2025-11-29 17:51:02 +08:00

Sigma Log Source Reference

Log Source Categories

process_creation

Description: Process creation/execution events

Common Products: Windows (Sysmon Event ID 1), Linux (auditd), EDR platforms

Key Fields:

  • Image - Full path to executable
  • CommandLine - Full command line with arguments
  • ParentImage - Parent process executable path
  • ParentCommandLine - Parent process command line
  • User - User account that created process
  • IntegrityLevel - Process integrity level (Windows)
  • Hashes - File hashes (MD5, SHA256)

Example:

logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: '-enc'

network_connection

Description: Network connection events

Common Products: Sysmon Event ID 3, Firewall logs, EDR

Key Fields:

  • Image - Process making connection
  • DestinationIp - Remote IP address
  • DestinationPort - Remote port
  • DestinationHostname - Remote hostname
  • SourceIp - Local IP address
  • SourcePort - Local port
  • Initiated - true if the process initiated the connection (outbound), false if it accepted it (inbound)

Example:

logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort: 4444

file_event

Description: File creation, modification, deletion

Common Products: Sysmon Events 11/23, File integrity monitoring

Key Fields:

  • Image - Process creating/modifying file
  • TargetFilename - File path
  • CreationUtcTime - File creation time

Example:

logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\Windows\Temp\'
        TargetFilename|endswith: '.exe'

registry_event

Description: Registry key/value modifications

Common Products: Sysmon Events 12/13/14, Windows Event Logs

Key Fields:

  • TargetObject - Registry key path
  • Details - Registry value data
  • EventType - SetValue, CreateKey, DeleteKey

Example:

logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\CurrentVersion\Run'

image_load

Description: DLL/image load events

Common Products: Sysmon Event ID 7

Key Fields:

  • Image - Process loading the image
  • ImageLoaded - Path to loaded DLL/image
  • Signed - Digital signature status

Example:

logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\evil.dll'
        Signed: 'false'

dns_query

Description: DNS query events

Common Products: Sysmon Event ID 22, DNS server logs, proxy logs

Key Fields:

  • QueryName - DNS name queried
  • QueryResults - DNS response IPs
  • Image - Process making query

Example:

logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith: '.onion'

web_request

Description: HTTP/HTTPS requests

Common Products: Proxy logs, web server logs, WAF

Key Fields:

  • c-uri - Requested URI
  • c-useragent - User agent string
  • cs-method - HTTP method
  • sc-status - HTTP status code

authentication

Description: Authentication events (success/failure)

Common Products: Windows Security Events 4624/4625, Linux auth.log

Key Fields:

  • EventID - 4624 (success), 4625 (failure), 4768 (Kerberos)
  • LogonType - Type of logon (2=Interactive, 3=Network, 10=RemoteInteractive)
  • TargetUserName - Account being authenticated
  • WorkstationName - Source workstation
  • IpAddress - Source IP

Example:

logsource:
    category: authentication
    product: windows
detection:
    selection:
        EventID: 4625  # Failed logon

Products

Common product values:

  • windows - Windows OS
  • linux - Linux OS
  • macos - macOS
  • azure - Microsoft Azure
  • aws - Amazon Web Services
  • gcp - Google Cloud Platform
  • m365 - Microsoft 365
  • okta - Okta identity platform
  • firewall - Generic firewall
  • proxy - Web proxy

Service Definitions

For cloud services, set the service field alongside product:

logsource:
    product: azure
    service: azuread

Common services:

  • azuread - Azure Active Directory
  • azureactivity - Azure Activity Logs
  • cloudtrail - AWS CloudTrail
  • cloudwatch - AWS CloudWatch
  • gcp.audit - GCP Audit Logs

Field Naming Conventions

Sigma uses normalized field names:

Process Fields

  • Image - Full executable path
  • CommandLine - Command line arguments
  • ParentImage - Parent process path
  • User - Username
  • ProcessId - Process ID

Network Fields

  • SourceIp / DestinationIp
  • SourcePort / DestinationPort
  • Protocol - Network protocol

File Fields

  • TargetFilename - File path
  • SourceFilename - Original file location (for copies/moves)

Registry Fields

  • TargetObject - Registry key path
  • Details - Registry value data

Backend-Specific Mappings

Each backend maps these generic fields to product-specific field names:

Sigma Generic -> Splunk Sysmon:

  • Image -> Image
  • CommandLine -> CommandLine
  • ParentImage -> ParentImage

Sigma Generic -> Elasticsearch ECS:

  • Image -> process.executable
  • CommandLine -> process.command_line
  • ParentImage -> process.parent.executable

Log Source Discovery

To identify available log sources:

  1. Review SIEM data sources: Check what logs are ingested
  2. Verify field mappings: Ensure Sigma fields map correctly
  3. Test conversions: Convert sample rules and validate output
  4. Check coverage: Ensure critical log sources are available
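The field-mapping check in step 2 and the conversion test in step 3, together with the backend mapping tables above, as an added example (not pySigma or sigma-cli code). The mapping tables and the sample rule are constructed from this reference; `check_rule_fields` reports which generic fields a backend cannot translate, and `render_selection` refuses to drop them silently.

```python
# Added example (not pySigma/sigma-cli code): check a rule's detection
# fields against a backend table and render the mapped selection.
BACKEND_MAPPINGS = {  # constructed from the two tables above
    "splunk_sysmon": {"Image": "Image", "CommandLine": "CommandLine",
                      "ParentImage": "ParentImage"},
    "elastic_ecs": {"Image": "process.executable",
                    "CommandLine": "process.command_line",
                    "ParentImage": "process.parent.executable"},
}
# Constructed: the process_creation example above plus an unmapped field.
SAMPLE_RULE = {
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": "-enc",
                      "IntegrityLevel": "High"},
        "condition": "selection",
    },
}

def split_field(key):
    """'Image|endswith' -> ('Image', ['endswith']); 'User' -> ('User', [])."""
    name, *mods = key.split("|")
    return name, mods

def check_rule_fields(rule, backend):
    """(mapped, unmapped): fields the backend can translate, and those it cannot."""
    mapping = BACKEND_MAPPINGS[backend]
    mapped, unmapped = {}, []
    for block in rule["detection"].values():  # 'condition' is a str: skipped
        for key in (block if isinstance(block, dict) else ()):
            field, _ = split_field(key)
            if field in mapping:
                mapped[field] = mapping[field]
            elif field not in unmapped:
                unmapped.append(field)
    return mapped, unmapped

def render_selection(selection, backend):
    """Selection in backend names; endswith/contains/startswith become wildcards."""
    mapping = BACKEND_MAPPINGS[backend]  # unmapped field -> KeyError, never dropped
    terms = []
    for key, value in selection.items():
        field, mods = split_field(key)
        pre = "*" if {"endswith", "contains"} & set(mods) else ""
        post = "*" if {"startswith", "contains"} & set(mods) else ""
        terms.append(f'{mapping[field]}:"{pre}{value}{post}"')
    return " AND ".join(terms)
```

Extend BACKEND_MAPPINGS with the fields your SIEM actually exposes before running it against a rule set; every name in the unmapped list is a rule that will convert incorrectly or not at all.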

Resources