logsource.json
{
"title": "Field name by logsource",
"version": "20230113",
"legit":{
"windows":{
"commun": ["EventID", "Provider_Name"],
"empty": [],
"category":{
"process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion",
"Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName",
"ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId",
"ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User", "GrandParentImage"],
"file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort",
"DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname",
"SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User", "ParentImage"],
"sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"],
"process_termination":["Image", "ProcessGuid", "ProcessId", "User"],
"driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"],
"image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid",
"ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"],
"create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress",
"StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"],
"raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"],
"process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId",
"SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"],
"raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"file_executable_detected":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "Hashes", "User"],
"registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"],
"registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"],
"registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"],
"wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"],
"dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"],
"file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"],
"process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"],
"file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"ps_module":["ContextInfo", "UserData", "Payload"],
"ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"],
"file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"],
"file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"],
"ps_classic_start":[],
"ps_classic_provider_start":[],
"sysmon_error":[]
},
"service":{
"bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
"bits-client":["RemoteName", "LocalName", "processPath", "processId"],
"codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer",
"RequestedPolicy", "ValidatedPolicy", "Status"],
"diagnosis-scripted": ["PackagePath", "PackageId"],
"firewall-as":["Action", "ApplicationPath", "ModifyingApplication"],
"ldap":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"],
"ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID",
"ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"],
"openssh":["process", "payload"],
"security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine",
"ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel",
"ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime",
"RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"],
"shell-core":["Name", "AppID", "Flags"],
"smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName",
"UserNameLength", "UserName", "ServerNameLength", "ServerName"],
"smbclient-connectivity":[],
"taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"],
"terminalservices-localsessionmanager":["User", "SessionID", "Address"],
"iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
"cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
"sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
"cs-referer", "cs-cookie"],
"application":[],
"sysmon":[],
"powershell":[],
"powershell-classic":[],
"security":[],
"system":[],
"windefend":[],
"wmi":[],
"microsoft-servicebus-client":[],
"printservice-operational":[],
"driver-framework":[],
"dns-server-analytic":[],
"dns-server":[],
"printservice-admin":[],
"msexchange-management":[],
"applocker":[],
"vhdmp":[],
"appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"],
"appxpackaging-om":["subjectName"],
"lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"],
"dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"],
"appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"],
"capi2":[],
"certificateservicesclient-lifecycle-system":[]
}
},
"linux":{
"commun": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
"CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
"ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
"network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
"SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
"raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
"file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash"],
"file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
},
"service":{
"auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9",
"acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time",
"audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe", "cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi",
"cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data",
"default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe",
"exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp",
"hook", "hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd",
"ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj",
"major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp",
"new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role",
"new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing",
"old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs",
"old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid",
"oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer",
"proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid",
"scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid",
"sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
"uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"],
"vsftpd":[],
"sshd":[],
"syslog":[],
"guacamole":[],
"auth":[],
"clamav":[],
"modsecurity":[],
"sudo":[],
"cron":[]
}
},
"empty":{
"commun": [],
"empty": ["not_found"],
"category":{
"proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie",
"cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip",
"cs-uri"],
"webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
"cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
"sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
"cs-referer", "cs-cookie"],
"antivirus":[],
"database":[],
"dns":[],
"firewall":[]
},
"service":{
"apache":[],
"netflow":[],
"nginx":[]
}
},
"cisco":{
"commun": [],
"empty": [],
"category":{},
"service":{
"aaa":[],
"bgp":[],
"ldp":[],
"syslog":[]
}
},
"fortios":{
"commun": [],
"empty": [],
"category":{},
"service":{
"sslvpnd": []
}
},
"django":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"python":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"qualys":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"rpc_firewall":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"ruby_on_rails":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"modsecurity":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"spring":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"sql":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"jvm":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"nodejs":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"velocity":{
"commun": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"aws":{
"commun": [],
"empty": [],
"category":{},
"service":{
"cloudtrail":[]
}
},
"azure":{
"commun": [],
"empty": [],
"category":{},
"service":{
"activitylogs":[],
"auditlogs":[],
"riskdetection":[],
"pim":[],
"signinlogs":[]
}
},
"gcp":{
"commun": [],
"empty": [],
"category":{},
"service":{
"gcp.audit":[],
"google_workspace.admin":[]
}
},
"github":{
"commun": [],
"empty": [],
"category":{},
"service":{
"audit":[]
}
},
"m365":{
"commun": [],
"empty": [],
"category":{},
"service":{
"audit":[],
"exchange":[],
"threat_detection":[],
"threat_management":[]
}
},
"okta":{
"commun": [],
"empty": [],
"category":{},
"service":{
"okta":[]
}
},
"onelogin":{
"commun": [],
"empty": [],
"category":{},
"service":{
"onelogin.events":[]
}
},
"huawei":{
"commun": [],
"empty": [],
"category":{},
"service":{
"bgp":[]
}
},
"juniper":{
"commun": [],
"empty": [],
"category":{},
"service":{
"bgp":[]
}
},
"zeek":{
"commun": [],
"empty": [],
"category":{
},
"service":{
"kerberos":[],
"smb_files":[],
"rdp":[],
"http":[],
"dns":[],
"dce_rpc":[],
"x509":[]
}
},
"macos":{
"commun": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
"CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
"ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
"network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
"SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
"raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
"file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash"],
"file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
},
"service":{
}
}
},
"addon":{
"windows":{
"category":{
"process_creation": ["GrandparentCommandLine"],
"network_connection": ["CommandLine", "ParentImage"],
"create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage",
"SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine",
"IsInitialThread", "RemoteCreation"],
"file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"],
"file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"],
"image_load": ["CommandLine"],
"process_access": ["SourceCommandLine", "CallTraceExtended"],
"file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"],
"file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"]
},
"service":{}
}
}
}