{ "title": "Field name by logsource", "version": "20221231", "legit":{ "windows":{ "commun": ["EventID","Provider_Name"], "empty": [], "category":{ "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion", "Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName", "ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId", "ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"], "file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"], "network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort", "DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname", "SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"], "sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"], "process_termination":["Image","ProcessGuid","ProcessId","User"], "driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"], "image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid", "ProcessId","Product","Signature","SignatureStatus","Signed","User"], "create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress", "StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"], "raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"], "process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId", "SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"], "raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"], "file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], "registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"], "registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject"], "registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"], "registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], "registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"], "create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"], "pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"], "wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"], "dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"], "file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"], "clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"], "process_tampering":["Image","ProcessGuid","ProcessId","Type","User"], "file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"], "ps_module":["ContextInfo","UserData","Payload"], "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"], "file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"], "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"], "ps_classic_start":[], "ps_classic_provider_start":[], "sysmon_error":[] }, "service":{ "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"], "bits-client":["RemoteName","LocalName","processPath","processId"], "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer", "RequestedPolicy","ValidatedPolicy","Status"], "diagnosis-scripted": ["PackagePath","PackageId"], "firewall-as":["Action","ApplicationPath","ModifyingApplication"], "ldap_debug":["ScopeOfSearch","SearchFilter","DistinguishedName","AttributeList","ProcessId"], "ntlm":["CallerPID","ClientDomainName","ClientLUID","ClientUserName","DomainName","MechanismOID", "ProcessName","SChannelName","SChannelType","TargetName","UserName","WorkstationName"], "openssh":["process","payload"], "security-mitigations":["ProcessPathLength","ProcessPath","ProcessCommandLineLength","ProcessCommandLine", "ProcessId","ProcessCreateTime","ProcessStartKey","ProcessSignatureLevel", "ProcessSectionSignatureLevel","ProcessProtection","TargetThreadId","TargetThreadCreateTime", "RequiredSignatureLevel","SignatureLevel","ImageNameLength","ImageName"], "shell-core":["Name","AppID","Flags"], "smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName", "UserNameLength","UserName","ServerNameLength","ServerName"], "taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority"], "terminalservices-localsessionmanager":["User","SessionID","Address"], "iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", "cs-referer","cs-cookie"], "application":[], "sysmon":[], "powershell":[], "powershell-classic":[], "security":[], "system":[], "windefend":[], "wmi":[], "microsoft-servicebus-client":[], "printservice-operational":[], "driver-framework":[], "dns-server-analytic":[], "dns-server":[], "printservice-admin":[], "msexchange-management":[], "applocker":[] } }, "linux":{ "commun": [], "empty": [], "category":{ "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", "DestinationPortName"], "process_termination": ["ProcessGuid","ProcessId","Image","User"], "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], "sysmon_status": ["Configuration","ConfigurationFileHash"], "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] }, "service":{ "auditd": ["a0","a1","a2","a3","a4","a5","a6","a7","a8","a9", "acct","acl","action","added","addr","apparmor","arch","argc","audit_backlog_limit","audit_backlog_wait_time", "audit_enabled","audit_failure","auid","banners","bool","bus","cap_fe,cap_fi","cap_fp","cap_fver","cap_pa","cap_pe","cap_pi", "cap_pp","capability","category","cgroup","changed","cipher","class","cmd","code","comm","compat","cwd","daddr","data", "default-context","dev","dev","device","dir","direction","dmac","dport","egid","enforcing","entries","errno","euid","exe", "exit","fam","family","fd","fe","feature","fi","file","flags","format","fp","fsgid","fsuid","fver","gid","grantors","grp", "hook","hostname","icmp_type","id","igid","img-ctx","inif","ino","inode","inode_gid","inode_uid","invalid_context","ioctlcmd", "ip","ipid","ipx-net","item","items","iuid","kernel","key","kind","ksize","laddr","len","list","lport","mac","macproto","maj", "major","minor","mode","model","msg","name","nametype","nargs","net","new","new_gid","new_lock","new_pe","new_pi","new_pp", "new-chardev","new-disk","new-enabled","new-fs","new-level","new-log_passwd","new-mem","new-net","new-range","new-rng","new-role", "new-seuser","new-vcpu","nlnk-fam","nlnk-grp","nlnk-pid","oauid","obj","obj_gid","obj_uid","ocomm","oflag","ogid","old","old_enforcing", "old_lock","old_pa","old_pe","old_pi","old_pp","old_prom","old_val","old-auid","old-chardev","old-disk","old-enabled","old-fs", "old-level","old-log_passwd","old-mem","old-net","old-range","old-rng","old-role","old-ses","old-seuser","old-vcpu","op","opid", "oses","ouid","outif","pa","parent","path","pe","per","perm","perm_mask","permissive","pfs","pi","pid","pp","ppid","printer", "proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid", "scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid", "sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user", "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"], "vsftpd":[], "sshd":[], "syslog":[], "guacamole":[], "auth":[], "clamav":[], "modsecurity":[], "sudo":[], "cron":[] } }, "empty":{ "commun": [], "empty": [], "category":{ "proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie", "cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip", "cs-uri"], "webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", "cs-referer","cs-cookie"], "antivirus":[], "database":[], "dns":[], "firewall":[] }, "service":{ "apache":[], "netflow":[] } }, "cisco":{ "commun": [], "empty": [], "category":{}, "service":{ "aaa":[] } }, "django":{ "commun": [], "empty": [], "category":{ "application":[] }, "service":{} }, "python":{ "commun": [], "empty": [], "category":{ "application":[] }, "service":{} }, "rpc_firewall":{ "commun": [], "empty": [], "category":{ "application":[] }, "service":{} }, "ruby_on_rails":{ "commun": [], "empty": [], "category":{ "application":[] }, "service":{} }, "spring":{ "commun": [], "empty": [], "category":{ "application":[] }, "service":{} }, "sql":{ "commun": [], "empty": [], "category":{ "application":[] }, "service":{} }, "aws":{ "commun": [], "empty": [], "category":{}, "service":{ "cloudtrail":[] } }, "azure":{ "commun": [], "empty": [], "category":{}, "service":{ "activitylogs":[], "auditlogs":[], "azureactivity":[], "microsoft365portal":[], "signinlogs":[] } }, "gcp":{ "commun": [], "empty": [], "category":{}, "service":{ "gcp.audit":[] } }, "google_workspace":{ "commun": [], "empty": [], "category":{}, "service":{ "google_workspace.admin":[] } }, "m365":{ "commun": [], "empty": [], "category":{}, "service":{ "exchange":[], "threat_detection":[], "threat_management":[] } }, "okta":{ "commun": [], "empty": [], "category":{}, "service":{ "okta":[] } }, "onelogin":{ "commun": [], "empty": [], "category":{}, "service":{ "onelogin.events":[] } }, "zeek":{ "commun": [], "empty": [], "category":{ }, "service":{ "kerberos":[], "smb_files":[], "rdp":[], "http":[], "dns":[], "dce_rpc":[], "x509":[] } }, "macos":{ "commun": [], "empty": [], "category":{ "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", "DestinationPortName"], "process_termination": ["ProcessGuid","ProcessId","Image","User"], "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], "sysmon_status": ["Configuration","ConfigurationFileHash"], "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] }, "service":{ } } }, "addon":{ "windows":{ "category":{ "process_creation": ["GrandparentCommandLine"], "network_connection": ["CommandLine","ParentImage"], "create_remote_thread": ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage", "SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine", "IsInitialThread","RemoteCreation"], "file_delete": ["CommandLine","ParentImage","ParentCommandLine"], "file_event": ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"], "image_load": ["CommandLine"], "process_access": ["SourceCommandLine","CallTraceExtended"], "file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"], "file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"] }, "service":{} } } }