Logsources

For each Sigma rule to be effective at detection, it is important to identify what type of logs your SIEM is required to search over. This is important not only for efficiency of detections, but also for ensuring detection is happening against the correct set of fields and values applied.

Each logsource definition within a Sigma rule is made up of three separate fields. These fields, when used in combination, define a given logsource.

• product
• service
• category

Each Sigma logsource is then usually (depending on your SIEM) prepended to the start of a detection query, in order for that query to target only those specific set of logs relevant to that detection. See this example below:

Logsource Basics

Before Sigma queries can be used effectively within an organisation's SIEM or Alerting tooling, it's important to identify whether the detection can search over the appropriate types of logs that the Sigma detection requires.

Because each logsource will look fairly similar – especially in Sigma rules targeting Microsoft Windows™ domain – it's important to know when Sigma rules will match again a logsource, as any mismatches in logsource can render the detection ineffective.

Sigma Specification for Logsources

The Sigma Specification repository outlines a standard set of logsources, that is supported across the community in the Sigma rule collection.

Logsource Types

The category value is used to select all log files written by a certain group of products, like firewalls or web server logs.

The product value is used to select all log outputs of a certain product. For example, all Windows Eventlog types including "Security", "System", "Application" and the new log types like "AppLocker" and "Windows Defender".

Use the service value to select only a subset of a product's logs, like the "sshd" on Linux or the "Security" Eventlog on Windows systems.

Definition Field

You may also see a definition field within logsource description. This can also provide more information about how to onboard the log data source correctly, and doesn't get included when completing logsource matching.

tags:
  - attack.privilege_escalation
  - attack.t1548
logsource: 
  product: windows
  category: ps_script
  definition: Script Block Logging must be enabled
detection:
  selection:
    ScriptBlockText|contains: 'Invoke-Nightmare'

Available Logsources

Standard Logsources

Below is a list of standard Sigma logsources. These are the logsources used within the sigma/rules repository.

AWS - Cloudtrail

awscloudtrail

logsource:
  product: aws
  service: cloudtrail

Antivirus

antivirus

logsource:
  category: antivirus

Apache

apache

logsource:
  service: apache

Azure - Activity Logs

activityactivitylogsazurelogs

logsource:
  product: azure
  service: activitylogs

Azure - Auditlogs

auditlogsazure

logsource:
  product: azure
  service: auditlogs

Azure - Azure Activity

activityazureazureactivity

logsource:
  product: azure
  service: azureactivity

Azure - Signinlogs

azuresigninlogs

logsource:
  product: azure
  service: signinlogs

Cisco - Aaa - Accounting

aaaaccountingcisco

logsource:
  category: accounting
  product: cisco
  service: aaa

DNS

dns

logsource:
  category: dns

Django - Application

applicationdjango

logsource:
  category: application
  product: django

Firewall

firewall

logsource:
  category: firewall

Google Cloud Platform - Google Cloud Platform.Audit

cloudgcpgcp.auditgoogleplatformplatform.audit

logsource:
  product: gcp
  service: gcp.audit

Google Workspace - Google Workspace.Admin

googlegoogle_workspacegoogle_workspace.adminworkspaceworkspace.admin

logsource:
  product: google_workspace
  service: google_workspace.admin

Linux

linux

logsource:
  product: linux

Linux - Auditd

auditdlinux

logsource:
  product: linux
  service: auditd

Linux - Auth

authlinux

logsource:
  product: linux
  service: auth

Linux - Clamav

clamavlinux

logsource:
  product: linux
  service: clamav

Linux - Cron

cronlinux

logsource:
  product: linux
  service: cron

Linux - File Create

createfilefile_createlinux

logsource:
  category: file_create
  product: linux

Linux - Guacamole

guacamolelinux

logsource:
  product: linux
  service: guacamole

Linux - Modsecurity

linuxmodsecurity

logsource:
  product: linux
  service: modsecurity

Linux - Network Connection

connectionlinuxnetworknetwork_connection

logsource:
  category: network_connection
  product: linux

Linux - Process Creation

creationlinuxprocessprocess_creation

logsource:
  category: process_creation
  product: linux

Linux - Sshd

linuxsshd

logsource:
  product: linux
  service: sshd

Linux - Sudo

linuxsudo

logsource:
  product: linux
  service: sudo

Linux - Syslog

linuxsyslog

logsource:
  product: linux
  service: syslog

Linux - Vsftpd

linuxvsftpd

logsource:
  product: linux
  service: vsftpd

Microsoft 365 - Exchange

365exchangem365microsoft

logsource:
  product: m365
  service: exchange

Microsoft 365 - Threat Detection

365detectionm365microsoftthreatthreat_detection

logsource:
  product: m365
  service: threat_detection

Microsoft 365 - Threat Management

365m365managementmicrosoftthreatthreat_management

logsource:
  product: m365
  service: threat_management

Microsoft 365 Portal - Auditlogs

365auditlogsmicrosoftmicrosoft365portalportal

logsource:
  product: microsoft365portal
  service: auditlogs

Netflow

netflow

logsource:
  service: netflow

Okta - Okta

okta

logsource:
  product: okta
  service: okta

OneLogin - OneLogin.Events

oneloginonelogin.events

logsource:
  product: onelogin
  service: onelogin.events

Proxy

proxy

logsource:
  category: proxy

Python - Application

applicationpython

logsource:
  category: application
  product: python

Qualys

qualys

logsource:
  product: qualys

Rpc Firewall - Application

applicationfirewallrpcrpc_firewall

logsource:
  category: application
  product: rpc_firewall

Ruby On Rails - Application

applicationonrailsrubyruby_on_rails

logsource:
  category: application
  product: ruby_on_rails

SQL - Application

applicationsql

logsource:
  category: application
  product: sql

Spring - Application

applicationspring

logsource:
  category: application
  product: spring

Webserver

webserver

logsource:
  category: webserver

Windows

windows

logsource:
  product: windows

Windows - Application

applicationwindows

logsource:
  product: windows
  service: application

Windows - Applocker

applockerwindows

logsource:
  product: windows
  service: applocker

Windows - Bits Client

bitsbits-clientclientwindows

logsource:
  product: windows
  service: bits-client

Windows - Codeintegrity Operational

codeintegritycodeintegrity-operationaloperationalwindows

logsource:
  product: windows
  service: codeintegrity-operational

Windows - Create Remote Thread

createcreate_remote_threadremotethreadwindows

logsource:
  category: create_remote_thread
  product: windows

Windows - Create Stream Hash

createcreate_stream_hashhashstreamwindows

logsource:
  category: create_stream_hash
  product: windows

Windows - DNS Query

dnsdns_queryquerywindows

logsource:
  category: dns_query
  product: windows

Windows - DNS Server

dnsdns-serverserverwindows

logsource:
  product: windows
  service: dns-server

Windows - Diagnosis Scripted

diagnosisdiagnosis-scriptedscriptedwindows

logsource:
  product: windows
  service: diagnosis-scripted

Windows - Driver Framework

driverdriver-frameworkframeworkwindows

logsource:
  product: windows
  service: driver-framework

Windows - Driver Load

driverdriver_loadloadwindows

logsource:
  category: driver_load
  product: windows

Windows - File Access

accessfilefile_accesswindows

logsource:
  category: file_access
  product: windows

Windows - File Block

blockfilefile_blockwindows

logsource:
  category: file_block
  product: windows

Windows - File Change

changefilefile_changewindows

logsource:
  category: file_change
  product: windows

Windows - File Delete

deletefilefile_deletewindows

logsource:
  category: file_delete
  product: windows

Windows - File Event

eventfilefile_eventwindows

logsource:
  category: file_event
  product: windows

Windows - File Rename

filefile_renamerenamewindows

logsource:
  category: file_rename
  product: windows

Windows - Firewall As

asfirewallfirewall-aswindows

logsource:
  product: windows
  service: firewall-as

Windows - Image Load

imageimage_loadloadwindows

logsource:
  category: image_load
  product: windows

Windows - Ldap Debug

debugldapldap_debugwindows

logsource:
  product: windows
  service: ldap_debug

Windows - Microsoft Servicebus Client

clientmicrosoftmicrosoft-servicebus-clientservicebuswindows

logsource:
  product: windows
  service: microsoft-servicebus-client

Windows - Msexchange Management

managementmsexchangemsexchange-managementwindows

logsource:
  product: windows
  service: msexchange-management

Windows - Network Connection

connectionnetworknetwork_connectionwindows

logsource:
  category: network_connection
  product: windows

Windows - Ntlm

ntlmwindows

logsource:
  product: windows
  service: ntlm

Windows - OpenSSH

opensshwindows

logsource:
  product: windows
  service: openssh

Windows - Pipe Created

createdpipepipe_createdwindows

logsource:
  category: pipe_created
  product: windows

Windows - Powershell

powershellwindows

logsource:
  product: windows
  service: powershell

Windows - Powershell Classic

classicpowershellpowershell-classicwindows

logsource:
  product: windows
  service: powershell-classic

Windows - Powershell Classic Provider Start

classicpowershellproviderps_classic_provider_startstartwindows

logsource:
  category: ps_classic_provider_start
  product: windows

Windows - Powershell Classic Start

classicpowershellps_classic_startstartwindows

logsource:
  category: ps_classic_start
  product: windows

Windows - Powershell Module

modulepowershellps_modulewindows

logsource:
  category: ps_module
  product: windows

Windows - Powershell Script

powershellps_scriptscriptwindows

logsource:
  category: ps_script
  product: windows

Windows - Printservice Admin

adminprintserviceprintservice-adminwindows

logsource:
  product: windows
  service: printservice-admin

Windows - Printservice Operational

operationalprintserviceprintservice-operationalwindows

logsource:
  product: windows
  service: printservice-operational

Windows - Process Access

accessprocessprocess_accesswindows

logsource:
  category: process_access
  product: windows

Windows - Process Creation

creationprocessprocess_creationwindows

logsource:
  category: process_creation
  product: windows

Windows - Process Tampering

processprocess_tamperingtamperingwindows

logsource:
  category: process_tampering
  product: windows

Windows - Raw Access Thread

accessrawraw_access_threadthreadwindows

logsource:
  category: raw_access_thread
  product: windows

Windows - Registry Add

addregistryregistry_addwindows

logsource:
  category: registry_add
  product: windows

Windows - Registry Delete

deleteregistryregistry_deletewindows

logsource:
  category: registry_delete
  product: windows

Windows - Registry Event

eventregistryregistry_eventwindows

logsource:
  category: registry_event
  product: windows

Windows - Registry Set

registryregistry_setsetwindows

logsource:
  category: registry_set
  product: windows

Windows - Security

securitywindows

logsource:
  product: windows
  service: security

Windows - Security

securitywindows

logsource:
  category: security
  product: windows

Windows - Security Mitigations

mitigationssecuritysecurity-mitigationswindows

logsource:
  product: windows
  service: security-mitigations

Windows - Shell Core

coreshellshell-corewindows

logsource:
  product: windows
  service: shell-core

Windows - Smbclient Security

securitysmbclientsmbclient-securitywindows

logsource:
  product: windows
  service: smbclient-security

Windows - Sysmon

sysmonwindows

logsource:
  product: windows
  service: sysmon

Windows - Sysmon Error

errorsysmonsysmon_errorwindows

logsource:
  category: sysmon_error
  product: windows

Windows - Sysmon Status

statussysmonsysmon_statuswindows

logsource:
  category: sysmon_status
  product: windows

Windows - System

systemwindows

logsource:
  product: windows
  service: system

Windows - System

systemwindows

logsource:
  category: system
  product: windows

Windows - Taskscheduler

taskschedulerwindows

logsource:
  product: windows
  service: taskscheduler

Windows - Terminalservices Localsessionmanager

localsessionmanagerterminalservicesterminalservices-localsessionmanagerwindows

logsource:
  product: windows
  service: terminalservices-localsessionmanager

Windows - WMI

windowswmi

logsource:
  product: windows
  service: wmi

Windows - WMI Event

eventwindowswmiwmi_event

logsource:
  category: wmi_event
  product: windows

Windows - Webserver

webserverwindows

logsource:
  category: webserver
  product: windows

Windows - Windefend

windefendwindows

logsource:
  product: windows
  service: windefend

Zeek - DNS

dnszeek

logsource:
  product: zeek
  service: dns

Zeek - Dce Rpc

dcedce_rpcrpczeek

logsource:
  product: zeek
  service: dce_rpc

Zeek - Http

httpzeek

logsource:
  product: zeek
  service: http

Zeek - Kerberos

kerberoszeek

logsource:
  product: zeek
  service: kerberos

Zeek - RDP

rdpzeek

logsource:
  product: zeek
  service: rdp

Zeek - Smb Files

filessmbsmb_fileszeek

logsource:
  product: zeek
  service: smb_files

Zeek - X509

x509zeek

logsource:
  product: zeek
  service: x509

macOS - File Event

eventfilefile_eventmacos

logsource:
  category: file_event
  product: macos

macOS - Process Creation

creationmacosprocessprocess_creation

logsource:
  category: process_creation
  product: macos

Custom Logsources

Sigma does not restrict what a Sigma logsource can be defined as, meaning you can use Sigma for just about any kind of logsource within your SIEM.

With the use of Pipelines, you can specify granular field-mapping, and logsource-mapping to ensure that your Sigma rules are correct right after the conversion process.

PipelinesStart to write your own Sigma conversion logic.

You can also see a basic example of logsource and field-mapping within the Getting Started page.