Logsources
For each Sigma rule to be effective at detection, it is important to identify what type of logs your SIEM is required to search over. This matters not only for the efficiency of detections, but also for ensuring that detection happens against the correct set of fields and values.
Each logsource definition within a Sigma rule is made up of three separate fields. These fields, when used in combination, define a given logsource.
category
product
service
Each Sigma logsource is then usually (depending on your SIEM) prepended to the start of a detection query, so that the query targets only the specific set of logs relevant to that detection. See this example below:
Logsource Basics
Before Sigma queries can be used effectively within an organization's SIEM or Alerting tooling, it's important to identify whether the detection can search over the appropriate types of logs that the Sigma detection requires.
Because each logsource will look fairly similar – especially in Sigma rules targeting the Microsoft Windows™ domain – it's important to know when Sigma rules will match against a logsource, as any mismatch in logsource can render the detection ineffective.
Sigma Specification for Logsources
The Sigma Specification repository outlines a standard set of logsources that are supported across the community in the Sigma rule collection.
Logsource Types
The category value is used to select all log files written by a certain group of products, like firewalls or web server logs.
The product value is used to select all log outputs of a certain product. For example, all Windows Eventlog types including "Security", "System", "Application" and the new log types like "AppLocker" and "Windows Defender".
Use the service value to select only a subset of a product's logs, like "sshd" on Linux or the "Security" Eventlog on Windows systems.
Definition Field
You may also see a definition field within a logsource description. It provides more information about how to onboard the log data source correctly, and it is not included when completing logsource matching.
tags:
  - attack.privilege_escalation
  - attack.t1548
logsource:
  product: windows
  category: ps_script
  definition: Script Block Logging must be enabled
detection:
  selection:
    ScriptBlockText|contains: 'Invoke-Nightmare'
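The matching and prepending described above, as an added example that is not code from the Sigma documentation or the SigmaHQ project. A SIEM-side table of onboarded logsources is matched against a rule's logsource block on category, product and service only (the definition field is ignored), the most specific match wins, and its selector is prepended to a minimal rendering of the rule's selection. The table contents, index names, event log paths and query syntax are constructed for illustration and are not a standard.

```python
# Added example (not SigmaHQ code): match a rule's logsource block against the
# logsources a SIEM has onboarded, then prepend the winning selector to the query.

LOGSOURCE_KEYS = ("category", "product", "service")

# Constructed: what this hypothetical SIEM ingests and the search prefix that
# scopes a query to each logsource.
SIEM_LOGSOURCES = [
    {"logsource": {"product": "windows"},
     "prefix": "index=winlogbeat"},
    {"logsource": {"product": "windows", "category": "process_creation"},
     "prefix": 'index=winlogbeat source="Microsoft-Windows-Sysmon/Operational" EventID=1'},
    {"logsource": {"product": "windows", "category": "ps_script"},
     "prefix": 'index=winlogbeat source="Microsoft-Windows-PowerShell/Operational" EventID=4104'},
    {"logsource": {"product": "linux", "service": "sshd"},
     "prefix": "index=syslog program=sshd"},
]

# The page's example rule transcribed to a dict; `condition` added so the
# detection block is complete.
RULE = {
    "tags": ["attack.privilege_escalation", "attack.t1548"],
    "logsource": {
        "product": "windows",
        "category": "ps_script",
        "definition": "Script Block Logging must be enabled",
    },
    "detection": {
        "selection": {"ScriptBlockText|contains": "Invoke-Nightmare"},
        "condition": "selection",
    },
}


def logsource_matches(rule_logsource, siem_logsource):
    """True when every category/product/service key the SIEM entry sets has the
    same value in the rule. Keys the entry leaves unset act as wildcards;
    `definition` and any other key in the rule are never consulted."""
    for key in LOGSOURCE_KEYS:
        wanted = siem_logsource.get(key)
        if wanted is not None and rule_logsource.get(key) != wanted:
            return False
    return True


def specificity(siem_logsource):
    """Number of logsource keys an entry pins down (1..3)."""
    return sum(1 for key in LOGSOURCE_KEYS if key in siem_logsource)


def select_logsource(rule_logsource, table=SIEM_LOGSOURCES):
    """Most specific onboarded logsource matching the rule, or None.

    A rule with product=windows and category=ps_script matches both the bare
    "windows" entry and the "ps_script" entry; the latter wins so the query is
    not run over every Windows event."""
    candidates = [e for e in table if logsource_matches(rule_logsource, e["logsource"])]
    if not candidates:
        return None
    return max(candidates, key=lambda e: specificity(e["logsource"]))


def build_query(rule, table=SIEM_LOGSOURCES):
    """Prepend the logsource selector to a minimal rendering of the rule's single
    `selection`. Only the `contains` modifier is handled here; a real converter
    (pySigma plus a backend) covers the full Sigma grammar."""
    entry = select_logsource(rule["logsource"], table)
    if entry is None:
        raise LookupError(f"no onboarded logsource matches {rule['logsource']}")
    terms = []
    for field_mod, value in rule["detection"]["selection"].items():
        field, _, modifier = field_mod.partition("|")
        pattern = f"*{value}*" if modifier == "contains" else str(value)
        terms.append(f'{field}="{pattern}"')
    return f"{entry['prefix']} {' '.join(terms)}"


if __name__ == "__main__":
    print(build_query(RULE))
    # A Linux auditd rule has no onboarded counterpart in the table, so the
    # mismatch is reported instead of silently searching some other index.
    print(select_logsource({"product": "linux", "service": "auditd"}))
```

The important property to check in your own tooling is the last one: a rule whose logsource nothing in the SIEM matches should fail loudly at conversion time, because a query that runs over the wrong index returns no hits and looks identical to a clean environment.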
Available Logsources
Standard Logsources
Below is a list of standard Sigma logsources. These are the logsources used within the sigma/rules repository.
AWS - Cloudtrail
logsource:
  product: aws
  service: cloudtrail
Antivirus
logsource:
  category: antivirus
Apache
logsource:
  service: apache
Azure - Activity Logs
logsource:
  product: azure
  service: activitylogs
Azure - Auditlogs
logsource:
  product: azure
  service: auditlogs
Azure - Azure Activity
logsource:
  product: azure
  service: azureactivity
Azure - Signinlogs
logsource:
  product: azure
  service: signinlogs
Cisco - Aaa - Accounting
logsource:
  category: accounting
  product: cisco
  service: aaa
DNS
logsource:
  category: dns
Django - Application
logsource:
  category: application
  product: django
Firewall
logsource:
  category: firewall
Google Cloud Platform - Google Cloud Platform.Audit
logsource:
  product: gcp
  service: gcp.audit
Google Workspace - Google Workspace.Admin
logsource:
  product: google_workspace
  service: google_workspace.admin
Linux
logsource:
  product: linux
Linux - Auditd
logsource:
  product: linux
  service: auditd
Linux - Auth
logsource:
  product: linux
  service: auth
Linux - Clamav
logsource:
  product: linux
  service: clamav
Linux - Cron
logsource:
  product: linux
  service: cron
Linux - File Event
logsource:
  product: linux
  category: file_event
Linux - Guacamole
logsource:
  product: linux
  service: guacamole
Linux - Modsecurity
logsource:
  product: linux
  service: modsecurity
Linux - Network Connection
logsource:
  category: network_connection
  product: linux
Linux - Process Creation
logsource:
  category: process_creation
  product: linux
Linux - Sshd
logsource:
  product: linux
  service: sshd
Linux - Sudo
logsource:
  product: linux
  service: sudo
Linux - Syslog
logsource:
  product: linux
  service: syslog
Linux - Vsftpd
logsource:
  product: linux
  service: vsftpd
Microsoft 365 - Exchange
logsource:
  product: m365
  service: exchange
Microsoft 365 - Threat Detection
logsource:
  product: m365
  service: threat_detection
Microsoft 365 - Threat Management
logsource:
  product: m365
  service: threat_management
Microsoft 365 Portal - Auditlogs
logsource:
  product: microsoft365portal
  service: auditlogs
Netflow
logsource:
  service: netflow
Okta - Okta
logsource:
  product: okta
  service: okta
OneLogin - OneLogin.Events
logsource:
  product: onelogin
  service: onelogin.events
Proxy
logsource:
  category: proxy
Python - Application
logsource:
  category: application
  product: python
Qualys
logsource:
  product: qualys
Rpc Firewall - Application
logsource:
  category: application
  product: rpc_firewall
Ruby On Rails - Application
logsource:
  category: application
  product: ruby_on_rails
SQL - Application
logsource:
  category: application
  product: sql
Spring - Application
logsource:
  category: application
  product: spring
Webserver
logsource:
  category: webserver
Windows
logsource:
  product: windows
Windows - Application
logsource:
  product: windows
  service: application
Windows - Applocker
logsource:
  product: windows
  service: applocker
Windows - Bits Client
logsource:
  product: windows
  service: bits-client
Windows - Codeintegrity Operational
logsource:
  product: windows
  service: codeintegrity-operational
Windows - Create Remote Thread
logsource:
  category: create_remote_thread
  product: windows
Windows - Create Stream Hash
logsource:
  category: create_stream_hash
  product: windows
Windows - DNS Query
logsource:
  category: dns_query
  product: windows
Windows - DNS Server
logsource:
  product: windows
  service: dns-server
Windows - Diagnosis Scripted
logsource:
  product: windows
  service: diagnosis-scripted
Windows - Driver Framework
logsource:
  product: windows
  service: driver-framework
Windows - Driver Load
logsource:
  category: driver_load
  product: windows
Windows - File Access
logsource:
  category: file_access
  product: windows
Windows - File Block
logsource:
  category: file_block
  product: windows
Windows - File Change
logsource:
  category: file_change
  product: windows
Windows - File Delete
logsource:
  category: file_delete
  product: windows
Windows - File Event
logsource:
  category: file_event
  product: windows
Windows - File Rename
logsource:
  category: file_rename
  product: windows
Windows - Firewall As
logsource:
  product: windows
  service: firewall-as
Windows - Image Load
logsource:
  category: image_load
  product: windows
Windows - Ldap Debug
logsource:
  product: windows
  service: ldap_debug
Windows - Microsoft Servicebus Client
logsource:
  product: windows
  service: microsoft-servicebus-client
Windows - Msexchange Management
logsource:
  product: windows
  service: msexchange-management
Windows - Network Connection
logsource:
  category: network_connection
  product: windows
Windows - Ntlm
logsource:
  product: windows
  service: ntlm
Windows - OpenSSH
logsource:
  product: windows
  service: openssh
Windows - Pipe Created
logsource:
  category: pipe_created
  product: windows
Windows - Powershell
logsource:
  product: windows
  service: powershell
Windows - Powershell Classic
logsource:
  product: windows
  service: powershell-classic
Windows - Powershell Classic Provider Start
logsource:
  category: ps_classic_provider_start
  product: windows
Windows - Powershell Classic Start
logsource:
  category: ps_classic_start
  product: windows
Windows - Powershell Module
logsource:
  category: ps_module
  product: windows
Windows - Powershell Script
logsource:
  category: ps_script
  product: windows
Windows - Printservice Admin
logsource:
  product: windows
  service: printservice-admin
Windows - Printservice Operational
logsource:
  product: windows
  service: printservice-operational
Windows - Process Access
logsource:
  category: process_access
  product: windows
Windows - Process Creation
logsource:
  category: process_creation
  product: windows
Windows - Process Tampering
logsource:
  category: process_tampering
  product: windows
Windows - Raw Access Thread
logsource:
  category: raw_access_thread
  product: windows
Windows - Registry Add
logsource:
  category: registry_add
  product: windows
Windows - Registry Delete
logsource:
  category: registry_delete
  product: windows
Windows - Registry Event
logsource:
  category: registry_event
  product: windows
Windows - Registry Set
logsource:
  category: registry_set
  product: windows
Windows - Security
logsource:
  product: windows
  service: security
Windows - Security
logsource:
  category: security
  product: windows
Windows - Security Mitigations
logsource:
  product: windows
  service: security-mitigations
Windows - Shell Core
logsource:
  product: windows
  service: shell-core
Windows - Smbclient Security
logsource:
  product: windows
  service: smbclient-security
Windows - Sysmon
logsource:
  product: windows
  service: sysmon
Windows - Sysmon Error
logsource:
  category: sysmon_error
  product: windows
Windows - Sysmon Status
logsource:
  category: sysmon_status
  product: windows
Windows - System
logsource:
  product: windows
  service: system
Windows - System
logsource:
  category: system
  product: windows
Windows - Taskscheduler
logsource:
  product: windows
  service: taskscheduler
Windows - Terminalservices Localsessionmanager
logsource:
  product: windows
  service: terminalservices-localsessionmanager
Windows - WMI
logsource:
  product: windows
  service: wmi
Windows - WMI Event
logsource:
  category: wmi_event
  product: windows
Windows - Webserver
logsource:
  category: webserver
  product: windows
Windows - Windefend
logsource:
  product: windows
  service: windefend
Zeek - DNS
logsource:
  product: zeek
  service: dns
Zeek - Dce Rpc
logsource:
  product: zeek
  service: dce_rpc
Zeek - Http
logsource:
  product: zeek
  service: http
Zeek - Kerberos
logsource:
  product: zeek
  service: kerberos
Zeek - RDP
logsource:
  product: zeek
  service: rdp
Zeek - Smb Files
logsource:
  product: zeek
  service: smb_files
Zeek - X509
logsource:
  product: zeek
  service: x509
macOS - File Event
logsource:
  category: file_event
  product: macos
macOS - Process Creation
logsource:
  category: process_creation
  product: macos
Custom Logsources
Sigma does not restrict what a logsource can be defined as, meaning you can use Sigma for just about any kind of logsource within your SIEM.
With the use of Pipelines, you can specify granular field-mapping and logsource-mapping to ensure that your Sigma rules are correct right after the conversion process.
You can also see a basic example of logsource and field-mapping within the Getting Started page.
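A custom logsource handled by a pipeline, as an added example that is not SigmaHQ code and does not use pySigma's API or its transformation identifiers. It is a miniature of what a processing pipeline does: an in-house application with product "acmebank" and service "audit" (both constructed names that appear in no standard logsource list) gets a query prefix and a field-name mapping from pipeline items that are conditioned on that logsource, while a rule for any other logsource passes through untouched and is refused at query time rather than searched against the wrong index. The pipeline item keys, index names and field names are assumptions made for this illustration.

```python
# Added example (not SigmaHQ or pySigma code): logsource-conditioned field
# mapping and query prefixing for a custom, non-standard logsource.

# Pipeline items in application order. Each carries a logsource condition; an
# empty condition would apply to every rule. Names and mappings are constructed.
PIPELINE = [
    {
        "id": "acmebank_audit_index",
        "rule_conditions": {"product": "acmebank", "service": "audit"},
        "add_prefix": "index=appaudit sourcetype=acmebank:audit",
    },
    {
        "id": "acmebank_audit_fields",
        "rule_conditions": {"product": "acmebank", "service": "audit"},
        "field_name_mapping": {
            "User": "user.name",
            "Action": "event.action",
            "SourceIp": "source.ip",
        },
    },
]

# Constructed rule against the custom logsource: a role change issued from an
# RFC 5737 documentation-range address rather than the internal network.
CUSTOM_RULE = {
    "title": "AcmeBank role change from an external address",
    "logsource": {
        "product": "acmebank",
        "service": "audit",
        "definition": "Application audit log forwarded via syslog",
    },
    "detection": {
        "selection": {"Action": "role_change", "SourceIp|startswith": "203.0.113."},
        "condition": "selection",
    },
}


def condition_matches(rule_logsource, condition):
    """Every key the condition sets must equal the rule's value. `definition`
    is never part of a condition, so it never influences matching."""
    return all(rule_logsource.get(k) == v for k, v in condition.items())


def rename_fields(selection, mapping):
    """Rename fields while keeping any `|modifier` suffix attached."""
    renamed = {}
    for field_mod, value in selection.items():
        field, sep, modifier = field_mod.partition("|")
        renamed[mapping.get(field, field) + sep + modifier] = value
    return renamed


def apply_pipeline(rule, pipeline=PIPELINE):
    """Return (prefix, selection) after running every item whose condition
    matches the rule's logsource. The input rule is left unmodified."""
    logsource = rule["logsource"]
    selection = dict(rule["detection"]["selection"])
    prefix = None
    for item in pipeline:
        if not condition_matches(logsource, item["rule_conditions"]):
            continue
        if "add_prefix" in item:
            prefix = item["add_prefix"]
        if "field_name_mapping" in item:
            selection = rename_fields(selection, item["field_name_mapping"])
    return prefix, selection


def to_query(rule, pipeline=PIPELINE):
    """Render the mapped selection behind the prefix, refusing to emit a query
    for a logsource the pipeline knows nothing about."""
    prefix, selection = apply_pipeline(rule, pipeline)
    if prefix is None:
        raise LookupError(f"pipeline has no logsource mapping for {rule['logsource']}")
    terms = []
    for field_mod, value in selection.items():
        field, _, modifier = field_mod.partition("|")
        pattern = {"contains": f"*{value}*", "startswith": f"{value}*",
                   "endswith": f"*{value}"}.get(modifier, str(value))
        terms.append(f'{field}="{pattern}"')
    return f"{prefix} {' '.join(terms)}"


if __name__ == "__main__":
    print(to_query(CUSTOM_RULE))
```

Ordering matters in a real pipeline just as it does here: the mapping item runs after the prefix item, and a later mapping only sees field names as they are after earlier ones have run, so keep one mapping per logsource rather than chaining renames.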