
Logsource in correlation rules

This page lists the vendor, product, category, and service values you can use when you write correlation rules with an object logsource. Those values match the event lane templates in the LogMan.io Library under /Templates/EventLanes/, where each template describes how events are classified (aligned with fields such as observer.vendor and observer.product on the event).

How logsource looks in a template

A typical template defines logsource like this:

logsource:
  vendor:
    - microsoft
  product:
    - windows
  category:
    - authentication

Each key holds a list of one or more strings (a single string also occurs). A few templates do not define logsource at all, so they contribute no values to the lists below.

Keys in object logsource

Key       What it selects
vendor    Vendor or brand (e.g. microsoft, cisco)
product   Product or platform (e.g. windows, fortigate)
category  Broad event domain (e.g. firewall, authentication)
service   Finer service-level label where templates use it (uncommon)

category (alphabetical)

access-control, anomaly, anomaly-detection, antivirus, application, audit, authentication, backup, cloud, communication, compute, connection, containerization, database, dhcp, dns, edr, email, endpoint, endpoint-security, file, file-access, firewall, ftp, hardware, healthcare-informatics, ids, intrusion-detection, intrusion_detection (same idea as intrusion-detection; both forms appear in templates), malware, management, medical-imaging, monitoring, network, network-attached-storage, oob, power, printing, proxy, scada, security, sharepoint, spam, storage, switch, system, telephony, threat-detection, ups, virtualization, voip, vpn, webserver, wifi

vendor (alphabetical)

alcatel-lucent, apache, apc, barracuda, bitdefender, bluecoat, broadcom, brother, check-point, cisco, citrix, dell, devolutions, eaton, eset, f5, fidelis, filezilla, flowmon, fortinet, gfi, gordic, haproxy, helios, hp, hpe, ibm, icewarp, innovaphone, ivanti, juniper, kerio, lenovo, manageengine, mcafee, microsoft, mikrotik, minolta, netgate, netgear, openstack, oracle, palo-alto-networks, philips, philips-healthcare, purestorage, qnap, samba, schneider-electric, sentinelone, siemens, socomec, sophos, symantec, synology, teskalabs, ubiquiti, veeam, vmware, whalebone, wowza, ysoft, zabbix, zeek, zyxel

product (alphabetical)

advanced-threat-analytics, advanced-visualization-workspace, advanced-visualization-workspace-15, apache-http-server, apc-ups, avw, bitdefender-cloud-security, bitdefender-gravityzone, brother-mfc, check-point-firewall, cisco-aci, cisco-asa, cisco-catalyst, cisco-ftd, cisco-ios, cisco-ise, cisco-mds, cisco-meraki, cisco-nexus, cisco-ucs, cisco-wlc, defender, defender-for-endpoint, dell-idrac, dell-powervault, diris, diskstation-manager, dna-center, dsm, eaton-ups, ecs, elastic-cloud-storage, eset-protect, ex-series, fidelis-endpoint, fidelis-network, flashsystem, flowmon-ads, fortianalyzer, fortiauthenticator, forticlient, fortigate, fortimail, fortimanager, fortiswitch, helios, hp-laserjet, hpe-primera, hpe-storeonce, ibm-qradar, ibm-tape-library, icewarp-mailserver, junos, kerio-connect, kubernetes, linux, logmanio, m365, manageengine-ad-audit-plus, manageengine-endpoint, mcafee-webwasher, microsoft-dhcp, microsoft-dns, microsoft-exchange, microsoft-iis, microsoft-sharepoint, microsoft-sql, minolta-bizhub, nas, net-vision, netapp, netscaler, network-policy-server, nginx, nova, nps, ntopng, omniswitch, openvpn, oracle-cloud, oracle-listener, oracle-spark, pan-os, pbx, pfsense, qfx-series, qnap-nas, samba-ad-dc, secure-email-gateway, sentinelone, siemens-scalance, software-defined-access, spectrum-scale, squid, srx-series, storwize, switch, synology-nas, ubiquiti-unifi, ups, veeam-backup-replication, vmware-cloud-director, vmware-esxi, vmware-vcenter, windows, wowza-streaming-engine, ysoft-safeq, zabbix, zeek-analyzer, zeek-conn, zeek-dns, zeek-files, zeek-http, zeek-kerberos, zeek-ldapsearch, zeek-mqttconnect, zeek-mqttpublish, zeek-ntp, zeek-ocsp, zeek-pe, zeek-quic, zeek-radius, zeek-sip, zeek-smtp, zeek-snmp, zeek-ssh, zeek-ssl, zeek-syslog, zeek-tunnel, zeek-weird, zeek-x509, zyxel-firewall, zyxel-switch

service (alphabetical)

Used only in a few templates. The values seen so far are: aaa, auditd, messagetrace, syslog

Scalar logsource in correlation rules

In /Correlations/ you may also see a single value instead of an object, for example:

logsource: complex

Values such as base, complex, or activity select which class of input the rule consumes (for example, whether it reads raw events or the output of other correlations). They are unrelated to the vendor, product, category and service vocabulary above, and the two forms cannot be combined in one value: a rule either names an input class or filters by lane classification.

Object logsource in correlation rules

When you filter by lane classification, use the same keys as in templates (vendor, product, category, service, …) and pick values from the lists on this page or from the template that matches your event lane. If you need a value that is not listed yet, extend the corresponding template in /Templates/EventLanes/ first so parsing and correlation stay in sync.
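A small lint for the two forms described in the last two sections, added here as an example (it is not LogMan.io code). It treats a string logsource as the scalar form and checks it against the three values this page names (an assumption: the page says "values such as", so the real set may be wider), and treats a mapping as the object form, checking every value against the vocabulary actually used by the templates and reporting which templates a rule would select. The matching semantics (every key in the rule must appear in the template, and at least one listed value must overlap) are an assumption, not documented behaviour. The templates and rules are constructed dicts in the shape that yaml.safe_load would return from the YAML shown above; in a deployment you would build the list by loading every file under /Templates/EventLanes/. Note that the hyphen/underscore variants (intrusion-detection vs intrusion_detection) are not treated as equal; a near miss is only reported as a hint, because only the exact spelling in the template will select that lane.

```python
"""Lint the logsource of a correlation rule against event lane templates.

Added example, not code from LogMan.io. TEMPLATES below are constructed
samples shaped like the template YAML on this page (what yaml.safe_load
would return from a file under /Templates/EventLanes/).
"""

# Scalar logsource values named on this page; assumed here to be the full set.
SCALAR_LOGSOURCES = {"base", "complex", "activity"}

# Constructed sample templates (names and values chosen for illustration).
TEMPLATES = [
    {"name": "microsoft-windows-authentication",
     "logsource": {"vendor": ["microsoft"], "product": ["windows"],
                   "category": ["authentication"]}},
    {"name": "microsoft-windows-system",
     "logsource": {"vendor": ["microsoft"], "product": ["windows"],
                   "category": ["system"]}},
    {"name": "cisco-asa-firewall",
     "logsource": {"vendor": ["cisco"], "product": ["cisco-asa"],
                   "category": ["firewall", "vpn"], "service": ["aaa"]}},
    {"name": "cisco-ftd-ids",
     "logsource": {"vendor": ["cisco"], "product": ["cisco-ftd"],
                   "category": ["intrusion_detection"]}},
    {"name": "template-without-logsource"},  # some templates omit logsource
]


def _as_list(value):
    """A logsource key may hold one string or a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def vocabulary(templates):
    """Every value used under each logsource key across the templates."""
    vocab = {}
    for template in templates:
        logsource = template.get("logsource")
        if not isinstance(logsource, dict):
            continue  # no object logsource: contributes nothing
        for key, value in logsource.items():
            vocab.setdefault(key, set()).update(_as_list(value))
    return vocab


def _near_miss(value, known):
    """Known values that differ from `value` only in case or '-' vs '_'."""
    fold = value.lower().replace("_", "-")
    return sorted(k for k in known
                  if k != value and k.lower().replace("_", "-") == fold)


def check_logsource(logsource, templates):
    """Return (names of templates the rule selects, list of problems).

    Assumed matching rule: a template matches when every key of the rule's
    logsource exists in the template and at least one value overlaps.
    """
    problems = []
    if isinstance(logsource, str):
        # Scalar form: selects an input class, never a lane.
        if logsource not in SCALAR_LOGSOURCES:
            problems.append(f"unknown scalar logsource {logsource!r}")
        return [], problems
    if not isinstance(logsource, dict):
        return [], [f"logsource must be a string or a mapping, "
                    f"got {type(logsource).__name__}"]

    vocab = vocabulary(templates)
    for key, value in logsource.items():
        wanted = _as_list(value)
        if not wanted:
            problems.append(f"{key}: empty value")
        if key not in vocab:
            problems.append(f"{key}: no template defines this key")
            continue
        for v in wanted:
            if v not in vocab[key]:
                msg = f"{key}: {v!r} is not used by any template"
                hint = _near_miss(v, vocab[key])
                if hint:
                    msg += f" (did you mean {hint[0]!r}?)"
                problems.append(msg)

    matches = []
    for template in templates:
        ls = template.get("logsource")
        if not isinstance(ls, dict):
            continue
        if all(key in ls and set(_as_list(value)) & set(_as_list(ls[key]))
               for key, value in logsource.items()):
            matches.append(template["name"])
    return matches, problems


if __name__ == "__main__":
    rules = {  # constructed rule logsources, as yaml.safe_load would return them
        "windows-logon": {"vendor": "microsoft", "product": "windows",
                          "category": "authentication"},
        "cisco-ids": {"vendor": "cisco", "category": "intrusion-detection"},
        "session-chain": "complex",
    }
    for name, ls in rules.items():
        selected, issues = check_logsource(ls, TEMPLATES)
        print(f"{name}: lanes={selected or '(none)'} problems={issues or 'OK'}")
```

Run it against your own Library by replacing TEMPLATES with the parsed contents of /Templates/EventLanes/ and the rule dicts with the logsource of each file in /Correlations/; a rule that reports no lanes and a near-miss hint is the usual sign of a value that was added to a correlation but not to the corresponding template.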

See also

Sigma uses a related but different logsource model. For Sigma’s category, product, and service conventions, see Log sources.