Exploring Log Fields in Various Systems

This post is a continuation of my ongoing series on Log Analysis. See the initial post here.
Anticipating the essential log fields for different systems can be a strategic advantage, offering a blueprint for effective investigations. By understanding the potential log data a system could produce, one gains a roadmap to navigate through the information landscape. In this article, I’ve curated a selection of recurring log fields that transcend various systems. It’s worth noting that these fields might manifest across multiple logs rather than within a single log file.

Some log fields might seem inconsequential until they prove crucial during an investigation. Particularly for Security Information and Event Management (SIEM) engineers, capturing extensive log data is a valuable practice. The reservoir of data might hold answers when the need arises. Therefore, consider these fields not only as routine log entries but as pieces of a larger puzzle that might be instrumental in uncovering anomalies, breaches, or performance issues.

However, the world of logs is vast and intricate, evolving as systems grow more complex. This list is an evolving document. New systems, technologies, and insights will inevitably bring new dimensions to the log field landscape. As we continue to dive deeper into the intricacies of system investigation, this resource will remain open to additions and refinements.

The contents of this post are dynamic and will expand over time. Constructing such comprehensive lists demands substantial effort, as each system has its intricacies. As new insights emerge, this resource will continue to evolve. By sharing and accumulating knowledge, we empower one another in the realm of system investigation. Remember, an observant eye on log fields can often be the key to unlocking hidden narratives within the data.


Network Appliance Events

In the intricate realm of network events, an array of critical information often resides within network appliances. These devices, encompassing routers, firewalls, UTMs (Unified Threat Management), DNS servers, and more, become repositories of indispensable insights. While this list may not be exhaustive, it underscores the essence of anticipating such events and the pivotal role they play in your investigation.

Diving into network appliances for investigation purposes signifies more than just inspecting a single technology. It embodies the versatility to tackle various networking paradigms with a unified approach. As an analyst, you possess the agility to navigate through these dynamic logs, regardless of the specific networking technology in play. The central question becomes: Where is this invaluable information meticulously recorded?

Each network appliance, a silent sentinel of your network’s activity, contributes to a collective log symphony. These events, captured meticulously across one or multiple log files, form an essential cornerstone of your investigative prowess. In your quest to decipher network anomalies, breaches, or performance discrepancies, these logs are your vantage point. They hold the key to unlocking a tapestry of events that might otherwise remain concealed.

As you embark on a journey into network appliance events, consider the following:
Router Logs: These logs can reveal insights into traffic patterns, routing decisions, and potential vulnerabilities. They reside within the router’s management interface or designated log storage locations.
Firewall Logs: Firewall logs are a treasure trove of data about permitted and denied traffic, intrusion attempts, and rule violations. They often reside in the firewall’s management console or are exported to external log management systems.
UTM Logs: Unified Threat Management devices amalgamate several security features. Their logs encompass data on threat detection, virus scanning, intrusion prevention, and more.
DNS Server Logs: Domain Name System (DNS) server logs contain information about domain resolutions, domain queries, and potential malicious activities. They are typically found within the DNS server’s management interface.

While this assortment of network appliance events isn’t exhaustive, it epitomizes the essence of what’s at stake. As you tread into these territories, remember that your investigative acumen is not confined to any single networking technology. Instead, it’s a universal toolkit waiting to be applied to the logs of routers, firewalls, UTMs, DNS servers, and beyond.

The key to your success lies in not just accessing these logs, but also interpreting them effectively. Each log entry holds potential clues, each timestamp a story waiting to be told. As you glean insights, patterns, and anomalies, you’re constructing a narrative that might alter the trajectory of your network’s security and performance.

In the evolving landscape of networking, this resource remains open to continual expansion. As new technologies emerge and networking paradigms shift, the universe of network appliance events will expand. By honing your skills in deciphering these logs, you’re poised to be a sentinel, safeguarding your network’s integrity and unveiling its hidden tales.

+--------------------------+----------------------------------------------------------------------+
| Field                    | Description                                                          |
+--------------------------+----------------------------------------------------------------------+
| Timestamp                | The date and time the event was logged                               |
| IP Address               | The IP address of the client that sent the request                   |
| User Agent               | The user agent string that identifies the client's browser           |
| HTTP Method              | The HTTP method used by the client (e.g. GET, POST, PUT, DELETE)     |
| URL                      | The URL of the requested resource                                    |
| HTTP Status Code         | The HTTP status code returned by the server                          |
| Response Time            | The time it took for the server to generate a response               |
| Referrer                 | The URL of the page that referred the client to the request          |
| Request Body             | The body of the client's request (e.g. form data, JSON payload)      |
| Response Body            | The body of the server's response (e.g. HTML, JSON, XML)             |
| Request Headers          | The headers included in the client's request                         |
| Response Headers         | The headers included in the server's response                        |
| Cookies                  | The cookies included in the client's request or server's response    |
| Session ID               | The identifier of the client's session                               |
| User ID                  | The identifier of the user associated with the request               |
| Request Source           | The source of the request (e.g. web browser, mobile app, API client) |
| Error Message            | The message associated with any errors during request processing     |
| Error Code               | The error code associated with any errors during request processing  |
| Server Name              | The name of the server that processed the request                    |
| Server IP                | The IP address of the server that processed the request              |
| Log Source               | The source of the log event (e.g. web server, application server)    |
| Log Message              | The log message associated with the event                            |
| Request Content Type     | The content type of the client's request                             |
| Response Content Type    | The content type of the server's response                            |
| Request Query Parameters | The query parameters included in the client's request                |
| Response Size            | The size of the server's response                                    |
| Request Size             | The size of the client's request                                     |
| SSL Cipher               | The SSL cipher used to encrypt the request                           |
| SSL Protocol             | The SSL protocol used to encrypt the request                         |
| TLS Version              | The TLS version used to encrypt the request                          |
| HTTP Version             | The version of the HTTP protocol used by the client                  |
| Request Duration         | The duration of the client's request                                 |
| Response Duration        | The duration of the server's response                                |
| Server Port              | The port number on which the server is listening                     |
| Request Source IP        | The IP address of the source of the client's request                 |
| Response Content Length  | The length of the server's response content                          |
| Request Content Length   | The length of the client's request content                           |
| Bytes Sent               | The number of bytes sent by the server                               |
| Bytes Received           | The number of bytes received by the server                           |
+--------------------------+----------------------------------------------------------------------+

Exploring Web Application and Web Server Event Logs

We now venture into the realm of web applications and web servers. These vital components of the online world not only facilitate interactions but also attract potential threats. Therefore, understanding and investigating their event logs is crucial.

Web applications and web servers encompass various technologies like NGINX, Tomcat, and Apache. They serve as gateways to the digital world, making their logs a treasure trove of insights.

Let’s break down the key categories of events that reside within these logs:
Access Logs: These logs reveal who accessed your resources and when, shedding light on patterns of legitimate and suspicious activities.
Error Logs: Highlighting server and application errors, these logs provide a trail of anomalies requiring investigation.
Security Incidents: Logs unveil attempted breaches, unauthorized access, and potential exploits, allowing you to respond swiftly.
User Sessions: These logs track user behavior, helping you enhance user experience and assess security.
Application Errors: By examining application errors, you can identify and address glitches and programming issues.
Performance Metrics: Metrics logs measure response times, server loads, and resource consumption, aiding optimization.
HTTP Requests and Responses: These logs offer insights into requested URLs, response statuses, and data exchange.

Consider some examples:
NGINX Access Logs: Reveal visitor IP addresses, requested resources, and response codes.
Tomcat Error Logs: Uncover Java-related errors, exceptions, and stack traces.
Apache Security Logs: Track IP blocks, authentication failures, and intrusion attempts.
Application Performance Metrics: Gauge server response times, database query durations, and resource use.
Session Duration Tracking: Understand user engagement patterns through session logs.

Your investigative skills in this dynamic realm are essential. Each log entry decoded brings you closer to safeguarding your digital space. Remember, this landscape evolves, and so does the depth of your investigative canvas.
With each timestamp, you extract meaning, uncovering paths to enhance security and user experience. As a sentinel in this ever-changing digital world, your role remains pivotal in unraveling tales of security and performance.

+--------------------------+----------------------------------------------------------------------+
| Field                    | Description                                                          |
+--------------------------+----------------------------------------------------------------------+
| Timestamp                | The date and time the event was logged                               |
| IP Address               | The IP address of the client that sent the request                   |
| User Agent               | The user agent string that identifies the client's browser           |
| HTTP Method              | The HTTP method used by the client (e.g. GET, POST, PUT, DELETE)     |
| URL                      | The URL of the requested resource                                    |
| HTTP Status Code         | The HTTP status code returned by the server                          |
| Response Time            | The time it took for the server to generate a response               |
| Referrer                 | The URL of the page that referred the client to the request          |
| Request Body             | The body of the client's request (e.g. form data, JSON payload)      |
| Response Body            | The body of the server's response (e.g. HTML, JSON, XML)             |
| Request Headers          | The headers included in the client's request                         |
| Response Headers         | The headers included in the server's response                        |
| Cookies                  | The cookies included in the client's request or server's response    |
| Session ID               | The identifier of the client's session                               |
| User ID                  | The identifier of the user associated with the request               |
| Request Source           | The source of the request (e.g. web browser, mobile app, API client) |
| Error Message            | The message associated with any errors during request processing     |
| Error Code               | The error code associated with any errors during request processing  |
| Server Name              | The name of the server that processed the request                    |
| Server IP                | The IP address of the server that processed the request              |
| Log Source               | The source of the log event (e.g. web server, application server)    |
| Log Message              | The log message associated with the event                            |
| Request Content Type     | The content type of the client's request                             |
| Response Content Type    | The content type of the server's response                            |
| Request Query Parameters | The query parameters included in the client's request                |
| Response Size            | The size of the server's response                                    |
| Request Size             | The size of the client's request                                     |
| SSL Cipher               | The SSL cipher used to encrypt the request                           |
| SSL Protocol             | The SSL protocol used to encrypt the request                         |
| TLS Version              | The TLS version used to encrypt the request                          |
| HTTP Version             | The version of the HTTP protocol used by the client                  |
| Request Duration         | The duration of the client's request                                 |
| Response Duration        | The duration of the server's response                                |
| Server Port              | The port number on which the server is listening                     |
| Request Source IP        | The IP address of the source of the client's request                 |
| Response Content Length  | The length of the server's response content                          |
| Request Content Length   | The length of the client's request content                           |
| Bytes Sent               | The number of bytes sent by the server                               |
| Bytes Received           | The number of bytes received by the server                           |
| TLS Cipher Strength      | The strength of the TLS cipher used for encryption                   |
| Authentication Type      | The type of authentication used for the request                      |
+--------------------------+----------------------------------------------------------------------+
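As an added example, not code from the original post: the following Python parses NGINX/Apache combined-format access log lines into the Timestamp, IP Address, User ID, HTTP Method, URL, HTTP Version, HTTP Status Code, Bytes Sent, Referrer and User Agent fields from the table above, keeps lines that fail to parse for separate review, and flags client IPs that produce repeated error responses. The sample lines, paths and threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Regex for the NGINX/Apache "combined" access log format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
# Group names map onto the table above: IP Address, User ID, Timestamp, HTTP Method,
# URL, HTTP Version, HTTP Status Code, Bytes Sent, Referrer and User Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation addresses, not real traffic). The fifth line
# is deliberately malformed to show that unparseable input is kept for review, not dropped.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Oct/2023:13:56:01 +0000] "POST /api/orders HTTP/1.1" 201 - "https://shop.example/cart" "curl/8.4.0"
this line is not in combined format
203.0.113.10 - - [10/Oct/2023:13:56:10 +0000] "GET /.env HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Oct/2023:13:56:12 +0000] "GET /api/orders/42 HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""


def parse_access_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into the table's field names; None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    g = m.groupdict()
    return {
        "timestamp": datetime.strptime(g["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "ip_address": g["ip"],
        "user_id": None if g["user"] == "-" else g["user"],
        "http_method": g["method"],
        "url": g["url"],
        "http_version": g["version"],
        "http_status_code": int(g["status"]),
        "bytes_sent": 0 if g["bytes"] == "-" else int(g["bytes"]),
        "referrer": None if g["referrer"] == "-" else g["referrer"],
        "user_agent": g["agent"],
    }


def parse_access_log(lines):
    """Return (parsed events, lines that did not parse).

    Rejected lines deserve their own review: a sudden rise in them usually means a
    log format change, a misconfigured forwarder, or deliberately malformed requests.
    """
    events, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_access_line(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def error_burst_sources(events, threshold=3):
    """Count 4xx/5xx responses per client IP and return the IPs at or above threshold.

    Repeated error responses from one source are a simple, low-cost indicator of
    path enumeration or of a broken client worth a closer look.
    """
    errors = Counter(ev["ip_address"] for ev in events if ev["http_status_code"] >= 400)
    return {ip: n for ip, n in errors.items() if n >= threshold}


def run_sample():
    """Run the parser and the detection over the constructed sample log."""
    events, rejected = parse_access_log(SAMPLE_LOG.splitlines())
    return events, rejected, error_burst_sources(events, threshold=3)


if __name__ == "__main__":
    events, rejected, flagged = run_sample()
    print(f"parsed {len(events)} events, rejected {len(rejected)} line(s)")
    for ip, n in flagged.items():
        print(f"{ip}: {n} error responses")
```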

Authentication and Identity Log Sources

The pillars of Confidentiality, Integrity, Availability, Authentication, Authorization, and Auditing form the bedrock of cyber security. IAM (Identity and Access Management) systems stand as guardians of two vital pillars: Authentication and Authorization. Delving into the logs of these systems is akin to deciphering the intricate layers of security that provision access in organizations.

In the modern enterprise, IAM is composed of three or more products, such as:
Authentication Systems: These systems validate the identity of users and devices seeking access, forming the bedrock of security.
Authorization Systems: These systems determine what resources a user or device can access, ensuring data remains in the hands of those who need it.
MFA (Multi-Factor Authentication) Systems (e.g., OTP Systems, Token Systems): These systems add an extra layer of security beyond passwords, strengthening access control.

In larger enterprises, a diverse array of technologies comes into play, such as Key Vaults and Password Managers, to mention but a few, each adding a layer of security control and contributing to safeguarding access to sensitive information.

Given the importance of IAM products, you can see why security analysts are expected to know how to read and interpret logs from IAM systems. Here are some log sources to keep in mind:
Active Directory Logs: These logs reveal user authentication, failed login attempts, and account lockouts, allowing you to track access patterns and security breaches.
Federated System Logs: Uncover user authorization and access token issuance, aiding in ensuring seamless and secure cross-domain access.
MFA System Logs: These logs provide a trail of multi-factor authentication, offering insights into additional layers of security.
Key Vault Logs: Illuminate actions around cryptographic key management and access, essential for preserving data confidentiality.
Password Manager Logs: Track password changes, resets, and access attempts, ensuring the integrity of password-based authentication.

Consider the following scenarios:
Active Directory Authentication: Monitor successful and failed logins, tracking potential unauthorized access attempts.
Federated System Authorization: Verify access rights across interconnected systems, identifying any anomalies.
MFA Validation: Scrutinize multi-factor authentication logs to ensure enhanced security layers are functioning as intended.

As the IAM landscape evolves, a security analyst’s role in interpreting these logs remains pivotal. With each log entry unraveled, the intricate dance of identity and access unveils itself. From thwarting unauthorized access to facilitating smooth user journeys, your mastery of IAM logs empowers your organization’s security stance.

Through these logs, you wield the ability to ensure the right people access the right resources at the right time, fortifying the pillars of security that uphold your digital realm.

+------------------------+----------------------------------------------------------+
| Field                  | Description                                              |
+------------------------+----------------------------------------------------------+
| Timestamp              | The date and time the event was logged                   |
| User ID                | The identifier of the user who performed the action      |
| User Name              | The name of the user who performed the action            |
| IP Address             | The IP address of the client that sent the request       |
| Event ID               | The unique identifier of the event                       |
| Event Source           | The source of the event (e.g. Active Directory, LDAP)    |
| Event Type             | The type of event (e.g. login, logout, password change)  |
| Event Description      | A description of the event                               |
| Success/Failure        | Whether the event was successful or not                  |
| Target User ID         | The identifier of the user targeted by the action        |
| Target User Name       | The name of the user targeted by the action              |
| Target Group ID        | The identifier of the group targeted by the action       |
| Target Group Name      | The name of the group targeted by the action             |
| Target Computer        | The name of the computer targeted by the action          |
| Target Domain          | The name of the domain targeted by the action            |
| Target IP Address      | The IP address of the target computer                    |
| Object Type            | The type of object affected by the action                |
| Object Name            | The name of the object affected by the action            |
| Operation Type         | The type of operation performed on the object            |
| Operation Description  | A description of the operation performed on the object   |
| Attribute Name         | The name of the attribute modified by the operation      |
| Attribute Value        | The value of the attribute modified by the operation     |
| Permission Type        | The type of permission granted or revoked                |
| Permission Description | A description of the permission granted or revoked       |
| Caller User ID         | The identifier of the user that initiated the action     |
| Caller User Name       | The name of the user that initiated the action           |
| Caller Process ID      | The identifier of the process that initiated the action  |
| Caller Process Name    | The name of the process that initiated the action        |
| Caller Computer        | The name of the computer that initiated the action       |
| Caller IP Address      | The IP address of the computer that initiated the action |
| Error Code             | The error code associated with any errors that occurred  |
| Error Message          | The message associated with any errors that occurred     |
| Logon Type             | The type of logon performed                              |
| Logon Process          | The name of the process responsible for the logon        |
| Logon Account          | The account used to perform the logon                    |
| Logon Workstation      | The name of the workstation used to perform the logon    |
+------------------------+----------------------------------------------------------+
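As an added example, not part of the original post: the Active Directory scenario described above (failed logins and account lockouts) written as two detections over records normalized to the field names in the table. It assumes a hypothetical SIEM pipeline has already mapped Windows Security events onto those names; the sample records, the window and the threshold are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs used by the detections below. These are the real IDs:
# 4624 = successful logon, 4625 = failed logon, 4740 = account locked out.
LOGON_SUCCESS, LOGON_FAILURE, ACCOUNT_LOCKOUT = 4624, 4625, 4740

# Constructed sample records (not real log data), assumed to be already normalized by a
# hypothetical SIEM pipeline to the table's field names: Timestamp, Event ID,
# Success/Failure, Target User Name, Logon Type and Caller IP Address.
SAMPLE_RECORDS = [
    {"timestamp": "2024-03-01T08:00:05", "event_id": 4625, "success": False,
     "target_user_name": "jsmith", "logon_type": 3, "caller_ip_address": "10.0.0.25"},
    {"timestamp": "2024-03-01T08:00:10", "event_id": 4625, "success": False,
     "target_user_name": "jsmith", "logon_type": 3, "caller_ip_address": "10.0.0.25"},
    {"timestamp": "2024-03-01T08:00:15", "event_id": 4625, "success": False,
     "target_user_name": "jsmith", "logon_type": 3, "caller_ip_address": "10.0.0.25"},
    {"timestamp": "2024-03-01T08:00:20", "event_id": 4625, "success": False,
     "target_user_name": "jsmith", "logon_type": 3, "caller_ip_address": "10.0.0.25"},
    {"timestamp": "2024-03-01T08:00:25", "event_id": 4625, "success": False,
     "target_user_name": "jsmith", "logon_type": 3, "caller_ip_address": "10.0.0.25"},
    {"timestamp": "2024-03-01T08:00:30", "event_id": 4625, "success": False,
     "target_user_name": "jsmith", "logon_type": 3, "caller_ip_address": "10.0.0.25"},
    # A lockout event carries no caller IP or logon type of its own, so the
    # correlation below has to recover them from the preceding failures.
    {"timestamp": "2024-03-01T08:00:31", "event_id": 4740, "success": True,
     "target_user_name": "jsmith", "logon_type": None, "caller_ip_address": None},
    {"timestamp": "2024-03-01T08:01:00", "event_id": 4624, "success": True,
     "target_user_name": "mlee", "logon_type": 2, "caller_ip_address": "10.0.0.40"},
    {"timestamp": "2024-03-01T08:02:00", "event_id": 4625, "success": False,
     "target_user_name": "mlee", "logon_type": 2, "caller_ip_address": "10.0.0.40"},
    {"timestamp": "2024-03-01T09:30:00", "event_id": 4625, "success": False,
     "target_user_name": "jsmith", "logon_type": 3, "caller_ip_address": "10.0.0.25"},
]


def normalize(records):
    """Parse ISO-8601 timestamps and return copies of the records sorted by time."""
    out = []
    for r in records:
        r = dict(r)
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        out.append(r)
    return sorted(out, key=lambda r: r["timestamp"])


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window count of failed logons per (target user, caller IP).

    An alert is raised the moment the count within the window reaches the threshold,
    which is the earliest point at which an analyst could act on it.
    """
    windows = defaultdict(deque)
    alerts = []
    for r in records:
        if r["event_id"] != LOGON_FAILURE:
            continue
        key = (r["target_user_name"], r["caller_ip_address"])
        q = windows[key]
        q.append(r["timestamp"])
        while r["timestamp"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) == threshold:
            alerts.append({"target_user_name": key[0], "caller_ip_address": key[1],
                           "failures": len(q), "first_seen": q[0], "last_seen": r["timestamp"]})
    return alerts


def lockouts_with_context(records, lookback=timedelta(minutes=10)):
    """For each account lockout, attach the failed logons for that user in the lookback window.

    This answers the first question an analyst asks about a lockout: where did the
    failures come from, and over which logon type.
    """
    failures = [r for r in records if r["event_id"] == LOGON_FAILURE]
    out = []
    for r in records:
        if r["event_id"] != ACCOUNT_LOCKOUT:
            continue
        user = r["target_user_name"]
        prior = [f for f in failures if f["target_user_name"] == user
                 and timedelta(0) <= r["timestamp"] - f["timestamp"] <= lookback]
        out.append({
            "target_user_name": user,
            "locked_at": r["timestamp"],
            "preceding_failures": len(prior),
            "sources": sorted({f["caller_ip_address"] for f in prior if f["caller_ip_address"]}),
            "logon_types": sorted({f["logon_type"] for f in prior if f["logon_type"] is not None}),
        })
    return out


def run_sample():
    """Run both detections over the constructed records."""
    recs = normalize(SAMPLE_RECORDS)
    return failed_logon_bursts(recs), lockouts_with_context(recs)


if __name__ == "__main__":
    bursts, lockouts = run_sample()
    for a in bursts:
        print(f"burst: {a['failures']} failures for {a['target_user_name']} from "
              f"{a['caller_ip_address']} between {a['first_seen']} and {a['last_seen']}")
    for l in lockouts:
        print(f"lockout: {l['target_user_name']} at {l['locked_at']}, "
              f"{l['preceding_failures']} prior failures from {l['sources']}")
```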

Databases and Data Storage Logs

Database Logs

+---------------------+------------------------------------------------------------+
| Field               | Description                                                |
+---------------------+------------------------------------------------------------+
| Timestamp           | The date and time the event was logged                     |
| User ID             | The identifier of the user who performed the action        |
| User Name           | The name of the user who performed the action              |
| IP Address          | The IP address of the client that sent the request         |
| Database Name       | The name of the database being accessed                    |
| Query               | The SQL query being executed                               |
| Query Duration      | The duration of the query execution                        |
| Query Result        | The result of the query execution                          |
| Error Message       | The message associated with any errors that occurred       |
| Error Code          | The error code associated with any errors that occurred    |
| Transaction ID      | The identifier of the transaction                          |
| Transaction Status  | The status of the transaction                              |
| Object Type         | The type of object affected by the action                  |
| Object Name         | The name of the object affected by the action              |
| Operation Type      | The type of operation performed on the object              |
| Rows Affected       | The number of rows affected by the operation               |
| Client Application  | The name of the client application that sent the request   |
| Client Hostname     | The hostname of the client that sent the request           |
| Client OS User      | The user account used by the client operating system       |
| Client OS Version   | The version of the client operating system                 |
| Client Protocol     | The protocol used by the client to connect to the database |
| Server Name         | The name of the database server                            |
| Server Version      | The version of the database server                         |
| Server OS           | The operating system running on the database server        |
| Server Architecture | The architecture of the database server                    |
| Session ID          | The identifier of the database session                     |
| Session Status      | The status of the database session                         |
| Session Duration    | The duration of the database session                       |
| Lock Type           | The type of lock being held on the database object         |
| Lock Duration       | The duration of the lock                                   |
| Lock Wait           | The amount of time waited before acquiring the lock        |
| Buffer Type         | The type of buffer being accessed                          |
| Buffer Size         | The size of the buffer being accessed                      |
+---------------------+------------------------------------------------------------+

Windows Event Logs

These are log fields from Windows OS events.

+--------------------+------------------------------------------------------------------+
| Field Name         | Description                                                      |
+--------------------+------------------------------------------------------------------+
| Date and Time      | The date and time the event was logged                           |
| Event ID           | The unique identifier for the event                              |
| Level              | The severity level of the event                                  |
| Source             | The source of the event                                          |
| Task Category      | The category of the event                                        |
| User               | The name of the user associated with the event                   |
| Computer           | The name of the computer on which the event was logged           |
| Message            | A description of the event that was logged                       |
| Keywords           | The keywords associated with the event                           |
| Event Record ID    | The unique identifier for the event record                       |
| Provider Name      | The name of the provider that logged the event                   |
| Channel            | The name of the event log that the event was logged to           |
| Opcode             | The operation code associated with the event                     |
| Version            | The version number of the event log                              |
| Process ID         | The ID of the process that generated the event                   |
| Thread ID          | The ID of the thread that generated the event                    |
| Logon ID           | The ID of the logon session associated with the event            |
| Logon Type         | The type of logon that was performed                             |
| Logon Process      | The process used to authenticate the user                        |
| Logon Account      | The account used to perform the logon                            |
| Logon Domain       | The domain associated with the logon account                     |
| Logon GUID         | The unique identifier for the logon session                      |
| Logon Information  | Additional information about the logon session                   |
| Object Name        | The name of the object associated with the event                 |
| Object Type        | The type of object associated with the event                     |
| Object Server      | The server that manages the object                               |
| Object Handle      | The handle to the object associated with the event               |
| Object Access      | The type of access requested or granted for the object           |
| Access Mask        | The access mask associated with the event                        |
| Process Name       | The name of the process that generated the event                 |
| Image Path         | The path of the executable file associated with the process      |
| Command Line       | The command line used to launch the process                      |
| Event Type         | The general type or category of the event                        |
| Event Description  | A detailed description of the event                              |
| Event Source Path  | The path to the executable or component that generated the event |
| Event Data         | Additional structured data associated with the event             |
| Event Context      | Contextual information or environment of the event               |
| Correlation ID     | A unique identifier for correlating related events               |
| Parent Process ID  | The ID of the parent process that spawned the event              |
| Thread Name        | The name of the thread that generated the event                  |
| Caller Process ID  | The ID of the process that initiated the event                   |
| Caller Thread ID   | The ID of the thread that initiated the event                    |
| CPU Usage          | The CPU usage during the event                                   |
| Memory Usage       | The memory usage during the event                                |
| Disk Usage         | The disk usage during the event                                  |
| Network Activity   | The network activity during the event                            |
| Energy Consumption | The energy consumption during the event                          |
| Security Context   | The security context of the event                                |
| Additional Info    | Any additional information or metadata about the event           |
+--------------------+------------------------------------------------------------------+

Linux OS Log Event Fields

These are Linux OS event fields.

+-----------------------+---------------------------------------------------------+
| Field Name            | Description                                             |
+-----------------------+---------------------------------------------------------+
| Log Source            | The source of the log event                             |
| Log Message ID        | The unique identifier of the log message                |
| Log Sequence Number   | The sequence number of the log event                    |
| Log Component         | The specific component or module generating the log     |
| Log Level             | The log level or severity of the event                  |
| Log Context           | Contextual information or environment of the event      |
| Log Record ID         | The identifier for the log record                       |
| Kernel Module         | The kernel module associated with the event             |
| Logon Type            | The type of logon that was performed                    |
| File Path             | The path of the file associated with the event          |
| File Permissions      | The permissions of the file associated with the event   |
| Resource Usage        | The resource usage during the event                     |
| Memory Allocation     | The memory allocation during the event                  |
| System Call           | The system call associated with the event               |
| Return Code           | The return code of the system call                      |
| Socket Information    | Information about socket-related events                 |
| Resource Owner        | The owner of the resource associated with the event     |
| SELinux Context       | The SELinux context associated with the event           |
| AppArmor Profile      | The AppArmor profile associated with the event          |
| Capabilities          | The capabilities associated with the event              |
| Thread ID             | The ID of the thread that generated the event           |
| Virtual Memory        | Information about virtual memory usage                  |
| Network Protocol      | The network protocol associated with the event          |
| Network Session ID    | The ID of the network session associated with the event |
| Network Connection    | Information about network connections                   |
| Network Status        | The status of the network connection                    |
| Network Interface     | The network interface associated with the event         |
| Device Information    | Information about devices                               |
| USB Device            | Information about USB devices                           |
| Mount Information     | Information about mounted filesystems                   |
| Authentication Method | The method of authentication used                       |
| Authentication Result | The result of the authentication                        |
| Authentication Type   | The type of authentication performed                    |
+-----------------------+---------------------------------------------------------+

Endpoint Detection and Response (EDR) Logs

Logs from EDR Products

+----------------------+------------------------------------------------------+
| Field Name           | Description                                          |
+----------------------+------------------------------------------------------+
| Timestamp            | The date and time the event was logged               |
| Event Type           | The type of event (e.g. process creation, file access)|
| Event Category       | The category of the event (e.g. malware detection, intrusion attempt)|
| Process Name         | The name of the process involved in the event        |
| Process ID           | The unique identifier of the process                 |
| Parent Process Name  | The name of the parent process                       |
| Parent Process ID    | The identifier of the parent process                 |
| User ID              | The user associated with the process/event           |
| Source IP            | The source IP address of the event                   |
| Destination IP       | The destination IP address of the event              |
| Source Port          | The source port of the network connection            |
| Destination Port     | The destination port of the network connection       |
| Protocol             | The protocol used in the network connection          |
| File Path            | The path of the file involved in the event           |
| File Name            | The name of the file involved in the event           |
| Hash                 | The hash value of the file                           |
| File Size            | The size of the file involved in the event           |
| Action Taken         | The action taken by the EDR (blocked, quarantined, allowed)|
| Detection Name       | The name of the detection or rule triggered          |
| Threat Level         | The severity level of the threat detected            |
| Alert ID             | The unique identifier of the generated alert         |
| Device Name          | The name of the endpoint device                      |
| Device IP            | The IP address of the endpoint device                |
| Device OS            | The operating system of the endpoint device          |
| Device Username      | The username associated with the endpoint device    |
| Device MAC           | The MAC address of the endpoint device               |
| Device Domain        | The domain of the endpoint device                    |
| Device Vendor        | The vendor of the endpoint device                    |
| Device Model         | The model of the endpoint device                     |
| Device Serial Number | The serial number of the endpoint device             |
| Scan Result          | The result of a file or system scan                  |
| Event Description    | Additional details about the event                  |
| Event Source         | The source of the event (e.g. sensor, agent)         |
| Event Source ID      | The unique identifier of the event source            |
| Event Log ID         | The unique identifier of the event in the EDR system |
| Event Correlation ID | The identifier used to correlate events              |
| Event Outcome        | The outcome of the event (success, failure)          |
| Remediation Action   | The action taken to remediate the event              |
| Event Tags           | Tags associated with the event for categorization   |
| Event Severity       | The severity level of the event                      |
| Event Status         | The status of the event (open, closed, in progress)  |
| Registry Key         | The registry key involved in the event               |
| Registry Value       | The value within the registry key                    |
| DNS Query            | The DNS query made by the process/device             |
| DNS Response         | The DNS response received                            |
| URL                  | The URL accessed by the process/device               |
| HTTP Method          | The HTTP method used in the request                  |
| HTTP Status Code     | The HTTP status code of the response                |
| User-Agent           | The user-agent string in the HTTP request           |
| HTTP Referer         | The referring URL in the HTTP request               |
| Network Connection ID| The unique identifier of the network connection    |
| Source Hostname      | The hostname of the source in the event             |
| Destination Hostname | The hostname of the destination in the event        |
| Source MAC           | The MAC address of the source in the event          |
| Destination MAC      | The MAC address of the destination in the event     |
| Source Username      | The username associated with the source             |
| Destination Username | The username associated with the destination        |
| Source Port Name     | The name of the source port                          |
| Destination Port Name| The name of the destination port                     |
| Process Command Line | The full command line of the process                |
| Process Hash         | The hash value of the process image                 |
| Memory Address       | The memory address involved in the event            |
| Memory Module        | The module (DLL) related to the memory address      |
| DLL Loaded           | The DLL loaded by the process                       |
| Shellcode            | The shellcode detected in the event                  |
| API Call             | The API call made by the process/device             |
| Mutex Name           | The name of the mutex created/used                  |
| Hooked Function      | The hooked function detected in the event           |
| Network Packets      | Packet details of network communication            |
| Device Type          | The type of endpoint device (desktop, laptop, server, etc.)|
| File Accessed        | The accessed files during the event                 |
| Network Protocol     | The specific protocol (e.g. SMB, FTP) in network communication|
| Event Sequence       | The sequence/order of events in a series            |
| Event Duration       | The duration of the event                           |
| Event Source Address | The source address of the event                     |
| Event Destination Address| The destination address of the event            |
| Event Payload        | The payload associated with the event               |
| Mitigation Action    | The action taken to mitigate the threat             |
| Malware Name         | The name of the detected malware                    |
| Malware Family       | The family of the detected malware                  |
| Command and Control Server| The C2 server details                            |
| IOC                  | Indicators of Compromise associated with the event  |
| IOC Category         | The category of the IOC (e.g. IP, domain, hash)     |
+----------------------+------------------------------------------------------+

Virtualization Software Logs

These are fields commonly found in hypervisor and virtual machine management logs

+--------------------------+----------------------------------------------------------+
| Field Name               | Description                                              |
+--------------------------+----------------------------------------------------------+
| Virtual CPU Count        | The number of virtual CPUs assigned to the VM            |
| Memory Allocation        | The amount of memory allocated to the virtual machine    |
| Host Name                | The hostname of the physical host running the VM         |
| Host CPU Count           | The number of physical CPUs on the host                  |
| Host CPU Usage           | The CPU usage of the host                                |
| Host Memory Usage        | The memory usage of the host                             |
| Hypervisor Version       | The version of the hypervisor software                   |
| Hypervisor Vendor        | The vendor of the hypervisor software                    |
| VM Snapshot Count        | The number of snapshots associated with the VM           |
| VM Network Configuration | The network configuration settings for the VM            |
| VM Power State           | The current power state of the VM                        |
| VM Uptime                | The time duration the VM has been running               |
| VM Boot Time             | The time the VM was booted up                           |
| VM Shutdown Time         | The time the VM was shut down                          |
| VM Pause Time            | The time the VM was paused                             |
| VM Resume Time           | The time the VM was resumed                            |
| VM Migration Source      | The source host of a VM migration event                |
| VM Migration Destination | The destination host of a VM migration event           |
| VM Template              | Whether the VM is a template                           |
| Storage Usage            | The amount of storage used by the VM                    |
| Storage Allocation       | The amount of storage allocated to the VM               |
| Storage Controller Type  | The type of storage controller used by the VM           |
| USB Device Usage         | Information about USB devices attached to the VM       |
| Integration Services     | Installed integration services/tools in the guest OS    |
| VM Heartbeat             | The health status of the VM                            |
| VM Configuration Changes | Changes made to the VM configuration                   |
| VM Cloning               | Information about VM cloning events                    |
| VM Snapshot Changes      | Changes made to VM snapshots                           |
| VM Template Changes      | Changes made to VM templates                           |
| Disk Usage               | The amount of disk space used by the VM                 |
| Disk Allocation          | The amount of disk space allocated to the VM            |
| VM Network Traffic       | Details about network traffic in and out of the VM      |
| Disk I/O Statistics      | Information about disk read and write operations         |
| Snapshot Restore Time    | The time taken to restore a VM snapshot                 |
| VM Resource Usage        | Metrics about CPU, memory, disk, and network usage       |
| VM Configuration Version | The version of the virtual machine configuration         |
| VM Backup                | Information about VM backup events                       |
| VM Restore               | Information about VM restore events                      |
| VM Encryption            | Details about VM encryption and key management           |
| VM Guest Tools           | Information about installed guest tools/utilities        |
| VM Application Events    | Events generated within the guest operating system       |
| VM Security Events       | Security-related events within the VM                   |
| VM Custom Properties     | Custom properties or tags associated with the VM         |
| VM Snapshots Size        | The total size of all snapshots of the VM                |
| VM Live Migration        | Details about live migration events                      |
| VM Resource Allocation   | Details about CPU, memory, and disk allocation          |
| VM Integration Services  | Information about installed integration services         |
| VM Health Monitoring     | Metrics related to VM health and performance             |
| VM Cloning Changes       | Changes related to VM cloning                           |
| VM Disk Changes          | Modifications to VM disk settings                       |
| VM Network Changes       | Changes in VM network configuration                    |
| VM Hardware Changes      | Modifications to VM hardware settings                  |
| VM State Changes         | Transitions between power states                        |
| VM Power Operations      | Power operations like start, shutdown, restart          |
| VM Pause/Resume          | Events related to VM pause and resume                   |
| VM Snapshot Management   | Actions involving the creation and management of snapshots |
| VM Template Management   | Activities related to VM templates                      |
| VM Storage Management    | Changes in VM storage settings and allocations          |
| VM Migration Operations  | Data about VM migrations, such as destination and source|
+--------------------------+----------------------------------------------------------+

Container Logs

These are fields commonly found in container and microservice logs, including the Kubernetes metadata attached to them

+----------------------+------------------------------------------------------+
| Field Name           | Description                                          |
+----------------------+------------------------------------------------------+
| Timestamp            | The date and time the event was logged               |
| Service Name         | The name of the microservice or container           |
| Container ID         | The identifier of the container                      |
| Image Name           | The name of the image used to create the container  |
| Image Version        | The version of the image used to create the container|
| Log Message          | The log message generated by the microservice or container|
| Log Level            | The severity level of the log message               |
| Component            | The component within the microservice or container that generated the log message|
| Request ID           | The identifier of the incoming request being processed|
| Response Status      | The status of the response sent to the client       |
| Response Time        | The time taken to generate the response             |
| HTTP Method          | The HTTP method used in the incoming request       |
| URL                  | The URL requested by the client                     |
| Request Size         | The size of the incoming request                    |
| Response Size        | The size of the response sent to the client         |
| User Agent           | The user agent string from the client              |
| Remote IP            | The IP address of the client                        |
| Hostname             | The hostname of the machine running the container or microservice|
| Instance ID          | The identifier of the instance running the container or microservice|
| Namespace            | The Kubernetes namespace where the container or microservice is deployed|
| Pod Name             | The name of the Kubernetes pod where the container or microservice is running|
| Node Name            | The name of the Kubernetes node where the container or microservice is running|
| Exit Code            | The exit code of the container if it terminated     |
| Error Message        | The message associated with any errors that occurred|
| Correlation ID       | The identifier used to correlate logs across microservices or containers|
| Trace ID             | The identifier used to trace the flow of a request across microservices or containers|
| Container State      | The current state of the container (e.g. running, paused, stopped)|
| Environment Variables| Environment variables set in the container          |
| Labels               | Labels attached to the container for identification or grouping|
| Annotations          | Annotations added to the container for additional information|
| Volume Mounts        | Details about volumes mounted in the container     |
| CPU Usage            | CPU resources used by the container                 |
| Memory Usage         | Memory used by the container                        |
| Network Traffic      | Network traffic details for the container           |
| Disk I/O             | Disk I/O metrics for the container                  |
| GPU Usage            | GPU resources used by the container (if applicable)|
| Container Start Time | The time when the container was started            |
| Container End Time   | The time when the container was terminated         |
| Executed Commands    | List of commands executed in the container         |
| Resource Limits      | Limits set for CPU, memory, and other resources    |
| Health Checks        | Results of health checks performed on the container|
| Container Events     | Other significant events related to the container  |
| Container Labels     | Metadata labels set for the container              |
| Container Annotations| Additional annotations for the container          |
| Host Port Mapping    | Mapping of container ports to host ports           |
| Container Port Usage | Information about used and exposed container ports|
| Network Connectivity | Connectivity details of the container             |
| Resource Requests    | Requested resources for CPU, memory, and more      |
| Security Context     | Security settings for the container               |
| Container Creation   | Details about container creation events           |
| Container Destruction| Details about container termination events        |
| Resource Allocation  | Allocation of CPU, memory, and other resources    |
| Container Network    | Network settings of the container                 |
| Container Storage    | Storage settings and mounts in the container      |
| Load Balancing       | Load balancing settings for the container         |
| Container Scaling    | Scaling actions related to the container          |
| Image Pull           | Details about pulling container images            |
| Container Execution  | Information about command execution in the container|
+----------------------+------------------------------------------------------+

Android Logs

This is log information you will find on various Android systems

+----------------------+------------------------------------------------------+
| Field Name           | Description                                          |
+----------------------+------------------------------------------------------+
| Timestamp            | The date and time the event was logged               |
| Component            | The Android component that generated the log message (e.g. Activity, Service, Broadcast Receiver)|
| Log Message          | The log message generated by the Android component   |
| Log Level            | The severity level of the log message (e.g. verbose, debug, info, warning, error, assert)|
| Tag                  | The tag used to identify the source of the log message|
| PID                  | The process ID of the Android component that generated the log message|
| TID                  | The thread ID of the thread that generated the log message|
| Source Code Filename| The name of the source code file where the log message was generated|
| Source Code Line Number| The line number in the source code file where the log message was generated|
| Device ID            | The unique identifier of the Android device          |
| Android Version     | The version of the Android operating system running on the device|
| Manufacturer         | The name of the device manufacturer                  |
| Model                | The device model name                                |
| App Package Name     | The package name of the Android app that generated the log message|
| App Version Name     | The version name of the Android app that generated the log message|
| App Version Code     | The version code of the Android app that generated the log message|
| Process Name         | The name of the process that generated the log message|
| Thread Name          | The name of the thread that generated the log message|
| Stack Trace          | The stack trace associated with the log message, if applicable|
| Exception Type       | The type of the exception, if applicable           |
| Exception Message    | The message associated with the exception, if applicable|
| Memory Usage         | The amount of memory used by the Android component at the time the log message was generated|
| Battery Level        | The battery level of the device at the time the log message was generated|
| Battery Status       | The status of the battery (e.g. charging, discharging, full, not charging)|
| Network Status       | The status of the network connection (e.g. connected, disconnected)|
| Location             | The location of the device, if available            |
| Screen Resolution    | The resolution of the device screen                 |
| Locale               | The locale of the device                            |
| User ID              | The user ID associated with the Android component that generated the log message|
| Event Type           | The type of event associated with the log message (e.g. app startup, app crash, network request)|
| Application ID       | The ID of the Android application that generated the log message|
| Thread Priority      | The priority level of the thread that generated the log message|
| Exception Stack Trace| The full stack trace associated with the log message, including all frames and nested exceptions|
| Network Type         | The type of network connection used by the Android component at the time the log message was generated (e.g. Wi-Fi, mobile data)|
| Connection Type      | The type of connection used by the Android component (e.g. HTTP, HTTPS, TCP, UDP)|
| Request URL          | The URL of the network request associated with the log message|
| Response Code        | The HTTP response code returned by the network request, if applicable|
| Response Message     | The HTTP response message returned by the network request, if applicable|
| Request Body         | The body of the network request, if applicable     |
| Response Body        | The body of the network response, if applicable    |
| SQL Statement        | The SQL statement executed by the Android component, if applicable|
| SQL Error Code       | The error code returned by the SQLite database engine, if applicable|
| SQL Error Message    | The error message returned by the SQLite database engine, if applicable|
| App Package Signature| The signature of the Android app that generated the log message|
| Battery Temperature  | The temperature of the device battery, if available|
| Screen Density       | The density of the device screen                    |
| Input Event Type     | The type of input event associated with the log message (e.g. touch event, keyboard event)|
| Input Event Action   | The action associated with the input event (e.g. key pressed, touch down)|
| Input Event Coordinates| The coordinates of the input event (e.g. X and Y coordinates for touch events)|
| File Path            | The path of the file accessed or modified by the Android component|
| File Mode            | The mode used to access or modify the file (e.g. read, write, execute)|
| File Size            | The size of the file accessed or modified by the Android component|
| Process ID           | The ID of the process that generated the log message|
| Thread ID            | The ID of the thread that generated the log message|
| Application Name     | The name of the Android application that generated the log message|
| Caller Information   | Information about the method or class that called the Android component that generated the log message|
| User Action          | User actions performed at the time of the log event  |
| User Context         | User-related context information                    |
| Network Latency      | Latency of network requests, if applicable          |
| Network Latency Time | Time taken for network request/response, if applicable|
| Battery Health       | Health status of the device battery                |
| Battery Voltage      | Voltage of the device battery                       |
| Memory Available     | Available memory on the device                      |
| Memory Total         | Total memory on the device                          |
| CPU Temperature      | Temperature of the device's CPU                     |
| App Background Time | Time spent by the app in the background            |
| App Foreground Time | Time spent by the app in the foreground            |
| App Launch Time      | Time taken by the app to launch                    |
| App Usage Duration   | Duration for which the app was in use              |
| Network SSID         | SSID of the Wi-Fi network connected to             |
| Network BSSID        | BSSID of the Wi-Fi network connected to            |
| Mobile Network Type  | Type of mobile network (e.g. 3G, 4G, 5G)           |
| Screen On/Off        | Screen on/off events and duration                  |
| Screen Brightness    | Brightness level of the device screen              |
| Device Orientation   | Orientation of the device (portrait/landscape)     |
| App Updates          | Information about app updates                      |
| App Installs         | Information about app installations                |
| App Uninstalls       | Information about app uninstalls                  |
| App Permissions      | Permissions requested and granted by the app       |
| App Background Jobs  | Background tasks or jobs performed by the app      |
| App UI Events        | UI events within the app (e.g. button clicks)      |
| App Analytics Events | Custom events tracked by app analytics             |
| App Errors           | Errors or exceptions occurring within the app     |
| App Start Count      | Count of app startups                              |
| App Crash Count      | Count of app crashes                               |
| App Usage Count      | Count of app usage                                 |
| App Sessions         | Information about user sessions in the app         |
| App Screen Views     | Views of different screens in the app              |
| App Navigation Path  | Navigation path followed by users in the app      |
+----------------------+------------------------------------------------------+

iOS Logs

These are fields commonly found in iOS application and device logs

+----------------------+------------------------------------------------------+
| Field Name           | Description                                          |
+----------------------+------------------------------------------------------+
| Timestamp            | The date and time the event occurred                |
| Process Name         | The name of the process that generated the log entry|
| Thread ID            | The unique identifier of the thread that generated the log entry|
| Log Level            | The severity level of the log entry (e.g. debug, info, warning, error)|
| Category             | The category of the log entry (e.g. network, database, user interface)|
| Message              | The log message itself, which may include additional details about the event|
| Bundle ID            | The unique identifier of the iOS application that generated the log entry|
| App Version          | The version of the iOS application that generated the log entry|
| Device Model         | The model of the iOS device on which the application was running|
| OS Version           | The version of the iOS operating system on which the application was running|
| Battery Level        | The remaining battery level of the device at the time of the event|
| Network Type         | The type of network connection available (e.g. Wi-Fi, cellular)|
| Connection Status    | Whether the device was connected to the internet or not at the time of the event|
| Location             | The location of the device at the time of the event, if available|
| User ID              | The unique identifier of the user associated with the event, if applicable|
| Device ID            | The unique identifier of the iOS device on which the application was running|
| Orientation          | The orientation of the device at the time of the event|
| Memory Usage         | The amount of memory used by the application at the time of the event|
| CPU Usage            | The amount of CPU used by the application at the time of the event|
| Disk Usage           | The amount of disk space used by the application at the time of the event|
| Screen Resolution    | The resolution of the device screen at the time of the event|
| Device Language     | The language of the iOS device on which the application was running|
| App Language         | The language of the iOS application that generated the log entry|
| App Launch Time      | The amount of time it took for the application to launch|
| App Exit Reason      | The reason why the application exited (e.g. user closed the app, app crashed)|
| App Launch Type      | Whether the application was launched from the home screen or from another app|
| App Session ID       | The unique identifier of the user session associated with the event, if applicable|
| App Session Duration | The duration of the user session associated with the event, if applicable|
| Touch Events         | The details of touch events (e.g. touch coordinates, touch duration) that occurred during the event|
| User Actions         | The user actions (e.g. button clicks, menu selections) that triggered the event|
| HTTP Requests        | The details of HTTP requests (e.g. URL, method, headers) made by the application|
| HTTP Response        | The details of HTTP responses (e.g. status code, headers, body) received by the application|
| Key-Value Pairs      | Additional key-value pairs that provide context for the event|
| Exception Details    | The details of any exceptions or errors that occurred during the event|
| Security Events      | Details of security-related events (e.g. authentication, encryption) that occurred during the event|
| Push Notifications   | The details of push notifications (e.g. payload, delivery time) received by the application|
| App Background Time  | The amount of time the application spent in the background|
| App Foreground Time  | The amount of time the application spent in the foreground|
| App Response Time    | The time it took for the application to respond to a user action|
| App Crashes          | Details of any crashes that occurred within the application|
| App Analytics        | Analytics data (e.g. usage statistics, user demographics) collected by the application|
+----------------------+------------------------------------------------------+