-Windows-Security-Mitigations/User Mode |
| windows | product: windows service: smbclient-security |
Channel: - Microsoft-Windows-SmbClient/Security |
| windows | product: windows service: sysmon |
Channel: - Microsoft-Windows-Sysmon/Operational |
| windows | product: windows service: system |
Channel: - System |
| windows | product: windows service: taskscheduler |
Channel: - Microsoft-Windows-TaskScheduler/Operational |
| windows | product: windows service: terminalservices-localsessionmanager |
Channel: - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational |
| windows | product: windows service: windefend |
Channel: - Microsoft-Windows-Windows Defender/Operational |
| windows | product: windows service: wmi |
Channel: - Microsoft-Windows-WMI-Activity/Operational |