
Logsources

For a Sigma rule to detect effectively, it is important to identify which type of logs your SIEM needs to search over. This matters not only for the efficiency of the detection, but also for ensuring that the detection runs against the correct set of fields and values.

Each logsource definition within a Sigma rule is made up of three separate fields. These fields, when used in combination, define a given logsource.

  • category
  • product
  • service

Each Sigma logsource is then usually (depending on your SIEM) prepended to the start of the converted detection query, so that the query targets only the specific set of logs relevant to that detection. See this example below:

Logsource Basics

Before Sigma queries can be used effectively within an organization's SIEM or alerting tooling, it's important to identify whether the SIEM can search over the types of logs that the Sigma detection requires.

Because many logsources look fairly similar – especially in Sigma rules targeting the Microsoft Windows™ domain – it's important to know when a Sigma rule will match against a given logsource, as any mismatch in logsource can render the detection ineffective.

Sigma Specification for Logsources

The Sigma Specification repository outlines a standard set of logsources that are supported across the community in the Sigma rule collection.

Logsource Types

The category value is used to select all log files written by a certain group of products, like firewalls or web server logs.

The product value is used to select all log outputs of a certain product. For example, all Windows Eventlog types including "Security", "System", "Application" and the new log types like "AppLocker" and "Windows Defender".

Use the service value to select only a subset of a product's logs, like the "sshd" on Linux or the "Security" Eventlog on Windows systems.

Definition Field

You may also see a definition field within a logsource description. It provides more information about how to onboard the log data source correctly (for example, which auditing must be enabled), and it is not taken into account when matching logsources.

```yaml
tags:
  - attack.privilege_escalation
  - attack.t1548
logsource:
  product: windows
  category: ps_script
  definition: Script Block Logging must be enabled
detection:
  selection:
    ScriptBlockText|contains: 'Invoke-Nightmare'
```
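To make the matching described above concrete (only category, product and service take part, definition is ignored, and a logsource with no exact mapping can silently fall through to a broader one), here is an added Python model of how a converter picks a query prefix for a rule's logsource and prepends it to the detection. This is not Sigma's or pySigma's own code; the mapping table, the Splunk-like prefixes and the sample rule are constructed for illustration.

```python
# Added example, not pySigma's own code: a simplified model of logsource matching
# and of prepending the matched query prefix to a converted detection.
from typing import Optional

# Only these three fields take part in matching; "definition" is documentation.
MATCH_FIELDS = ("category", "product", "service")

# Constructed mapping table. Each condition lists the logsource fields it
# requires; the prefixes use a Splunk-like syntax purely for illustration.
LOGSOURCE_MAPPINGS = [
    ({"product": "windows", "category": "ps_script"},
     'source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104'),
    ({"product": "windows", "service": "security"}, 'source="WinEventLog:Security"'),
    ({"product": "linux", "service": "sshd"}, 'sourcetype="linux:sshd"'),
    ({"product": "windows"}, 'index="windows"'),  # broad catch-all for Windows rules
]

def matches(condition: dict, logsource: dict) -> bool:
    """True when every field the condition sets equals the rule's value.
    Unset fields are not compared, and keys outside category/product/service
    (such as definition) are ignored on both sides."""
    return all(logsource.get(f) == v
               for f, v in condition.items() if f in MATCH_FIELDS)

def query_prefix(logsource: dict) -> Optional[str]:
    """Prefix of the most specific matching mapping (most constrained fields),
    or None. A rule for product: windows / service: sysmon has no exact
    mapping here, so it falls through to the broad windows catch-all: the
    query still runs, but over far more logs than the rule intended."""
    hits = [(len(c), p) for c, p in LOGSOURCE_MAPPINGS if matches(c, logsource)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def convert(rule: dict) -> str:
    """Prepend the logsource prefix to the rule's already rendered detection."""
    prefix = query_prefix(rule["logsource"])
    if prefix is None:  # no mapping at all: fail loudly rather than emit a useless query
        raise ValueError(f"no logsource mapping for {rule['logsource']}")
    return f"{prefix} {rule['detection']}"

# Constructed rule mirroring the ps_script example above; the detection is
# shown already rendered to field syntax to keep the model short.
RULE = {
    "logsource": {"product": "windows", "category": "ps_script",
                  "definition": "Script Block Logging must be enabled"},
    "detection": 'ScriptBlockText="*Invoke-Nightmare*"',
}
```

Calling `convert(RULE)` yields the PowerShell script-block prefix followed by the detection; a rule whose logsource hits only the catch-all is the mismatch case worth checking for before trusting the converted query.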

Available Logsources

Standard Logsources

Below is a list of standard Sigma logsources. These are the logsources used within the sigma/rules repository.

AWS - Cloudtrail

```yaml
logsource:
  product: aws
  service: cloudtrail
```

Antivirus

```yaml
logsource:
  category: antivirus
```

Apache

```yaml
logsource:
  service: apache
```

Azure - Activity Logs

```yaml
logsource:
  product: azure
  service: activitylogs
```

Azure - Auditlogs

```yaml
logsource:
  product: azure
  service: auditlogs
```

Azure - Azure Activity

```yaml
logsource:
  product: azure
  service: azureactivity
```

Azure - Signinlogs

```yaml
logsource:
  product: azure
  service: signinlogs
```

Cisco - Aaa - Accounting

```yaml
logsource:
  category: accounting
  product: cisco
  service: aaa
```

DNS

```yaml
logsource:
  category: dns
```

Django - Application

```yaml
logsource:
  category: application
  product: django
```

Firewall

```yaml
logsource:
  category: firewall
```

Google Cloud Platform - Google Cloud Platform.Audit

```yaml
logsource:
  product: gcp
  service: gcp.audit
```

Google Workspace - Google Workspace.Admin

```yaml
logsource:
  product: google_workspace
  service: google_workspace.admin
```

Linux

```yaml
logsource:
  product: linux
```

Linux - Auditd

```yaml
logsource:
  product: linux
  service: auditd
```

Linux - Auth

```yaml
logsource:
  product: linux
  service: auth
```

Linux - Clamav

```yaml
logsource:
  product: linux
  service: clamav
```

Linux - Cron

```yaml
logsource:
  product: linux
  service: cron
```

Linux - File Event

```yaml
logsource:
  product: linux
  category: file_event
```

Linux - Guacamole

```yaml
logsource:
  product: linux
  service: guacamole
```

Linux - Modsecurity

```yaml
logsource:
  product: linux
  service: modsecurity
```

Linux - Network Connection

```yaml
logsource:
  category: network_connection
  product: linux
```

Linux - Process Creation

```yaml
logsource:
  category: process_creation
  product: linux
```

Linux - Sshd

```yaml
logsource:
  product: linux
  service: sshd
```

Linux - Sudo

```yaml
logsource:
  product: linux
  service: sudo
```

Linux - Syslog

```yaml
logsource:
  product: linux
  service: syslog
```

Linux - Vsftpd

```yaml
logsource:
  product: linux
  service: vsftpd
```

Microsoft 365 - Exchange

```yaml
logsource:
  product: m365
  service: exchange
```

Microsoft 365 - Threat Detection

```yaml
logsource:
  product: m365
  service: threat_detection
```

Microsoft 365 - Threat Management

```yaml
logsource:
  product: m365
  service: threat_management
```

Microsoft 365 Portal - Auditlogs

```yaml
logsource:
  product: microsoft365portal
  service: auditlogs
```

Netflow

```yaml
logsource:
  service: netflow
```

Okta - Okta

```yaml
logsource:
  product: okta
  service: okta
```

OneLogin - OneLogin.Events

```yaml
logsource:
  product: onelogin
  service: onelogin.events
```

Proxy

```yaml
logsource:
  category: proxy
```

Python - Application

```yaml
logsource:
  category: application
  product: python
```

Qualys

```yaml
logsource:
  product: qualys
```

Rpc Firewall - Application

```yaml
logsource:
  category: application
  product: rpc_firewall
```

Ruby On Rails - Application

```yaml
logsource:
  category: application
  product: ruby_on_rails
```

SQL - Application

```yaml
logsource:
  category: application
  product: sql
```

Spring - Application

```yaml
logsource:
  category: application
  product: spring
```

Webserver

```yaml
logsource:
  category: webserver
```

Windows

```yaml
logsource:
  product: windows
```

Windows - Application

```yaml
logsource:
  product: windows
  service: application
```

Windows - Applocker

```yaml
logsource:
  product: windows
  service: applocker
```

Windows - Bits Client

```yaml
logsource:
  product: windows
  service: bits-client
```

Windows - Codeintegrity Operational

```yaml
logsource:
  product: windows
  service: codeintegrity-operational
```

Windows - Create Remote Thread

```yaml
logsource:
  category: create_remote_thread
  product: windows
```

Windows - Create Stream Hash

```yaml
logsource:
  category: create_stream_hash
  product: windows
```

Windows - DNS Query

```yaml
logsource:
  category: dns_query
  product: windows
```

Windows - DNS Server

```yaml
logsource:
  product: windows
  service: dns-server
```

Windows - Diagnosis Scripted

```yaml
logsource:
  product: windows
  service: diagnosis-scripted
```

Windows - Driver Framework

```yaml
logsource:
  product: windows
  service: driver-framework
```

Windows - Driver Load

```yaml
logsource:
  category: driver_load
  product: windows
```

Windows - File Access

```yaml
logsource:
  category: file_access
  product: windows
```

Windows - File Block

```yaml
logsource:
  category: file_block
  product: windows
```

Windows - File Change

```yaml
logsource:
  category: file_change
  product: windows
```

Windows - File Delete

```yaml
logsource:
  category: file_delete
  product: windows
```

Windows - File Event

```yaml
logsource:
  category: file_event
  product: windows
```

Windows - File Rename

```yaml
logsource:
  category: file_rename
  product: windows
```

Windows - Firewall As

```yaml
logsource:
  product: windows
  service: firewall-as
```

Windows - Image Load

```yaml
logsource:
  category: image_load
  product: windows
```

Windows - Ldap Debug

```yaml
logsource:
  product: windows
  service: ldap_debug
```

Windows - Microsoft Servicebus Client

```yaml
logsource:
  product: windows
  service: microsoft-servicebus-client
```

Windows - Msexchange Management

```yaml
logsource:
  product: windows
  service: msexchange-management
```

Windows - Network Connection

```yaml
logsource:
  category: network_connection
  product: windows
```

Windows - Ntlm

```yaml
logsource:
  product: windows
  service: ntlm
```

Windows - OpenSSH

```yaml
logsource:
  product: windows
  service: openssh
```

Windows - Pipe Created

```yaml
logsource:
  category: pipe_created
  product: windows
```

Windows - Powershell

```yaml
logsource:
  product: windows
  service: powershell
```

Windows - Powershell Classic

```yaml
logsource:
  product: windows
  service: powershell-classic
```

Windows - Powershell Classic Provider Start

```yaml
logsource:
  category: ps_classic_provider_start
  product: windows
```

Windows - Powershell Classic Start

```yaml
logsource:
  category: ps_classic_start
  product: windows
```

Windows - Powershell Module

```yaml
logsource:
  category: ps_module
  product: windows
```

Windows - Powershell Script

```yaml
logsource:
  category: ps_script
  product: windows
```

Windows - Printservice Admin

```yaml
logsource:
  product: windows
  service: printservice-admin
```

Windows - Printservice Operational

```yaml
logsource:
  product: windows
  service: printservice-operational
```

Windows - Process Access

```yaml
logsource:
  category: process_access
  product: windows
```

Windows - Process Creation

```yaml
logsource:
  category: process_creation
  product: windows
```

Windows - Process Tampering

```yaml
logsource:
  category: process_tampering
  product: windows
```

Windows - Raw Access Thread

```yaml
logsource:
  category: raw_access_thread
  product: windows
```

Windows - Registry Add

```yaml
logsource:
  category: registry_add
  product: windows
```

Windows - Registry Delete

```yaml
logsource:
  category: registry_delete
  product: windows
```

Windows - Registry Event

```yaml
logsource:
  category: registry_event
  product: windows
```

Windows - Registry Set

```yaml
logsource:
  category: registry_set
  product: windows
```

Windows - Security

```yaml
logsource:
  product: windows
  service: security
```

Windows - Security

```yaml
logsource:
  category: security
  product: windows
```

Windows - Security Mitigations

```yaml
logsource:
  product: windows
  service: security-mitigations
```

Windows - Shell Core

```yaml
logsource:
  product: windows
  service: shell-core
```

Windows - Smbclient Security

```yaml
logsource:
  product: windows
  service: smbclient-security
```

Windows - Sysmon

```yaml
logsource:
  product: windows
  service: sysmon
```

Windows - Sysmon Error

```yaml
logsource:
  category: sysmon_error
  product: windows
```

Windows - Sysmon Status

```yaml
logsource:
  category: sysmon_status
  product: windows
```

Windows - System

```yaml
logsource:
  product: windows
  service: system
```

Windows - System

```yaml
logsource:
  category: system
  product: windows
```

Windows - Taskscheduler

```yaml
logsource:
  product: windows
  service: taskscheduler
```

Windows - Terminalservices Localsessionmanager

```yaml
logsource:
  product: windows
  service: terminalservices-localsessionmanager
```

Windows - WMI

```yaml
logsource:
  product: windows
  service: wmi
```

Windows - WMI Event

```yaml
logsource:
  category: wmi_event
  product: windows
```

Windows - Webserver

```yaml
logsource:
  category: webserver
  product: windows
```

Windows - Windefend

```yaml
logsource:
  product: windows
  service: windefend
```

Zeek - DNS

```yaml
logsource:
  product: zeek
  service: dns
```

Zeek - Dce Rpc

```yaml
logsource:
  product: zeek
  service: dce_rpc
```

Zeek - Http

```yaml
logsource:
  product: zeek
  service: http
```

Zeek - Kerberos

```yaml
logsource:
  product: zeek
  service: kerberos
```

Zeek - RDP

```yaml
logsource:
  product: zeek
  service: rdp
```

Zeek - Smb Files

```yaml
logsource:
  product: zeek
  service: smb_files
```

Zeek - X509

```yaml
logsource:
  product: zeek
  service: x509
```

macOS - File Event

```yaml
logsource:
  category: file_event
  product: macos
```

macOS - Process Creation

```yaml
logsource:
  category: process_creation
  product: macos
```

Custom Logsources

Sigma does not restrict what a logsource can be defined as, meaning you can use Sigma for just about any kind of logsource within your SIEM.

With the use of Pipelines, you can specify granular field-mapping and logsource-mapping to ensure that your Sigma rules are correct right after the conversion process.

Pipelines: Start to write your own Sigma conversion logic.

You can also see a basic example of logsource and field-mapping within the Getting Started page.