{
    "title": "Field name by logsource",
    "version": "20221231",
    "legit":{
        "windows":{
            "commun": ["EventID","Provider_Name"],
            "category":{
                "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion",
                                    "Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName",
                                    "ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId",
                                    "ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"],
                "file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"],
                "network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort",
                                    "DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname",
                                    "SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"],
                "sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"],
                "process_termination":["Image","ProcessGuid","ProcessId","User"],
                "driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"],
                "image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid",
                            "ProcessId","Product","Signature","SignatureStatus","Signed","User"],
                "create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress",
                                        "StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"],
                "raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"],
                "process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId",
                                "SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"],
                "raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"],
                "file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
                "registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"],
                "registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"],
                "registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"],
                "registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
                "registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
                "create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"],
                "pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"],
                "wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"],
                "dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"],
                "file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"],
                "clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"],
                "process_tampering":["Image","ProcessGuid","ProcessId","Type","User"],
                "file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"],
                "ps_module":["ContextInfo","UserData","Payload"],
                "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"],
                "file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"],
                "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"]
            },
            "service":{
                "bits-client":["RemoteName","LocalName","processPath","processId"],
                "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer",
                                            "RequestedPolicy","ValidatedPolicy","Status"],
                "diagnosis-scripted": ["PackagePath","PackageId"],
                "firewall-as":["Action","ApplicationPath","ModifyingApplication"],
                "ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"]
            }
        },
        "linux":{
            "category":{
                "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName",
                                    "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes",
                                    "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"],
                "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname",
                                    "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort",
                                    "DestinationPortName"],
                "process_termination": ["ProcessGuid","ProcessId","Image","User"],
                "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"],
                "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
                "sysmon_status": ["Configuration","ConfigurationFileHash"],
                "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"]
            },
            "service":{
                "auditd": ["a0","a1","a2","a3","a4","a5","a6","a7","a8","a9",
                    "acct","acl","action","added","addr","apparmor","arch","argc","audit_backlog_limit","audit_backlog_wait_time",
                    "audit_enabled","audit_failure","auid","banners","bool","bus","cap_fe,cap_fi","cap_fp","cap_fver","cap_pa","cap_pe","cap_pi",
                    "cap_pp","capability","category","cgroup","changed","cipher","class","cmd","code","comm","compat","cwd","daddr","data",
                    "default-context","dev","dev","device","dir","direction","dmac","dport","egid","enforcing","entries","errno","euid","exe",
                    "exit","fam","family","fd","fe","feature","fi","file","flags","format","fp","fsgid","fsuid","fver","gid","grantors","grp",
                    "hook","hostname","icmp_type","id","igid","img-ctx","inif","ino","inode","inode_gid","inode_uid","invalid_context","ioctlcmd",
                    "ip","ipid","ipx-net","item","items","iuid","kernel","key","kind","ksize","laddr","len","list","lport","mac","macproto","maj",
                    "major","minor","mode","model","msg","name","nametype","nargs","net","new","new_gid","new_lock","new_pe","new_pi","new_pp",
                    "new-chardev","new-disk","new-enabled","new-fs","new-level","new-log_passwd","new-mem","new-net","new-range","new-rng","new-role",
                    "new-seuser","new-vcpu","nlnk-fam","nlnk-grp","nlnk-pid","oauid","obj","obj_gid","obj_uid","ocomm","oflag","ogid","old","old_enforcing",
                    "old_lock","old_pa","old_pe","old_pi","old_pp","old_prom","old_val","old-auid","old-chardev","old-disk","old-enabled","old-fs",
                    "old-level","old-log_passwd","old-mem","old-net","old-range","old-rng","old-role","old-ses","old-seuser","old-vcpu","op","opid",
                    "oses","ouid","outif","pa","parent","path","pe","per","perm","perm_mask","permissive","pfs","pi","pid","pp","ppid","printer",
                    "proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid",
                    "scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid",
                    "sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user",
                    "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"]
            }
        }
    },
    "addon":{
        "windows":{
            "category":{
                "process_creation": ["GrandparentCommandLine"],
                "network_connection": ["CommandLine","ParentImage"],
                "create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage",
                                    "SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine",
                                    "IsInitialThread","RemoteCreation"],
                "file_delete": ["CommandLine","ParentImage","ParentCommandLine"],
                "file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"],
                "image_load": ["CommandLine"],
                "process_access": ["SourceCommandLine","CallTraceExtended"],
                "file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"],
                "file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"]
            }
        }
    }
}