blue-team-tools/tests/logsource.json

{
    "title": "Field name by logsource",
    "version": "20230113",
    "legit":{
        "windows":{
            "common": ["EventID", "Provider_Name","Channel","Computer","Security_UserID"],
            "empty": [],
            "category":{
                "process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion",
                                    "Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName",
                                    "ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId",
                                    "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User", "GrandParentImage"],
                "file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
                "network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort",
                                    "DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname",
                                    "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User", "ParentImage"],
                "sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"],
                "process_termination":["Image", "ProcessGuid", "ProcessId", "User"],
                "driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"],
                "image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid",
                            "ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"],
                "create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress",
                                        "StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"],
                "raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"],
                "process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId",
                                "SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"],
                "raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
                "file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
                "file_executable_detected":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "Hashes", "User"],
                "registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"],
                "registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"],
                "registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"],
                "registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
                "registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"],
                "create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
                "pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"],
                "wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"],
                "dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"],
                "file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
                "clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"],
                "process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"],
                "file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"],
                "ps_module":["ContextInfo", "UserData", "Payload"],
                "ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"],
                "file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"],
                "file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"],
                "ps_classic_start":[],
                "ps_classic_provider_start":[],
                "sysmon_error":[]
            },
            "service":{
                "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
                "bits-client":["RemoteName", "LocalName", "processPath", "processId"],
                "codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer",
                                            "RequestedPolicy", "ValidatedPolicy", "Status"],
                "diagnosis-scripted": ["PackagePath", "PackageId"],
                "firewall-as":["Action", "ApplicationPath", "ModifyingApplication"],
                "ldap":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"],
                "ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID",
                        "ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"],
                "openssh":["process", "payload"],
                "security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine",
                                        "ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel",
                                        "ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime",
                                        "RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"],
                "shell-core":["Name", "AppID", "Flags"],
                "smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName",
                                    "UserNameLength", "UserName", "ServerNameLength", "ServerName"],
                "smbclient-connectivity":[],
                "taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"],
                "terminalservices-localsessionmanager":["User", "SessionID", "Address"],
                "iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
                        "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
                        "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
                        "cs-referer", "cs-cookie"],
                "application":[],
                "sysmon":[],
                "powershell":[],
                "powershell-classic":[],
                "security":[],
                "system":[],
                "windefend":[],
                "wmi":[],
                "microsoft-servicebus-client":[],
                "printservice-operational":[],
                "driver-framework":[],
                "dns-server-analytic":[],
                "dns-server":[],
                "printservice-admin":[],
                "msexchange-management":[],
                "applocker":[],
                "vhdmp":[],
                "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"],
                "appxpackaging-om":["subjectName"],
                "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"],
                "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"],
                "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"],
                "capi2":[],
                "certificateservicesclient-lifecycle-system":[],
                "iis-configuration":[ "PhysicalPath","ConfigPath","EffectiveLocationPath","Configuration","TokenCacheModule","EditOperationType","OldValue","NewValue"]
            }
        },
        "linux":{
            "common": [],
            "empty": [],
            "category":{
                "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
                                    "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
                                    "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
                "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
                                    "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
                                    "DestinationPortName"],
                "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
                "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
                "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
                "sysmon_status": ["Configuration", "ConfigurationFileHash"],
                "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
            },
            "service":{
                "auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9",
                    "acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time",
                    "audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi",
                    "cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data",
                    "default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe",
                    "exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp",
                    "hook", "hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd",
                    "ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj",
                    "major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp",
                    "new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role",
                    "new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing",
                    "old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs",
                    "old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid",
                    "oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer",
                    "proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid",
                    "scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid",
                    "sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
                    "uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"],
                "vsftpd":[],
                "sshd":[],
                "syslog":[],
                "guacamole":[],
                "auth":[],
                "clamav":[],
                "modsecurity":[],
                "sudo":[],
                "cron":[]
            }
        },
        "empty":{
            "common": [],
            "empty": ["not_found"],
            "category":{
                "proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie",
                        "cs-host", "cs-method", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip",
                        "cs-uri"],
                "webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
                            "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status",
                            "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent",
                            "cs-referer", "cs-cookie"],
                "antivirus":[],
                "database":[],
                "dns":[],
                "firewall":[]
            },
            "service":{
                "apache":[],
                "netflow":[],
                "nginx":[]
            }
        },
        "cisco":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "aaa":[],
                "bgp":[],
                "duo":[],
                "ldp":[],
                "syslog":[]
            }
        },
        "fortios":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "sslvpnd": []
            }
        },
        "paloalto":{
            "common": [],
            "empty": [],
            "category":{
                "file_event": []
            },
            "service":{
                "globalprotect": []
            }
        },
        "django":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "kubernetes":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{
                "audit": []
            }
        },
        "python":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "qualys":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "rpc_firewall":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "ruby_on_rails":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "modsecurity":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "spring":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "sql":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "jvm":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "nodejs":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "opencanary":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "velocity":{
            "common": [],
            "empty": [],
            "category":{
                "application":[]
            },
            "service":{}
        },
        "aws":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "cloudtrail":[]
            }
        },
        "azure":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "activitylogs":[],
                "auditlogs":[],
				"riskdetection":[],
				"pim":[],
                "signinlogs":[]
            }
        },
        "gcp":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "gcp.audit":[],
                "google_workspace.admin":[]
            }
        },
        "github":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "audit":[]
            }
        },
        "bitbucket":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "audit":[]
            }
        },
        "m365":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "audit":[],
                "exchange":[],
                "threat_detection":[],
                "threat_management":[]
            }
        },
        "okta":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "okta":[]
            }
        },
        "onelogin":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "onelogin.events":[]
            }
        },
        "huawei":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "bgp":[]
            }
        },
        "juniper":{
            "common": [],
            "empty": [],
            "category":{},
            "service":{
                "bgp":[]
            }
        },
        "zeek":{
            "common": [],
            "empty": [],
            "category":{
            },
            "service":{
                "kerberos":[],
                "smb_files":[],
                "rdp":[],
                "http":[],
                "dns":[],
                "dce_rpc":[],
                "x509":[]
            }
        },
        "macos":{
            "common": [],
            "empty": [],
            "category":{
                "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName",
                                    "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
                                    "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"],
                "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname",
                                    "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort",
                                    "DestinationPortName"],
                "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"],
                "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"],
                "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"],
                "sysmon_status": ["Configuration", "ConfigurationFileHash"],
                "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"]
            },
            "service":{
            }
        }    
    },
    "addon":{
        "windows":{
            "category":{
                "process_creation": ["GrandparentCommandLine"],
                "network_connection": ["CommandLine", "ParentImage"],
                "create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage",
                                    "SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine",
                                    "IsInitialThread", "RemoteCreation"],
                "file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"],
                "file_event": ["CommandLine", "ParentImage", "ParentCommandLine", "MagicHeader"],
                "image_load": ["CommandLine"],
                "process_access": ["SourceCommandLine", "CallTraceExtended"],
                "file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"],
                "file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"]
            },
            "service":{}
        }
    }
}