{ "title": "Field name by logsource", "version": "20251205", "legit":{ "windows":{ "common": ["EventID", "Provider_Name","Channel","Computer","Security_UserID"], "empty": [], "category":{ "process_creation": ["CommandLine", "Company", "CurrentDirectory", "Description", "FileVersion", "Hashes", "Image", "IntegrityLevel", "LogonGuid", "LogonId", "OriginalFileName", "ParentCommandLine", "ParentImage", "ParentProcessGuid", "ParentProcessId", "ParentUser", "ProcessGuid", "ProcessId", "Product", "TerminalSessionId", "User", "GrandParentImage"], "file_change": ["CreationUtcTime", "Image", "PreviousCreationUtcTime", "ProcessGuid", "ProcessId", "TargetFilename", "User"], "network_connection": ["DestinationHostname", "DestinationIp", "DestinationIsIpv6", "DestinationPort", "DestinationPortName", "Image", "Initiated", "ProcessGuid", "ProcessId", "Protocol", "SourceHostname", "SourceIp", "SourceIsIpv6", "SourcePort", "SourcePortName", "User", "ParentImage"], "sysmon_status": ["Configuration", "ConfigurationFileHash", "SchemaVersion", "State", "Version"], "process_termination":["Image", "ProcessGuid", "ProcessId", "User"], "driver_load":["Hashes", "ImageLoaded", "Signature", "SignatureStatus", "Signed"], "image_load":["Company", "Description", "FileVersion", "Hashes", "Image", "ImageLoaded", "OriginalFileName", "ProcessGuid", "ProcessId", "Product", "Signature", "SignatureStatus", "Signed", "User"], "create_remote_thread":["NewThreadId", "SourceImage", "SourceProcessGuid", "SourceProcessId", "SourceUser", "StartAddress", "StartFunction", "StartModule", "TargetImage", "TargetProcessGuid", "TargetProcessId", "TargetUser"], "raw_access_thread":["Device", "Image", "ProcessGuid", "ProcessId", "User"], "process_access":["CallTrace", "GrantedAccess", "SourceImage", "SourceProcessGUID", "SourceProcessId", "SourceThreadId", "SourceUser", "TargetImage", "TargetProcessGUID", "TargetProcessId", "TargetUser"], "raw_access_read":["CreationUtcTime", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], "file_event":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], "file_executable_detected":["ProcessGuid", "ProcessId", "Image", "TargetFilename", "Hashes", "User"], "registry_add":["EventType", "ProcessGuid", "ProcessId", "Image", "TargetObject", "User"], "registry_delete":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject"], "registry_set":["Details", "EventType", "Image", "ProcessGuid", "ProcessId", "TargetObject", "User"], "registry_rename":["EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], "registry_event":["Details", "EventType", "Image", "NewName", "ProcessGuid", "ProcessId", "TargetObject", "User"], "create_stream_hash":["Contents", "CreationUtcTime", "Hash", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], "pipe_created":["EventType", "Image", "PipeName", "ProcessGuid", "ProcessId", "User"], "wmi_event":["Consumer", "Destination", "EventNamespace", "EventType", "Filter", "Name", "Operation", "Query", "Type", "User"], "dns_query":["Image", "ProcessGuid", "ProcessId", "QueryName", "QueryResults", "QueryStatus", "User"], "file_delete":["Archived", "Hashes", "Image", "IsExecutable", "ProcessGuid", "ProcessId", "TargetFilename", "User"], "clipboard_capture":["Archived", "ClientInfo", "Hashes", "Image", "ProcessGuid", "ProcessId", "Session", "User"], "process_tampering":["Image", "ProcessGuid", "ProcessId", "Type", "User"], "file_block":["Hashes", "Image", "ProcessGuid", "ProcessId", "TargetFilename", "User"], "ps_module":["ContextInfo", "UserData", "Payload"], "ps_script":["MessageNumber", "MessageTotal", "ScriptBlockText", "ScriptBlockId", "Path"], "file_access":["Irp", "FileObject", "IssuingThreadId", "CreateOptions", "CreateAttributes", "ShareAccess", "FileName"], "file_rename":["Irp", "FileObject", "FileKey", "ExtraInformation", "IssuingThreadId", "InfoClass", "FilePath"], "ps_classic_start":[], "ps_classic_provider_start":[], "sysmon_error":[] }, "service":{ "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"], "bits-client":["RemoteName", "LocalName", "processPath", "processId"], "codeintegrity-operational":["FileNameLength", "FileNameBuffer", "ProcessNameLength", "ProcessNameBuffer", "RequestedPolicy", "ValidatedPolicy", "Status"], "diagnosis-scripted": ["PackagePath", "PackageId"], "firewall-as":["Action", "ApplicationPath", "ModifyingApplication"], "ldap":["ScopeOfSearch", "SearchFilter", "DistinguishedName", "AttributeList", "ProcessId"], "ntlm":["CallerPID", "ClientDomainName", "ClientLUID", "ClientUserName", "DomainName", "MechanismOID", "ProcessName", "SChannelName", "SChannelType", "TargetName", "UserName", "WorkstationName"], "openssh":["process", "payload"], "security-mitigations":["ProcessPathLength", "ProcessPath", "ProcessCommandLineLength", "ProcessCommandLine", "ProcessId", "ProcessCreateTime", "ProcessStartKey", "ProcessSignatureLevel", "ProcessSectionSignatureLevel", "ProcessProtection", "TargetThreadId", "TargetThreadCreateTime", "RequiredSignatureLevel", "SignatureLevel", "ImageNameLength", "ImageName"], "shell-core":["Name", "AppID", "Flags"], "smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName", "UserNameLength", "UserName", "ServerNameLength", "ServerName"], "smbclient-connectivity":[], "smbserver-connectivity":[], "taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"], "terminalservices-localsessionmanager":["User", "SessionID", "Address"], "iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", "cs-referer", "cs-cookie"], "application":[], "sysmon":[], "powershell":[], "powershell-classic":[], "security":[], "system":[], "windefend":[], "wmi":[], "microsoft-servicebus-client":[], "printservice-operational":[], "driver-framework":[], "dns-server-analytic":[], "dns-server":[], "printservice-admin":[], "msexchange-management":[], "applocker":[], "vhdmp":[], "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess","Flags", "HasFullTrust"], "appxpackaging-om":["subjectName"], "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"], "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"], "appmodel-runtime":["ProcessID", "PackageName", "ImageName", "ApplicationName", "Message"], "capi2":[], "certificateservicesclient-lifecycle-system":[], "iis-configuration":[ "PhysicalPath","ConfigPath","EffectiveLocationPath","Configuration","TokenCacheModule","EditOperationType","OldValue","NewValue"] } }, "linux":{ "common": [], "empty": [], "category":{ "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname", "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", "DestinationPortName"], "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], "sysmon_status": ["Configuration", "ConfigurationFileHash"], "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] }, "service":{ "auditd": ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "acct", "acl", "action", "added", "addr", "apparmor", "arch", "argc", "audit_backlog_limit", "audit_backlog_wait_time", "audit_enabled", "audit_failure", "auid", "banners", "bool", "bus", "cap_fe,cap_fi", "cap_fp", "cap_fver", "cap_pa", "cap_pe", "cap_pi", "cap_pp", "capability", "category", "cgroup", "changed", "cipher", "class", "cmd", "code", "comm", "compat", "cwd", "daddr", "data", "default-context", "dev", "dev", "device", "dir", "direction", "dmac", "dport", "egid", "enforcing", "entries", "errno", "euid", "exe", "exit", "fam", "family", "fd", "fe", "feature", "fi", "file", "flags", "format", "fp", "fsgid", "fsuid", "fver", "gid", "grantors", "grp", "hook", "hostname", "icmp_type", "id", "igid", "img-ctx", "inif", "ino", "inode", "inode_gid", "inode_uid", "invalid_context", "ioctlcmd", "ip", "ipid", "ipx-net", "item", "items", "iuid", "kernel", "key", "kind", "ksize", "laddr", "len", "list", "lport", "mac", "macproto", "maj", "major", "minor", "mode", "model", "msg", "name", "nametype", "nargs", "net", "new", "new_gid", "new_lock", "new_pe", "new_pi", "new_pp", "new-chardev", "new-disk", "new-enabled", "new-fs", "new-level", "new-log_passwd", "new-mem", "new-net", "new-range", "new-rng", "new-role", "new-seuser", "new-vcpu", "nlnk-fam", "nlnk-grp", "nlnk-pid", "oauid", "obj", "obj_gid", "obj_uid", "ocomm", "oflag", "ogid", "old", "old_enforcing", "old_lock", "old_pa", "old_pe", "old_pi", "old_pp", "old_prom", "old_val", "old-auid", "old-chardev", "old-disk", "old-enabled", "old-fs", "old-level", "old-log_passwd", "old-mem", "old-net", "old-range", "old-rng", "old-role", "old-ses", "old-seuser", "old-vcpu", "op", "opid", "oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer", "proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid", "scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid", "sport", "state", "subj", "success", "suid", "syscall", "SYSCALL", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user", "uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"], "vsftpd":[], "sshd":[], "syslog":[], "guacamole":[], "auth":[], "clamav":[], "modsecurity":[], "sudo":[], "cron":[] } }, "empty":{ "common": [], "empty": ["not_found"], "category":{ "proxy":["c-uri", "c-uri-extension", "c-uri-query", "c-uri-stem", "c-useragent", "cs-bytes", "cs-cookie", "cs-host", "cs-method", "cs-uri-stem", "r-dns", "cs-referrer", "cs-version", "sc-bytes", "sc-status", "src_ip", "dst_ip", "cs-uri"], "webserver":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port", "cs-method", "sc-status", "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "cs-version", "cs-host", "cs-user-agent", "cs-referer", "cs-cookie"], "antivirus":[], "database":[], "dns":[], "firewall":[] }, "service":{ "apache":[], "netflow":[], "nginx":[] } }, "cisco":{ "common": [], "empty": [], "category":{}, "service":{ "aaa":[], "bgp":[], "duo":[], "ldp":[], "syslog":[] } }, "fortigate":{ "common": [], "empty": [], "category":{}, "service":{ "event":["devname","devid","logid","type","subtype","level","vd","logdesc","user","ui","action","cfgtid","cfgpath","cfgobj","cfgattr","msg"] } }, "fortios":{ "common": [], "empty": [], "category":{}, "service":{ "sslvpnd": [] } }, "paloalto":{ "common": [], "empty": [], "category":{ "file_event": [] }, "service":{ "globalprotect": [] } }, "django":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "kubernetes":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{ "audit": [] } }, "python":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "qualys":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "rpc_firewall":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "ruby_on_rails":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "modsecurity":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "spring":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "sql":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "jvm":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "nodejs":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "opencanary":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "velocity":{ "common": [], "empty": [], "category":{ "application":[] }, "service":{} }, "aws":{ "common": [], "empty": [], "category":{}, "service":{ "cloudtrail":[] } }, "azure":{ "common": [], "empty": [], "category":{}, "service":{ "activitylogs":[], "auditlogs":[], "riskdetection":[], "pim":[], "signinlogs":[] } }, "gcp":{ "common": [], "empty": [], "category":{}, "service":{ "gcp.audit":[], "google_workspace.admin":[] } }, "github":{ "common": [], "empty": [], "category":{}, "service":{ "audit":[] } }, "bitbucket":{ "common": [], "empty": [], "category":{}, "service":{ "audit":[] } }, "m365":{ "common": [], "empty": [], "category":{}, "service":{ "audit":[], "exchange":[], "threat_detection":[], "threat_management":[] } }, "okta":{ "common": [], "empty": [], "category":{}, "service":{ "okta":[] } }, "onelogin":{ "common": [], "empty": [], "category":{}, "service":{ "onelogin.events":[] } }, "huawei":{ "common": [], "empty": [], "category":{}, "service":{ "bgp":[] } }, "juniper":{ "common": [], "empty": [], "category":{}, "service":{ "bgp":[] } }, "zeek":{ "common": [], "empty": [], "category":{ }, "service":{ "kerberos":[], "smb_files":[], "rdp":[], "http":[], "dns":[], "dce_rpc":[], "x509":[] } }, "macos":{ "common": [], "empty": [], "category":{ "process_creation": ["ProcessGuid", "ProcessId", "Image", "FileVersion", "Description", "Product", "Company", "OriginalFileName", "CommandLine", "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine", "ParentUser"], "network_connection": ["ProcessGuid", "ProcessId", "Image", "User", "Protocol", "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname", "SourcePort", "SourcePortName", "DestinationIsIpv6", "DestinationIp", "DestinationHostname", "DestinationPort", "DestinationPortName"], "process_termination": ["ProcessGuid", "ProcessId", "Image", "User"], "raw_access_read": ["ProcessGuid", "ProcessId", "Image", "Device", "User"], "file_event": ["ProcessGuid", "ProcessId", "Image", "TargetFilename", "CreationUtcTime", "User"], "sysmon_status": ["Configuration", "ConfigurationFileHash"], "file_delete": ["ProcessGuid", "ProcessId", "User", "Image", "TargetFilename", "Hashes", "IsExecutable", "Archived"] }, "service":{ } } }, "addon":{ "windows":{ "category":{ "process_creation": ["GrandparentCommandLine"], "network_connection": ["CommandLine", "ParentImage"], "create_remote_thread": ["User", "SourceCommandLine", "SourceParentProcessId", "SourceParentImage", "SourceParentCommandLine", "TargetCommandLine", "TargetParentProcessId", "TargetParentImage", "TargetParentCommandLine", "IsInitialThread", "RemoteCreation"], "file_delete": ["CommandLine", "ParentImage", "ParentCommandLine"], "file_event": ["CommandLine", "IntegrityLevel", "MagicHeader", "ParentCommandLine", "ParentImage"], "image_load": ["CommandLine"], "process_access": ["SourceCommandLine", "CallTraceExtended"], "file_access":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "TargetFilename"], "file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"] }, "service":{} }, "empty":{ "category":{ "webserver": ["cs-content-type"] }, "service":{} } } }