Logsources
For each Sigma rule to be effective at detection, it is important to identify what type of logs your SIEM is required to search over. This is important not only for efficiency of detections, but also for ensuring detection is happening against the correct set of fields and values applied.
Each logsource definition within a Sigma rule is made up of three separate fields. These fields, when used in combination, define a given logsource.
category
product
service
Each Sigma logsource is then usually (depending on your SIEM) prepended to the start of a detection query, in order for that query to target only those specific set of logs relevant to that detection. See this example below:
Logsource Basics
Before Sigma queries can be used effectively within an organization's SIEM or Alerting tooling, it's important to identify whether the detection can search over the appropriate types of logs that the Sigma detection requires.
Because each logsource will look fairly similar – especially in Sigma rules targeting Microsoft Windows™ domain – it's important to know when Sigma rules will match again a logsource, as any mismatches in logsource can render the detection ineffective.
Sigma Specification for Logsources
The Sigma Specification repository outlines a standard set of logsources, that is supported across the community in the Sigma rule collection.
Logsource Types
The category
value is used to select all log files written by a certain group of products, like firewalls or web server logs.
The product
value is used to select all log outputs of a certain product. For example, all Windows Eventlog types including "Security", "System", "Application" and the new log types like "AppLocker" and "Windows Defender".
Use the service
value to select only a subset of a product's logs, like the "sshd" on Linux or the "Security" Eventlog on Windows systems.
Definition Field
You may also see a definition
field within logsource description. This can also provide more information about how to onboard the log data source correctly, and doesn't get included when completing logsource matching.
tags:
- attack.privilege_escalation
- attack.t1548
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains: 'Invoke-Nightmare'
Available Logsources
Standard Logsources
Below is a list of standard Sigma logsources. These are the logsources used within the sigma/rules repository.
AWS - Cloudtrail
awscloudtraillogsource:
product: aws
service: cloudtrail
Antivirus
antiviruslogsource:
category: antivirus
Apache
apachelogsource:
service: apache
Azure - Activity Logs
activityactivitylogsazurelogslogsource:
product: azure
service: activitylogs
Azure - Auditlogs
auditlogsazurelogsource:
product: azure
service: auditlogs
Azure - Azure Activity
activityazureazureactivitylogsource:
product: azure
service: azureactivity
Azure - Signinlogs
azuresigninlogslogsource:
product: azure
service: signinlogs
Cisco - Aaa - Accounting
aaaaccountingciscologsource:
category: accounting
product: cisco
service: aaa
DNS
dnslogsource:
category: dns
Django - Application
applicationdjangologsource:
category: application
product: django
Firewall
firewalllogsource:
category: firewall
Google Cloud Platform - Google Cloud Platform.Audit
cloudgcpgcp.auditgoogleplatformplatform.auditlogsource:
product: gcp
service: gcp.audit
Google Workspace - Google Workspace.Admin
googlegoogle_workspacegoogle_workspace.adminworkspaceworkspace.adminlogsource:
product: google_workspace
service: google_workspace.admin
Linux
linuxlogsource:
product: linux
Linux - Auditd
auditdlinuxlogsource:
product: linux
service: auditd
Linux - Auth
authlinuxlogsource:
product: linux
service: auth
Linux - Clamav
clamavlinuxlogsource:
product: linux
service: clamav
Linux - Cron
cronlinuxlogsource:
product: linux
service: cron
Linux - File Event
eventfilefile_eventlinuxlogsource:
product: linux
category: file_event
Linux - Guacamole
guacamolelinuxlogsource:
product: linux
service: guacamole
Linux - Modsecurity
linuxmodsecuritylogsource:
product: linux
service: modsecurity
Linux - Network Connection
connectionlinuxnetworknetwork_connectionlogsource:
category: network_connection
product: linux
Linux - Process Creation
creationlinuxprocessprocess_creationlogsource:
category: process_creation
product: linux
Linux - Sshd
linuxsshdlogsource:
product: linux
service: sshd
Linux - Sudo
linuxsudologsource:
product: linux
service: sudo
Linux - Syslog
linuxsysloglogsource:
product: linux
service: syslog
Linux - Vsftpd
linuxvsftpdlogsource:
product: linux
service: vsftpd
Microsoft 365 - Exchange
365exchangem365microsoftlogsource:
product: m365
service: exchange
Microsoft 365 - Threat Detection
365detectionm365microsoftthreatthreat_detectionlogsource:
product: m365
service: threat_detection
Microsoft 365 - Threat Management
365m365managementmicrosoftthreatthreat_managementlogsource:
product: m365
service: threat_management
Microsoft 365 Portal - Auditlogs
365auditlogsmicrosoftmicrosoft365portalportallogsource:
product: microsoft365portal
service: auditlogs
Netflow
netflowlogsource:
service: netflow
Okta - Okta
oktalogsource:
product: okta
service: okta
OneLogin - OneLogin.Events
oneloginonelogin.eventslogsource:
product: onelogin
service: onelogin.events
Proxy
proxylogsource:
category: proxy
Python - Application
applicationpythonlogsource:
category: application
product: python
Qualys
qualyslogsource:
product: qualys
Rpc Firewall - Application
applicationfirewallrpcrpc_firewalllogsource:
category: application
product: rpc_firewall
Ruby On Rails - Application
applicationonrailsrubyruby_on_railslogsource:
category: application
product: ruby_on_rails
SQL - Application
applicationsqllogsource:
category: application
product: sql
Spring - Application
applicationspringlogsource:
category: application
product: spring
Webserver
webserverlogsource:
category: webserver
Windows
windowslogsource:
product: windows
Windows - Application
applicationwindowslogsource:
product: windows
service: application
Windows - Applocker
applockerwindowslogsource:
product: windows
service: applocker
Windows - Bits Client
bitsbits-clientclientwindowslogsource:
product: windows
service: bits-client
Windows - Codeintegrity Operational
codeintegritycodeintegrity-operationaloperationalwindowslogsource:
product: windows
service: codeintegrity-operational
Windows - Create Remote Thread
createcreate_remote_threadremotethreadwindowslogsource:
category: create_remote_thread
product: windows
Windows - Create Stream Hash
createcreate_stream_hashhashstreamwindowslogsource:
category: create_stream_hash
product: windows
Windows - DNS Query
dnsdns_queryquerywindowslogsource:
category: dns_query
product: windows
Windows - DNS Server
dnsdns-serverserverwindowslogsource:
product: windows
service: dns-server
Windows - Diagnosis Scripted
diagnosisdiagnosis-scriptedscriptedwindowslogsource:
product: windows
service: diagnosis-scripted
Windows - Driver Framework
driverdriver-frameworkframeworkwindowslogsource:
product: windows
service: driver-framework
Windows - Driver Load
driverdriver_loadloadwindowslogsource:
category: driver_load
product: windows
Windows - File Access
accessfilefile_accesswindowslogsource:
category: file_access
product: windows
Windows - File Block
blockfilefile_blockwindowslogsource:
category: file_block
product: windows
Windows - File Change
changefilefile_changewindowslogsource:
category: file_change
product: windows
Windows - File Delete
deletefilefile_deletewindowslogsource:
category: file_delete
product: windows
Windows - File Event
eventfilefile_eventwindowslogsource:
category: file_event
product: windows
Windows - File Rename
filefile_renamerenamewindowslogsource:
category: file_rename
product: windows
Windows - Firewall As
asfirewallfirewall-aswindowslogsource:
product: windows
service: firewall-as
Windows - Image Load
imageimage_loadloadwindowslogsource:
category: image_load
product: windows
Windows - Ldap Debug
debugldapldap_debugwindowslogsource:
product: windows
service: ldap_debug
Windows - Microsoft Servicebus Client
clientmicrosoftmicrosoft-servicebus-clientservicebuswindowslogsource:
product: windows
service: microsoft-servicebus-client
Windows - Msexchange Management
managementmsexchangemsexchange-managementwindowslogsource:
product: windows
service: msexchange-management
Windows - Network Connection
connectionnetworknetwork_connectionwindowslogsource:
category: network_connection
product: windows
Windows - Ntlm
ntlmwindowslogsource:
product: windows
service: ntlm
Windows - OpenSSH
opensshwindowslogsource:
product: windows
service: openssh
Windows - Pipe Created
createdpipepipe_createdwindowslogsource:
category: pipe_created
product: windows
Windows - Powershell
powershellwindowslogsource:
product: windows
service: powershell
Windows - Powershell Classic
classicpowershellpowershell-classicwindowslogsource:
product: windows
service: powershell-classic
Windows - Powershell Classic Provider Start
classicpowershellproviderps_classic_provider_startstartwindowslogsource:
category: ps_classic_provider_start
product: windows
Windows - Powershell Classic Start
classicpowershellps_classic_startstartwindowslogsource:
category: ps_classic_start
product: windows
Windows - Powershell Module
modulepowershellps_modulewindowslogsource:
category: ps_module
product: windows
Windows - Powershell Script
powershellps_scriptscriptwindowslogsource:
category: ps_script
product: windows
Windows - Printservice Admin
adminprintserviceprintservice-adminwindowslogsource:
product: windows
service: printservice-admin
Windows - Printservice Operational
operationalprintserviceprintservice-operationalwindowslogsource:
product: windows
service: printservice-operational
Windows - Process Access
accessprocessprocess_accesswindowslogsource:
category: process_access
product: windows
Windows - Process Creation
creationprocessprocess_creationwindowslogsource:
category: process_creation
product: windows
Windows - Process Tampering
processprocess_tamperingtamperingwindowslogsource:
category: process_tampering
product: windows
Windows - Raw Access Thread
accessrawraw_access_threadthreadwindowslogsource:
category: raw_access_thread
product: windows
Windows - Registry Add
addregistryregistry_addwindowslogsource:
category: registry_add
product: windows
Windows - Registry Delete
deleteregistryregistry_deletewindowslogsource:
category: registry_delete
product: windows
Windows - Registry Event
eventregistryregistry_eventwindowslogsource:
category: registry_event
product: windows
Windows - Registry Set
registryregistry_setsetwindowslogsource:
category: registry_set
product: windows
Windows - Security
securitywindowslogsource:
product: windows
service: security
Windows - Security
securitywindowslogsource:
category: security
product: windows
Windows - Security Mitigations
mitigationssecuritysecurity-mitigationswindowslogsource:
product: windows
service: security-mitigations
Windows - Shell Core
coreshellshell-corewindowslogsource:
product: windows
service: shell-core
Windows - Smbclient Security
securitysmbclientsmbclient-securitywindowslogsource:
product: windows
service: smbclient-security
Windows - Sysmon
sysmonwindowslogsource:
product: windows
service: sysmon
Windows - Sysmon Error
errorsysmonsysmon_errorwindowslogsource:
category: sysmon_error
product: windows
Windows - Sysmon Status
statussysmonsysmon_statuswindowslogsource:
category: sysmon_status
product: windows
Windows - System
systemwindowslogsource:
product: windows
service: system
Windows - System
systemwindowslogsource:
category: system
product: windows
Windows - Taskscheduler
taskschedulerwindowslogsource:
product: windows
service: taskscheduler
Windows - Terminalservices Localsessionmanager
localsessionmanagerterminalservicesterminalservices-localsessionmanagerwindowslogsource:
product: windows
service: terminalservices-localsessionmanager
Windows - WMI
windowswmilogsource:
product: windows
service: wmi
Windows - WMI Event
eventwindowswmiwmi_eventlogsource:
category: wmi_event
product: windows
Windows - Webserver
webserverwindowslogsource:
category: webserver
product: windows
Windows - Windefend
windefendwindowslogsource:
product: windows
service: windefend
Zeek - DNS
dnszeeklogsource:
product: zeek
service: dns
Zeek - Dce Rpc
dcedce_rpcrpczeeklogsource:
product: zeek
service: dce_rpc
Zeek - Http
httpzeeklogsource:
product: zeek
service: http
Zeek - Kerberos
kerberoszeeklogsource:
product: zeek
service: kerberos
Zeek - RDP
rdpzeeklogsource:
product: zeek
service: rdp
Zeek - Smb Files
filessmbsmb_fileszeeklogsource:
product: zeek
service: smb_files
Zeek - X509
x509zeeklogsource:
product: zeek
service: x509
macOS - File Event
eventfilefile_eventmacoslogsource:
category: file_event
product: macos
macOS - Process Creation
creationmacosprocessprocess_creationlogsource:
category: process_creation
product: macos
Custom Logsources
Sigma does not restrict what a Sigma logsource can be defined as, meaning you can use Sigma for just about any kind of logsource within your SIEM.
With the use of Pipelines, you can specify granular field-mapping, and logsource-mapping to ensure that your Sigma rules are correct right after the conversion process.
You can also see a basic example of logsource and field-mapping within the Getting Started page.