2025-11-29 17:51:02 +08:00
# Sigma Log Source Reference
## Log Source Categories
### process_creation
**Description**: Process creation/execution events
**Common Products**: Windows (Sysmon Event ID 1), Linux (auditd), EDR platforms
**Key Fields**:
- `Image` - Full path to executable
- `CommandLine` - Full command line with arguments
- `ParentImage` - Parent process executable path
- `ParentCommandLine` - Parent process command line
- `User` - User account that created process
- `IntegrityLevel` - Process integrity level (Windows)
- `Hashes` - File hashes (MD5, SHA256)
**Example**:
```yaml
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-enc'
  condition: selection
```
### network_connection
**Description**: Network connection events
**Common Products**: Sysmon Event ID 3, Firewall logs, EDR
**Key Fields**:
- `Image` - Process making connection
- `DestinationIp` - Remote IP address
- `DestinationPort` - Remote port
- `DestinationHostname` - Remote hostname
- `SourceIp` - Local IP address
- `SourcePort` - Local port
- `Initiated` - Connection initiated (true/false)
**Example**:
```yaml
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort: 4444
  condition: selection
```
### file_event
**Description**: File creation, modification, deletion
**Common Products**: Sysmon Event IDs 11/23, file integrity monitoring
**Key Fields**:
- `Image` - Process creating/modifying file
- `TargetFilename` - File path
- `CreationUtcTime` - File creation time
**Example**:
```yaml
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: '\Windows\Temp\'
    TargetFilename|endswith: '.exe'
  condition: selection
```
### registry_event
**Description**: Registry key/value modifications
**Common Products**: Sysmon Event IDs 12/13/14, Windows Event Logs
**Key Fields**:
- `TargetObject` - Registry key path
- `Details` - Registry value data
- `EventType` - SetValue, CreateKey, DeleteKey
**Example**:
```yaml
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    TargetObject|contains: '\CurrentVersion\Run'
  condition: selection
```
### image_load
**Description**: DLL/image load events
**Common Products**: Sysmon Event ID 7
**Key Fields**:
- `Image` - Process loading the image
- `ImageLoaded` - Path to loaded DLL/image
- `Signed` - Digital signature status
**Example**:
```yaml
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith: '\evil.dll'
    Signed: 'false'
  condition: selection
```
### dns_query
**Description**: DNS query events
**Common Products**: Sysmon Event ID 22, DNS server logs, proxy logs
**Key Fields**:
- `QueryName` - DNS name queried
- `QueryResults` - DNS response IPs
- `Image` - Process making query
**Example**:
```yaml
logsource:
  category: dns_query
  product: windows
detection:
  selection:
    QueryName|endswith: '.onion'
  condition: selection
```
### web_request
**Description**: HTTP/HTTPS requests
**Common Products**: Proxy logs, web server logs, WAF
**Key Fields**:
- `c-uri` - Requested URI
- `c-useragent` - User agent string
- `cs-method` - HTTP method
- `sc-status` - HTTP status code
### authentication
**Description**: Authentication events (success/failure)
**Common Products**: Windows Security Events 4624/4625, Linux auth.log
**Key Fields**:
- `EventID` - 4624 (success), 4625 (failure), 4768 (Kerberos)
- `LogonType` - Type of logon (2=Interactive, 3=Network, 10=RemoteInteractive)
- `TargetUserName` - Account being authenticated
- `WorkstationName` - Source workstation
- `IpAddress` - Source IP
**Example**:
```yaml
logsource:
  category: authentication
  product: windows
detection:
  selection:
    EventID: 4625 # Failed logon
  condition: selection
```
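To show what the `selection` blocks above actually do when a rule is evaluated, here is an added example (not part of this reference) that implements the matching semantics used on this page, the `contains`, `endswith` and `startswith` modifiers, plain equality, and AND across keys, and runs the page's process_creation, network_connection and dns_query selections over a handful of constructed events. The events are constructed for illustration and are not real telemetry; string comparison is case-insensitive, as in the Sigma specification.

```python
"""Evaluate Sigma-style selections against constructed events (added example)."""

# Constructed sample events using Sigma's generic field names (not real telemetry).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA", "User": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt", "User": "CORP\\alice"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": 4444},
    {"EventID": 22, "Image": r"C:\Program Files\Tor Browser\firefox.exe",
     "QueryName": "example3d.onion"},
]


def _as_str(value) -> str:
    # Sigma compares values case-insensitively and treats numbers as strings,
    # so an integer 4444 in the event matches the literal 4444 in the rule.
    return str(value).lower()


def match_value(event_value, modifiers, pattern) -> bool:
    """Apply one Sigma value match: exact match when no modifier is given,
    otherwise one of the modifiers used on this page."""
    ev, pat = _as_str(event_value), _as_str(pattern)
    if not modifiers:
        return ev == pat
    if len(modifiers) != 1:
        raise ValueError(f"chained modifiers not supported here: {modifiers}")
    mod = modifiers[0]
    if mod == "contains":
        return pat in ev
    if mod == "endswith":
        return ev.endswith(pat)
    if mod == "startswith":
        return ev.startswith(pat)
    raise ValueError(f"unsupported modifier: {mod}")


def match_selection(selection: dict, event: dict) -> bool:
    """Every key in a selection must match (AND). A list value is an OR over
    its entries. A field that is absent from the event never matches."""
    for key, pattern in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(match_value(event[field], modifiers, p) for p in patterns):
            return False
    return True


def matching_event_indexes(selection: dict, events=EVENTS) -> list:
    """Indexes of the events that satisfy `selection`."""
    return [i for i, e in enumerate(events) if match_selection(selection, e)]


# The three selections from the examples on this page, as Python dicts.
ENCODED_POWERSHELL = {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"}
PORT_4444_OUTBOUND = {"Initiated": "true", "DestinationPort": 4444}
ONION_LOOKUP = {"QueryName|endswith": ".onion"}

if __name__ == "__main__":
    for name, sel in [("encoded powershell", ENCODED_POWERSHELL),
                      ("port 4444 outbound", PORT_4444_OUTBOUND),
                      ("onion lookup", ONION_LOOKUP)]:
        print(f"{name}: matched events {matching_event_indexes(sel)}")
```

Each selection matches exactly one of the constructed events; the notepad event is the control that shows `endswith` on `Image` doing its job. Real rules also need the `condition` line to combine named selections, which this matcher leaves to the caller.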
## Products
Common product values:
- `windows` - Windows OS
- `linux` - Linux OS
- `macos` - macOS
- `azure` - Microsoft Azure
- `aws` - Amazon Web Services
- `gcp` - Google Cloud Platform
- `m365` - Microsoft 365
- `okta` - Okta identity platform
- `firewall` - Generic firewall
- `proxy` - Web proxy
## Service Definitions
For cloud services, identify the log source with the `service` field:
```yaml
logsource:
  product: azure
  service: azuread
```
Common services:
- `azuread` - Azure Active Directory
- `azureactivity` - Azure Activity Logs
- `cloudtrail` - AWS CloudTrail
- `cloudwatch` - AWS CloudWatch
- `gcp.audit` - GCP Audit Logs
## Field Naming Conventions
Sigma uses normalized field names:
### Process Fields
- `Image` - Full executable path
- `CommandLine` - Command line arguments
- `ParentImage` - Parent process path
- `User` - Username
- `ProcessId` - Process ID
### Network Fields
- `SourceIp` / `DestinationIp`
- `SourcePort` / `DestinationPort`
- `Protocol` - Network protocol
### File Fields
- `TargetFilename` - File path
- `SourceFilename` - Original file location (for copies/moves)
### Registry Fields
- `TargetObject` - Registry key path
- `Details` - Registry value data
## Backend-Specific Mappings
Each backend maps these generic fields to product-specific field names:
**Sigma Generic → Splunk Sysmon**:
- `Image` → `Image`
- `CommandLine` → `CommandLine`
- `ParentImage` → `ParentImage`
**Sigma Generic → Elasticsearch ECS**:
- `Image` → `process.executable`
- `CommandLine` → `process.command_line`
- `ParentImage` → `process.parent.executable`
## Log Source Discovery
To identify available log sources:
1. **Review SIEM data sources**: Check what logs are ingested
2. **Verify field mappings**: Ensure Sigma fields map correctly
3. **Test conversions**: Convert sample rules and validate output
4. **Check coverage**: Ensure critical log sources are available
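The mapping table above and steps 2 and 4 of the discovery procedure can be combined into one check: rewrite a rule's selection fields through the backend mapping, report any generic field with no mapping, and report any mapped field that the index does not actually contain. The following is an added example, not part of this reference or of any Sigma backend. The first three ECS rows are the ones listed on this page; the remaining rows (`user.name`, `destination.ip`, `destination.port`, `dns.question.name`) are assumed ECS names, and the ingested-field set and the sample rule are constructed for illustration.

```python
"""Verify that a Sigma rule's fields map to a backend schema (added example)."""

# Illustrative generic-to-ECS mapping. The first three rows come from this page;
# the rest are assumed ECS field names and should be confirmed against the
# actual index mapping before use.
ECS_MAPPING = {
    "Image": "process.executable",
    "CommandLine": "process.command_line",
    "ParentImage": "process.parent.executable",
    "User": "user.name",
    "DestinationIp": "destination.ip",
    "DestinationPort": "destination.port",
    "QueryName": "dns.question.name",
}

# Constructed stand-in for step 1 ("Review SIEM data sources"): the fields that
# are actually present in the index. user.name is deliberately absent.
INGESTED_FIELDS = {
    "process.executable", "process.command_line", "process.parent.executable",
    "destination.ip", "destination.port",
}


def split_modifier(key: str):
    """'Image|endswith' -> ('Image', ['endswith']); 'Image' -> ('Image', [])."""
    field, *mods = key.split("|")
    return field, mods


def translate_selection(selection: dict, mapping: dict):
    """Rewrite generic field names through `mapping`, keeping any modifiers.
    Returns (translated_selection, unmapped_generic_fields)."""
    translated, unmapped = {}, []
    for key, value in selection.items():
        field, mods = split_modifier(key)
        target = mapping.get(field)
        if target is None:
            unmapped.append(field)
            continue
        translated["|".join([target, *mods])] = value
    return translated, unmapped


def check_rule(rule: dict, mapping: dict, ingested: set) -> dict:
    """Coverage report for one rule: translated selections, generic fields with
    no backend mapping, and mapped fields missing from the index."""
    report = {"translated": {}, "unmapped": [], "not_ingested": []}
    for name, selection in rule["detection"].items():
        if name == "condition":  # the condition references selections, not fields
            continue
        translated, unmapped = translate_selection(selection, mapping)
        report["translated"][name] = translated
        report["unmapped"].extend(unmapped)
        for key in translated:
            target, _ = split_modifier(key)
            if target not in ingested:
                report["not_ingested"].append(target)
    report["ready"] = not report["unmapped"] and not report["not_ingested"]
    return report


# Constructed rule in the shape of this page's examples. IntegrityLevel has no
# entry in the illustrative mapping, so it should surface as unmapped.
SAMPLE_RULE = {
    "title": "Encoded PowerShell (constructed sample)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "-enc",
            "User|startswith": "CORP\\",
            "IntegrityLevel": "High",
        },
        "condition": "selection",
    },
}

if __name__ == "__main__":
    report = check_rule(SAMPLE_RULE, ECS_MAPPING, INGESTED_FIELDS)
    for name, sel in report["translated"].items():
        print(f"{name}: {sel}")
    print("unmapped generic fields:", report["unmapped"])
    print("mapped but not ingested:", report["not_ingested"])
    print("ready to deploy:", report["ready"])
```

Running this over a whole rule directory before conversion gives the per-field gap list that steps 2 and 4 ask for; a rule is only marked ready when every generic field both has a backend name and that name is present in the ingested data.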
## Resources
- [Sigma Log Sources](https://github.com/SigmaHQ/sigma/wiki/Log-Sources)
- [Sysmon Event IDs](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
- [Windows Security Events](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/)