Sigma Rules 101: Defining the Logsource (Part 2)

  • category: used to select all logs written by a certain group of products, like firewall or web server logs.
  • e.g. firewall, web, antivirus
  • product: used to select all log outputs of a certain product, e.g. all Windows Eventlog types including “Security”, “System”, “Application” and the newer log types like “AppLocker” and “Windows Defender”.
  • e.g. windows, apache, check point fw1
  • service: used to select only a subset of a product’s logs, like “sshd” on Linux or the “Security” Eventlog on Windows systems.
  • e.g. sshd, applocker
```yaml
logsource:
    product: windows
    service: powershell
    definition: Standard Windows logging
```

```yaml
logsource:
    product: windows
    category: process_creation
    definition: Standard Windows logging
```
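The practical consequence of the three keys is that a backend has to resolve the abstract logsource into concrete channels and event IDs before any detection field is evaluated: a `category: process_creation` rule is meant to fire on Sysmon Event ID 1 as well as Security Event ID 4688, while `service: powershell` narrows the same product to one channel. The following is an added example (not code from the article or from the Sigma project) that parses the two logsource blocks above with a minimal line-based reader (so it needs no PyYAML), resolves them through an illustrative mapping table, and routes constructed sample events to the rule whose logsource is in scope. The mapping table, the helper names and the sample events are assumptions made for this example; a real Sigma backend takes the mapping from its configuration file.

```python
"""Resolve Sigma logsource blocks to concrete Windows event sources.

Added example, not code from the original article or from the Sigma project.
The two rule snippets reuse the article's logsource blocks; the mapping table,
helper names and sample events are constructed for this example.
"""
from typing import Dict, List, Tuple

# The article's two logsource blocks, embedded in minimal rule skeletons.
RULE_POWERSHELL = """\
title: Example PowerShell rule
logsource:
    product: windows
    service: powershell
    definition: Standard Windows logging
detection:
    condition: selection
"""

RULE_PROCESS_CREATION = """\
title: Example process creation rule
logsource:
    product: windows
    category: process_creation
    definition: Standard Windows logging
detection:
    condition: selection
"""


def parse_logsource(rule_text: str) -> Dict[str, str]:
    """Extract the key/value pairs under 'logsource:' from a Sigma rule.

    Line-based reader for the flat 'key: value' lines a logsource block
    consists of; it stops at the next top-level key (e.g. 'detection:').
    """
    fields: Dict[str, str] = {}
    in_block = False
    for raw in rule_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[:1].isspace():            # top-level key: enter/leave the block
            in_block = raw.strip() == "logsource:"
            continue
        if in_block and ":" in raw:
            key, _, value = raw.strip().partition(":")
            fields[key.strip()] = value.strip()
    return fields


# Illustrative backend mapping (assumption): (product, category, service)
# -> list of (channel, event IDs). Sysmon EID 1 and Security EID 4688 are the
# usual targets for process_creation; 4103/4104 for the PowerShell service.
LOGSOURCE_MAP: Dict[Tuple[str, str, str], List[Tuple[str, Tuple[int, ...]]]] = {
    ("windows", "process_creation", ""): [
        ("Microsoft-Windows-Sysmon/Operational", (1,)),
        ("Security", (4688,)),
    ],
    ("windows", "", "powershell"): [
        ("Microsoft-Windows-PowerShell/Operational", (4103, 4104)),
    ],
}


def resolve(fields: Dict[str, str]) -> List[Tuple[str, Tuple[int, ...]]]:
    """Map an abstract logsource to concrete channels; fail loudly if unmapped."""
    key = (fields.get("product", ""), fields.get("category", ""), fields.get("service", ""))
    try:
        return LOGSOURCE_MAP[key]
    except KeyError:
        raise ValueError(f"no backend mapping for logsource {key}") from None


def event_in_scope(event: Dict[str, object], fields: Dict[str, str]) -> bool:
    """True if the event comes from a channel/EventID the logsource resolves to."""
    return any(
        event.get("Channel") == channel and event.get("EventID") in event_ids
        for channel, event_ids in resolve(fields)
    )


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe"},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "Invoke-Mimikatz"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 3},
]


def route(events: List[Dict[str, object]], rule_text: str) -> List[int]:
    """Return the indices of events that fall within the rule's logsource."""
    fields = parse_logsource(rule_text)
    return [i for i, event in enumerate(events) if event_in_scope(event, fields)]


if __name__ == "__main__":
    for name, rule in (("powershell", RULE_POWERSHELL), ("process_creation", RULE_PROCESS_CREATION)):
        print(name, parse_logsource(rule), "->", route(SAMPLE_EVENTS, rule))
```

Note that the `definition` key is parsed but never used for matching: it is documentation for the analyst (what logging must be enabled), not a selector. A logsource with no entry in the mapping raises instead of silently matching nothing, which is the failure mode to check for when a rule never fires after deployment.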

SIEM Rules!


Hi, my name’s Dave. I help to build product that make people go; “Wow! That’s cool”.

David G
