-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
Log Sources
frack113 edited this page Jul 3, 2022
·
5 revisions
this is a summary of the logsource used in the rules to help understand them better
Warning: This is a verison in progress
Please feel free to complete or correct it
| Product | Logsource | Event |
|---|---|---|
| Aws | product: aws service: cloudtrail |
|
| Azure | product: azure service: activitylogs |
|
| Azure | product: azure service: signinlogs |
|
| Gcp | ||
| Gworkspace | ||
| M365 | ||
| Okta | ||
| Onelogin |
| Product | Logsource | Event |
|---|---|---|
| Linux | category: file_create product: linux |
|
| Linux | category: network_connection product: linux |
EventID: 3 service: sysmon |
| Linux | category: process_creation product: linux |
EventID: 1 service: sysmon |
| Linux | product: linux service: auditd |
auditd.log |
| Linux | product: linux service: auth |
auth.log |
| Linux | product: linux service: clamav |
|
| Linux | product: linux service: guacamole |
|
| Linux | product: linux service: modsecurity |
|
| Linux | product: linux service: sshd |
|
| Linux | product: linux service: syslog |
|
| Linux | product: linux service: vsftpd |
| Product | Logsource | Event |
|---|---|---|
| Macos | category: file_event product: macos |
|
| Macos | category: process_creation product: macos |
| Product | Logsource | Event |
|---|---|---|
| windows | category: clipboard_capture product: windows |
EventID: 24 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: create_remote_thread product: windows |
EventID: 8 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: create_stream_hash product: windows |
EventID: 15 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: dns_query product: windows |
EventID: 22 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: driver_load product: windows |
EventID: 6 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: file_change product: windows |
EventID: 2 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: file_delete product: windows |
EventID: - 23 - 26 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: file_event product: windows |
EventID: 11 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: image_load product: windows |
EventID: 7 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: network_connection product: windows |
EventID: 3 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: pipe_created product: windows |
EventID: - 17 - 18 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: process_access product: windows |
EventID: 10 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: process_creation product: windows |
EventID: 1 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: process_tampering product: windows |
EventID: 25 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: process_termination product: windows |
EventID: 5 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: ps_classic_provider_start product: windows |
EventID: 600 Channel: 'Windows PowerShell' |
| windows | category: ps_classic_script product: windows |
EventID: 800 Channel: 'Windows PowerShell' |
| windows | category: ps_classic_start product: windows |
EventID: 400 Channel: 'Windows PowerShell' |
| windows | category: ps_module product: windows |
EventID: 4103 Channel: 'Microsoft-Windows-PowerShell/Operational' |
| windows | category: ps_script product: windows |
EventID: 4104 Channel: 'Microsoft-Windows-PowerShell/Operational' |
| windows | category: raw_access_thread product: windows |
EventID: 9 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: registry_add product: windows |
EventID: 12 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: registry_delete product: windows |
EventID: 12 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: registry_event product: windows |
EventID: - 12 - 13 - 14 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: registry_rename product: windows |
EventID: 14 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: registry_set product: windows |
EventID: 13 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: sysmon_error product: windows |
EventID: 255 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: sysmon_status product: windows |
EventID: - 4 - 16 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | category: wmi_event product: windows |
EventID: - 19 - 20 - 21 Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | product: windows service: application |
Channel: Application |
| windows | product: windows service: applocker |
Channel: - 'Microsoft-Windows-AppLocker/MSI and Script' - 'Microsoft-Windows-AppLocker/EXE and DLL' - Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' |
| windows | product: windows service: bits-client |
Channel: 'Microsoft-Windows-Bits-Client/Operational' |
| windows | product: windows service: codeintegrity-operational |
Channel: 'Microsoft-Windows-CodeIntegrity/Operational' |
| windows | product: windows service: dhcp |
Channel: 'Microsoft-Windows-DHCP-Server/Operational' |
| windows | product: windows service: dns-server |
Channel: 'DNS Server' |
| windows | product: windows service: driver-framework |
Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' |
| windows | product: windows service: firewall-as |
Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' |
| windows | product: windows service: ldap_debug |
Channel: 'Microsoft-Windows-LDAP-Client/Debug' |
| windows | product: windows service: microsoft-servicebus-client |
Channel: 'Microsoft-ServiceBus-Client' |
| windows | product: windows service: msexchange-management |
Channel: 'MSExchange Management' |
| windows | product: windows service: ntlm |
Channel: 'Microsoft-Windows-NTLM/Operational' |
| windows | product: windows service: powershell |
Channel: 'Microsoft-Windows-PowerShell/Operational' |
| windows | product: windows service: powershell-classic |
Channel: 'Windows PowerShell' |
| windows | product: windows service: printservice-admin |
Channel: 'Microsoft-Windows-PrintService/Admin' |
| windows | product: windows service: printservice-operational |
Channel: 'Microsoft-Windows-PrintService/Operational' |
| windows | product: windows service: security |
Channel: Security |
| windows | product: windows service: smbclient-security |
Channel: 'Microsoft-Windows-SmbClient/Security' |
| windows | product: windows service: sysmon |
Channel: 'Microsoft-Windows-Sysmon/Operational' |
| windows | product: windows service: system |
Channel: System |
| windows | product: windows service: taskscheduler |
Channel: 'Microsoft-Windows-TaskScheduler/Operational' |
| windows | product: windows service: terminalservices-localsessionmanager |
Channel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' |
| windows | product: windows service: windefend |
Channel: 'Microsoft-Windows-Windows Defender/Operational' |
| windows | product: windows service: wmi |
Channel: 'Microsoft-Windows-WMI-Activity/Operational' |