Knowledge Base
Reference documentation for Sigma detection engineering - log source taxonomy, detection language modifiers, and community rule conventions, all sourced from the SigmaHQ specification.
Logs new process creation events. The most widely used Sysmon category.
logsource:
  product: windows
  category: process_creation

Logs file creation time changes. Useful for detecting timestomping attacks.
logsource:
  product: windows
  category: file_change

Logs outbound TCP/UDP network connections made by processes.
logsource:
  product: windows
  category: network_connection

Logs process termination events.
logsource:
  product: windows
  category: process_termination

Logs when a driver is loaded. Critical for detecting vulnerable or malicious kernel drivers.
logsource:
  product: windows
  category: driver_load

Logs when a DLL or executable image is loaded into a process.
logsource:
  product: windows
  category: image_load

Logs when a process creates a thread in another process - a common injection technique.
logsource:
  product: windows
  category: create_remote_thread

Logs when a process reads the disk through raw access, a technique used to bypass file system filters.
logsource:
  product: windows
  category: raw_access_thread

Logs when a process opens another process, often used to detect credential dumping (e.g., LSASS access).
logsource:
  product: windows
  category: process_access

Logs when a new file is created on the filesystem.
logsource:
  product: windows
  category: file_event

Logs registry key and value operations. Covers Event IDs 12 (add/delete), 13 (set), 14 (rename).
logsource:
  product: windows
  category: registry_event

Logs when a named file stream is created. Used to detect ADS-based persistence.
logsource:
  product: windows
  category: create_stream_hash

Logs named pipe creation and connection events.
logsource:
  product: windows
  category: pipe_created

Logs WMI event filter registration and consumer binding - critical for detecting WMI persistence.
logsource:
  product: windows
  category: wmi_event

Logs DNS queries made by processes. Essential for C2 and DGA detection.
logsource:
  product: windows
  category: dns_query

Logs when a file is deleted - Sysmon archives a copy in the DeletedFiles directory.
logsource:
  product: windows
  category: file_delete

Logs clipboard content captured by processes.
logsource:
  product: windows
  category: clipboard_capture

Logs process hollowing, herpaderping, and similar process image tampering techniques.
logsource:
  product: windows
  category: process_tampering

Logs PowerShell script block execution. Essential for detecting obfuscated PowerShell execution.
logsource:
  product: windows
  category: ps_script

Logs PowerShell module loading events.
logsource:
  product: windows
  category: ps_module

Logs classic Windows PowerShell v2 pipeline execution.
logsource:
  product: windows
  category: ps_classic_script

Logs detected file deletions when Sysmon's file archiving is disabled.
logsource:
  product: windows
  category: file_delete_detected

Logs file read operations via the ETW kernel provider.
logsource:
  product: windows
  category: file_access

Logs file rename operations via the ETW kernel provider.
logsource:
  product: windows
  category: file_rename

Logs Sysmon service state changes and configuration updates.
logsource:
  product: windows
  category: sysmon_status

Windows Security audit log. Covers logons (4624/4625), privilege use, object access, and account management.
logsource:
  product: windows
  service: security

Windows System event log covering service installations, driver errors, and system-level events.
logsource:
  product: windows
  service: system

Generic Sysmon channel selector (use category-based logsources for specific event types).
logsource:
  product: windows
  service: sysmon

Windows PowerShell operational log - engine lifecycle, command execution, remoting.
logsource:
  product: windows
  service: powershell

Legacy Windows PowerShell v2 log. Use the ps_script/ps_module categories when possible.
logsource:
  product: windows
  service: powershell-classic

Windows Application event log for software-level events.
logsource:
  product: windows
  service: application

Windows Defender antivirus and antimalware detection events.
logsource:
  product: windows
  service: windefend

Windows Task Scheduler operational log - task creation, modification, execution.
logsource:
  product: windows
  service: taskscheduler

Windows Management Instrumentation activity log.
logsource:
  product: windows
  service: wmi

AppLocker allow/deny events for EXEs, DLLs, scripts, and packaged apps.
logsource:
  product: windows
  service: applocker

Windows Firewall with Advanced Security connection events.
logsource:
  product: windows
  service: firewall-as

Windows DNS Server query and response logging.
logsource:
  product: windows
  service: dns-server

Client-side DNS resolution events.
logsource:
  product: windows
  service: dns-client

NTLM authentication operational log - useful for Pass-the-Hash detection.
logsource:
  product: windows
  service: ntlm

Local Security Authority server operational log.
logsource:
  product: windows
  service: lsa-server

Cryptographic API 2 (CAPI2) certificate operations - certificate verification and chain building.
logsource:
  product: windows
  service: capi2

Background Intelligent Transfer Service - often abused for persistence and C2.
logsource:
  product: windows
  service: bits-client

Windows Defender exploit protection and security mitigation events.
logsource:
  product: windows
  service: security-mitigations

Windows OpenSSH server authentication and session log.
logsource:
  product: windows
  service: openssh

Microsoft Exchange Server management shell command audit log.
logsource:
  product: windows
  service: msexchange-management

Remote Desktop / Terminal Services local session manager events.
logsource:
  product: windows
  service: terminalservices-localsessionmanager

Windows Kernel Event Tracing provider events.
logsource:
  product: windows
  service: kernel-event-tracing

Windows Code Integrity driver/image verification failures - WHQL bypass detection.
logsource:
  product: windows
  service: codeintegrity-operational

Windows Print Spooler service operational log - used in PrintNightmare detection.
logsource:
  product: windows
  service: printservice-operational

BitLocker drive encryption management events.
logsource:
  product: windows
  service: bitlocker

Windows shell core operational events.
logsource:
  product: windows
  service: shell-core

SMB client security event log - access denied, signing errors.
logsource:
  product: windows
  service: smbclient-security

Microsoft IIS configuration operational events.
logsource:
  product: windows
  service: iis-configuration

Microsoft Defender for Endpoint (SENSE) operational events.
logsource:
  product: windows
  service: sense

Linux process creation via Sysmon for Linux (Event ID 1).
logsource:
  product: linux
  category: process_creation

Linux network connections via Sysmon for Linux (Event ID 3).
logsource:
  product: linux
  category: network_connection

Linux file creation events via Sysmon for Linux (Event ID 11).
logsource:
  product: linux
  category: file_event

Linux kernel audit subsystem log. Covers syscalls, file access, user auth, and more.
logsource:
  product: linux
  service: auditd

Linux authentication log. Covers SSH logins, sudo, PAM, and su events.
logsource:
  product: linux
  service: auth

OpenSSH server log - accepted/failed logins, key-based auth, tunnels.
logsource:
  product: linux
  service: sshd

Linux sudo command audit log - privilege escalation attempts.
logsource:
  product: linux
  service: sudo

Linux cron daemon log - scheduled job execution, new crontab entries.
logsource:
  product: linux
  service: cron

Generic Linux syslog. Catch-all for kernel, daemon, and application messages.
logsource:
  product: linux
  service: syslog

ClamAV open-source antivirus detection events on Linux.
logsource:
  product: linux
  service: clamav

Very Secure FTP Daemon log - FTP session and transfer events.
logsource:
  product: linux
  service: vsftpd

Apache Guacamole clientless remote desktop gateway session log.
logsource:
  product: linux
  service: guacamole

macOS process creation events.
logsource:
  product: macos
  category: process_creation

macOS file creation and modification events.
logsource:
  product: macos
  category: file_event

AWS API call audit log. Covers all AWS service API calls - IAM, EC2, S3, Lambda, and more.
logsource:
  product: aws
  service: cloudtrail

Azure subscription-level operations - resource management, policy events.
logsource:
  product: azure
  service: activitylogs

Azure Active Directory audit events - user creation, group changes, app registration.
logsource:
  product: azure
  service: auditlogs

Azure AD authentication events - successful and failed sign-ins, MFA challenges.
logsource:
  product: azure
  service: signinlogs

Azure AD Identity Protection risk detection events.
logsource:
  product: azure
  service: riskdetection

Azure Privileged Identity Management events - role activation and assignment.
logsource:
  product: azure
  service: pim

Google Cloud Platform audit log - admin activity, data access, system events.
logsource:
  product: gcp
  service: gcp.audit

Google Workspace (G Suite) admin audit log - org-wide settings, user management.
logsource:
  product: gcp
  service: google_workspace.admin

Microsoft 365 unified audit log - activity across Exchange, SharePoint, Teams, and more.
logsource:
  product: m365
  service: audit

Exchange Online mailbox audit and message tracking events.
logsource:
  product: m365
  service: exchange

Microsoft 365 Defender threat detection and incident events.
logsource:
  product: m365
  service: threat_detection

Microsoft 365 Defender threat management actions and policies.
logsource:
  product: m365
  service: threat_management

Okta identity platform system log - authentication, authorization, lifecycle events.
logsource:
  product: okta
  service: okta

GitHub organization-level audit log - repo creation, team changes, secret scanning.
logsource:
  product: github
  service: audit

Atlassian Bitbucket organization audit log.
logsource:
  product: bitbucket
  service: audit

Cisco Duo Security MFA authentication and admin events.
logsource:
  product: cisco
  service: duo

OneLogin identity provider event log.
logsource:
  product: onelogin
  service: onelogin.events

Zeek network sensor HTTP connection log.
logsource:
  product: zeek
  service: http

Zeek network sensor DNS query and response log.
logsource:
  product: zeek
  service: dns

Zeek network sensor Kerberos authentication log - AS-REQ, TGS-REQ.
logsource:
  product: zeek
  service: kerberos

Zeek RDP (Remote Desktop Protocol) connection log.
logsource:
  product: zeek
  service: rdp

Zeek SMB (Server Message Block) file operations log.
logsource:
  product: zeek
  service: smb_files

Zeek DCE/RPC (Distributed Computing Environment / Remote Procedure Call) log - common for lateral movement.
logsource:
  product: zeek
  service: dce_rpc

Zeek TLS certificate inspection log.
logsource:
  product: zeek
  service: x509

Cisco Authentication, Authorization, and Accounting (AAA) log.
logsource:
  product: cisco
  service: aaa

Cisco router BGP (Border Gateway Protocol) events.
logsource:
  product: cisco
  service: bgp

Generic network connection events. Technology-agnostic firewall/flow log source.
logsource:
  category: network
  service: connection

Generic DNS query events. Technology-agnostic DNS log source.
logsource:
  category: network
  service: dns

Django Python web framework application log. Keyword-based rules.
logsource:
  product: django
  category: application

Generic Python application/runtime log. Keyword-based rules.
logsource:
  product: python
  category: application

RPCFW (RPC Firewall) application log for Windows RPC call monitoring.
logsource:
  product: rpc_firewall
  category: application

Ruby on Rails web framework application log. Keyword-based rules.
logsource:
  product: ruby_on_rails
  category: application

Java Spring Framework application log. Keyword-based rules.
logsource:
  product: spring
  category: application

SQL query audit log (DROP, SELECT, …). Covers various SQL database systems.
logsource:
  product: sql
  category: application

Apache httpd error.log and access.log.
logsource:
  service: apache

ModSecurity Web Application Firewall detection and audit log.
logsource:
  product: modsecurity

Generic antivirus detection message. Vendor-neutral - format depends on the AV product.
logsource:
  category: antivirus

Generic SQL query log (DROP, SELECT, …). Vendor-neutral database log source.
logsource:
  category: database

Generic DNS query/response log. Vendor-neutral - matches any DNS data source.
logsource:
  category: dns

Generic firewall allow/deny log. Vendor-neutral network perimeter log source.
logsource:
  category: firewall

Generic web proxy log. Uses W3C Extended Log Format field names.
logsource:
  category: proxy

Generic web server access log. Vendor-neutral - IIS, Apache, nginx, etc.
logsource:
  category: webserver