Tom Kluter c8f207d390 Merge PR #5409 from @Luke57 - Add New Google Workspace Related Rules
new: Google Workspace Government Attack Warning
new: Google Workspace Out Of Domain Email Forwarding
new: Suspicious Login Activity Classified By Google

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2026-04-28 02:48:14 +02:00


{
"title": "Field name by logsource",
"version": "20251205",
"legit":{
"windows":{
"common": ["EventID", "Provider_Name","Channel","Computer","Security_UserID"],
"empty": [],
"category":{
"process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion",
"Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName",
"ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId",
"ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User", "GrandParentImage"],
"file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort",
"DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname",
"SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User", "ParentImage"],
"sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"],
"process_termination":["Image", "ProcessGuid", "ProcessId", "User"],
"driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"],
"image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid",
"ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"],
"create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress",
"StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"],
"raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"],
"process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId",
"SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"],
"raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"file_executable_detected":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "Hashes", "User"],
"registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"],
"registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"],
"registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
"create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"],
"wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"],
"dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"],
"file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"],
"process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"],
"file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
"ps_module":["ContextInfo", "UserData", "Payload"],
"ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"],
"file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"],
"file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"],
"ps_classic_start":[],
"ps_classic_provider_start":[],
"sysmon_error":[]
},
"service":{
"bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
"bits-client":["RemoteName", "LocalName", "processPath", "processId"],
"codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer",
"RequestedPolicy", "ValidatedPolicy", "Status"],
"diagnosis-scripted": ["PackagePath", "PackageId"],
"firewall-as":["Action", "ApplicationPath", "ModifyingApplication"],
"ldap":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"],
"ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID",
"ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"],
"openssh":["process", "payload"],
"security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine",
"ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel",
"ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime",
"RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"],
"shell-core":["Name", "AppID", "Flags"],
"smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName",
"UserNameLength", "UserName", "ServerNameLength", "ServerName"],
"smbclient-connectivity":[],
"smbserver-connectivity":[],
"taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"],
"terminalservices-localsessionmanager":["User", "SessionID", "Address"],
"iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
"cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
"sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
"cs-referer", "cs-cookie"],
"application":[],
"sysmon":[],
"powershell":[],
"powershell-classic":[],
"security":[],
"system":[],
"windefend":[],
"wmi":[],
"microsoft-servicebus-client":[],
"printservice-operational":[],
"driver-framework":[],
"dns-server-analytic":[],
"dns-server":[],
"printservice-admin":[],
"msexchange-management":[],
"applocker":[],
"vhdmp":[],
"appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess","Flags", "HasFullTrust"],
"appxpackaging-om":["subjectName"],
"lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"],
"dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"],
"appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"],
"capi2":[],
"certificateservicesclient-lifecycle-system":[],
"iis-configuration":[ "PhysicalPath","ConfigPath","EffectiveLocationPath","Configuration","TokenCacheModule","EditOperationType","OldValue","NewValue"]
}
},
"linux":{
"common": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
"CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
"ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
"network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
"SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
"raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
"file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash"],
"file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
},
"service":{
"auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9",
"acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time",
"audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi",
"cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data",
"default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe",
"exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp",
"hook", "hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd",
"ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj",
"major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp",
"new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role",
"new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing",
"old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs",
"old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid",
"oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer",
"proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid",
"scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid",
"sport", "state", "subj", "success", "suid", "syscall", "SYSCALL", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
"uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"],
"vsftpd":[],
"sshd":[],
"syslog":[],
"guacamole":[],
"auth":[],
"clamav":[],
"modsecurity":[],
"sudo":[],
"cron":[]
}
},
"empty":{
"common": [],
"empty": ["not_found"],
"category":{
"proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie",
"cs-host", "cs-method", "cs-uri-stem", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip",
"cs-uri"],
"webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
"cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
"sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
"cs-referer", "cs-cookie"],
"antivirus":[],
"database":[],
"dns":[],
"firewall":[]
},
"service":{
"apache":[],
"netflow":[],
"nginx":[]
}
},
"cisco":{
"common": [],
"empty": [],
"category":{},
"service":{
"aaa":[],
"bgp":[],
"duo":[],
"ldp":[],
"syslog":[]
}
},
"fortigate":{
"common": [],
"empty": [],
"category":{},
"service":{
"event":["devname","devid","logid","type","subtype","level","vd","logdesc","user","ui","action","cfgtid","cfgpath","cfgobj","cfgattr","msg"]
}
},
"fortios":{
"common": [],
"empty": [],
"category":{},
"service":{
"sslvpnd": []
}
},
"paloalto":{
"common": [],
"empty": [],
"category":{
"file_event": []
},
"service":{
"globalprotect": []
}
},
"django":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"kubernetes":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{
"audit": []
}
},
"python":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"qualys":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"rpc_firewall":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"ruby_on_rails":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"modsecurity":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"spring":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"sql":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"jvm":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"nodejs":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"opencanary":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"velocity":{
"common": [],
"empty": [],
"category":{
"application":[]
},
"service":{}
},
"aws":{
"common": [],
"empty": [],
"category":{},
"service":{
"cloudtrail":[]
}
},
"azure":{
"common": [],
"empty": [],
"category":{},
"service":{
"activitylogs":[],
"auditlogs":[],
"riskdetection":[],
"pim":[],
"signinlogs":[]
}
},
"gcp":{
"common": [],
"empty": [],
"category":{},
"service":{
"gcp.audit":[],
"google_workspace.admin":[],
"google_workspace.login":[]
}
},
"github":{
"common": [],
"empty": [],
"category":{},
"service":{
"audit":[]
}
},
"bitbucket":{
"common": [],
"empty": [],
"category":{},
"service":{
"audit":[]
}
},
"m365":{
"common": [],
"empty": [],
"category":{},
"service":{
"audit":[],
"exchange":[],
"threat_detection":[],
"threat_management":[]
}
},
"okta":{
"common": [],
"empty": [],
"category":{},
"service":{
"okta":[]
}
},
"onelogin":{
"common": [],
"empty": [],
"category":{},
"service":{
"onelogin.events":[]
}
},
"huawei":{
"common": [],
"empty": [],
"category":{},
"service":{
"bgp":[]
}
},
"juniper":{
"common": [],
"empty": [],
"category":{},
"service":{
"bgp":[]
}
},
"zeek":{
"common": [],
"empty": [],
"category":{
},
"service":{
"kerberos":[],
"smb_files":[],
"rdp":[],
"http":[],
"dns":[],
"dce_rpc":[],
"x509":[]
}
},
"macos":{
"common": [],
"empty": [],
"category":{
"process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
"CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
"ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
"network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
"SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
"DestinationPortName"],
"process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
"raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
"file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
"sysmon_status": ["Configuration", "ConfigurationFileHash"],
"file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
},
"service":{
}
}
},
"addon":{
"windows":{
"category":{
"process_creation": ["GrandparentCommandLine"],
"network_connection": ["CommandLine", "ParentImage"],
"create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage",
"SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine",
"IsInitialThread", "RemoteCreation"],
"file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"],
"file_event": ["CommandLine", "IntegrityLevel", "MagicHeader", "ParentCommandLine", "ParentImage"],
"image_load": ["CommandLine"],
"process_access": ["SourceCommandLine", "CallTraceExtended"],
"file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"],
"file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"]
},
"service":{}
},
"empty":{
"category":{
"webserver": ["cs-content-type"]
},
"service":{}
}
}
}