Application Log

| Data Source | Detection Indicator |
| --- | --- |
| Application:Mail | `smtpd$.$: .from=.*@internaldomain.com to=.*@internaldomain.com` |
| Application:Mail | Inbound messages with anomalous headers, spoofed SPF/DKIM failures |
| Application:Mail | Inbound emails containing hyperlinks from suspicious sources |
| Application:Mail | Inbound email attachments logged from MTAs with suspicious metadata |
| Application:Mail | Mismatch between authenticated username and From header in email |
| Application:Mail | High-frequency inbound mail activity to a specific recipient address |
| ApplicationLog:API | Docker/Kubernetes API access from external sources |
| ApplicationLog:CallRecords | Outbound or inbound calls to high-risk or blocklisted numbers |
| ApplicationLog:EntraIDPortal | DeviceRegistration events |
| ApplicationLog:IIS | IIS W3C logs in `C:\inetpub\logs\LogFiles\W3SVC*` (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns) |
| ApplicationLog:Ingress | Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes |
| ApplicationLog:Intune/MDM Logs | Enrollment events (e.g., MDMDeviceRegistration) |
| ApplicationLog:MailServer | Unexpected additions of sieve rules or filtering directives |
| ApplicationLog:Outlook | Outlook client-level rule creation actions not consistent with normal user activity |
| ApplicationLog:WebServer | `/var/log/httpd/access_log`, `/var/log/apache2/access.log`, `/var/log/nginx/access.log` with exploit indicators and burst errors |
| AWS:CloudTrail | SendEmail |
| AWS:CloudTrail | InvokeModel |
| AWS:CloudTrail | InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows |
| AWS:CloudTrail | CreateUser |
| AWS:CloudTrail | StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services |
| AWS:CloudWatch | Repeated crash pattern within container or instance logs |
| AWS:CloudWatch | Elevated 5xx response rates in application logs or gateway layer |
| azure:activity | Add role assignment / ElevateAccess / Create service principal |
| azure:audit | App registrations or consent grants by abnormal users or at unusual times |
| azure:signinlogs | ConsentGrant: Suspicious consent grants to non-approved or unknown applications |
| azure:signinlogs | Modify Conditional Access Policy |
| azure:signinlogs | Register PTA Agent or Modify AD FS trust |
| azure:signinlogs | Resource access initiated using application credentials, not user accounts |
| docker:daemon | container_create, container_start |
| docker:events | Container exited with non-zero code repeatedly in short period |
| docker:runtime | Execution of cloud CLI tool (e.g., aws, az) inside container |
| EDR:detection | ThreatDetected, QuarantineLog |
| EDR:detection | ThreatLog |
| esxi:esxupdate | `/var/log/esxupdate.log` contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels |
| esxi:hostd | `/var/log/hostd.log` anomalies (faults, crashes, restarts) around inbound connections |
| esxi:hostd | Keywords 'Backtrace', 'Signal 11', 'PANIC', 'hostd restarted', 'assert' or 'Service terminated unexpectedly' in `/var/log/hostd.log`, `/var/log/vmkernel.log`, `/var/log/syslog.log` |
| esxi:hostd | Unexpected script/command invocations via hostd |
| esxi:hostd | Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest |
| esxi:hostd | Unexpected script invocations producing long encoded strings |
| esxi:hostd | Host daemon command log entries related to VIB enumeration |
| esxi:hostd | New extension/module install with unknown vendor ID |
| esxi:vmkernel | vmkernel / OpenSLP logs for malformed requests |
| esxi:vpxd | Symmetric crypto routines triggered for external session |
| esxi:vpxd | ESXi process initiating asymmetric handshake with external host |
| gcp:workspaceaudit | SendAs: Outbound messages with alias identities that differ from primary account |
| journald:Application | Segfault or crash log entry associated with specific application binary |
| journald:systemd | Repeated service restart attempts or unit failures |
| kubernetes:orchestrator | Access to orchestrator logs containing credentials (Docker/Kubernetes logs) |
| linux:cli | Cleared or truncated `.bash_history` |
| linux:syslog | `usb * new` |
| linux:syslog | Inbound messages from webmail services containing attachments or URLs |
| linux:syslog | `kernel` |
| linux:syslog | System daemons initiating encrypted sessions with unexpected destinations |
| linux:syslog | Milter configuration updated, transport rule initialized, unexpected script execution |
| linux:syslog | Repetitive HTTP 408, 500, or 503 errors logged within short timeframe |
| linux:syslog | Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads |
| linux:syslog | Processes binding to non-standard ports or sshd configured on unexpected port |
| linux:syslog | System daemons initiating TLS sessions outside expected services |
| linux:syslog | Browser/office crash, segfault, abnormal termination |
| linux:syslog | Error/warning logs from services indicating load spike or worker exhaustion |
| linux:syslog | SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain |
| linux:syslog | Suspicious DHCP lease assignment with unexpected DNS or gateway |
| linux:syslog | `opened document` |
| linux:syslog | Authentication attempts into finance-related servers from unusual IPs or times |
| linux:syslog | sshd sessions with unusual port forwarding parameters |
| linux:syslog | Non-standard processes negotiating SSL/TLS key exchanges |
| linux:syslog | Module registration or stacktrace logs indicating segmentation faults or unknown module errors |
| linux:syslog | Segfaults, kernel oops, or crashes in security software processes |
| m365:exchange | Emails containing cleartext secrets (`password=`, `api_key=`, `token=`) shared across internal/external domains |
| m365:exchange | Transport Rule Modification |
| m365:exchange | Admin Audit Logs, Transport Rules |
| m365:exchange | MailDelivery: High-frequency delivery of messages or attachments to a single recipient |
| m365:exchange | New-InboxRule: Automation that triggers abnormal forwarding or external link generation |
| m365:exchange | MessageTrace logs |
| m365:mailboxaudit | Outlook rule creation or custom form deployment |
| m365:messagetrace | AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail |
| m365:messagetrace | X-MS-Exchange-Organization-AutoForwarded |
| m365:purview | MailItemsAccessed & Exchange Audit |
| m365:purview | MailItemsAccessed, Search-Mailbox events |
| m365:unified | Unusual form activity within Outlook client, including load of non-default forms |
| m365:unified | SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed |
| m365:unified | SendOnBehalf, MessageSend, AttachmentPreviewed |
| m365:unified | Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types |
| m365:unified | FileAccessed: Access of email attachments by Office applications |
| m365:unified | Creation or modification of inbox rule outside of normal user behavior |
| m365:unified | Send/Receive: Inbound emails containing embedded or shortened URLs |
| m365:unified | AppRegistration: Unexpected application registration or OAuth authorization |
| m365:unified | MessageSend, MessageRead, or FileAttached events containing credential-like patterns |
| m365:unified | Set-Mailbox, Add-InboxRule, RegisterWebhook |
| m365:unified | ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA |
| m365:unified | Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise |
| m365:unified | Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder |
| m365:unified | PurgeAuditLogs, Remove-MailboxAuditLog |
| m365:unified | Set-CsOnlineUser or UpdateAuthPolicy |
| m365:unified | New-InboxRule or Set-InboxRule events recorded in Exchange Online |
| m365:unified | Transport rule or inbox rule creation events |
| m365:unified | GAL Lookup or Address Book download |
| m365:unified | Send/Receive: Inbound emails with attachments from suspicious or spoofed senders |
| m365:unified | Certificate added or modified in application credentials |
| m365:unified | Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call |
| m365:unified | Set federation settings on domain |
| m365:unified | SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership |
| m365:unified | Set-MailboxAutoReplyConfiguration: Unexpected rule changes creating impersonated replies |
| m365:unified | SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities |
| m365:unified | Read-only configuration review from GUI |
| m365:unified | Modify Federation Settings or Update Authentication Policy |
| m365:unified | Send/Receive: Unusual spikes in inbound messages to a single recipient |
| m365:unified | PowerShell: Add-MailboxPermission |
| m365:unified | Add-MailboxPermission or Set-ManagementRoleAssignment |
| m365:unified | Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship |
| m365:unified | Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship |
| m365:unified | MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams |
| m365:unified | FileAccessed, FileDownloaded, SearchQueried |
| m365:unified | Detection of hidden macro streams or SetHiddenAttribute actions |
| m365:unified | RunMacro |
| m365:unified | FileUploaded or FileCopied events |
| m365:unified | TeamsMessageAccess, TeamsExport, ExternalAppAccess |
| m365:unified | TeamsMessagesAccessedViaEDiscovery, TeamsGraphMessageExport |
| m365:unified | FileAccessed |
| m365:unified | ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion |
| macos:jamf | RemoteCommandExecution |
| macos:unifiedlog | Device attached |
| macos:unifiedlog | Inbound email activity with suspicious domains or mismatched sender information |
| macos:unifiedlog | App/web server logs ingested via unified logging or filebeat (nginx/apache/node) |
| macos:unifiedlog | Received messages with embedded or shortened URLs |
| macos:unifiedlog | Received messages containing embedded links or attachments from non-enterprise services |
| macos:unifiedlog | process 'crashed' |
| macos:unifiedlog | opendirectoryd crashes or abnormal authentication errors |
| macos:unifiedlog | Logs from unified logging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches |
| macos:unifiedlog | Log stream cleared or truncated |
| macos:unifiedlog | Quarantine or AV-related subsystem |
| macos:unifiedlog | Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console |
| macos:unifiedlog | Inbound messages with attachments from suspicious domains |
| macos:unifiedlog | Outgoing or incoming calls with non-standard caller IDs or unusual metadata |
| macos:unifiedlog | Mail.app or third-party clients sending messages with mismatched From headers |
| macos:unifiedlog | Process crash, abort, code signing violations |
| macos:unifiedlog | Configuration profile modified or new profile installed |
| macos:unifiedlog | Crash log entries for a process receiving malformed input or known exploit patterns |
| macos:unifiedlog | Repetitive inbound email delivery activity logged within a short time window |
| macos:unifiedlog | Application errors or resource contention from excessive frontend or script invocation |
| macos:unifiedlog | SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains |
| macos:unifiedlog | New DHCP configuration with anomalous DNS or router values |
| macos:unifiedlog | Mail or AppleScript subsystem |
| macos:unifiedlog | `opened document` |
| macos:unifiedlog | Anomalous keychain access attempts targeting payment credentials |
| macos:unifiedlog | Abnormal terminations of com.apple.security.* or 3rd-party security daemons |
| networkdevice:controlplane | Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands |
| networkdevice:syslog | Config push events |
| networkdevice:syslog | SIP REGISTER, INVITE, or unusual call destination metadata |
| networkdevice:syslog | Failed authentication requests redirected to non-standard portals |
| NSM:Connections | PushNotificationSent |
| NSM:Connections | Failed password or accepted password for SSH users |
| saas:Airtable | EXPORT: User-triggered data export via GUI or API |
| saas:application | High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns |
| saas:application | High-volume API calls or traffic via messaging or webhook service |
| saas:audit | Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows |
| saas:audit | Application added or consent granted: Integration persisting after original user disabled |
| saas:box | User navigated to admin interface |
| saas:collaboration | MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom) |
| saas:confluence | access.content |
| saas:email | AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch |
| saas:finance | Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts |
| saas:github | Bulk access to multiple files or large volume of repo requests within short time window |
| saas:gmail | SendEmail, OpenAttachment, ClickLink |
| saas:googledrive | FileOpen / FileAccess: Event-driven script triggering on user file actions |
| saas:googleworkspace | OAuth2 authorization grants / Admin role assignments |
| saas:hubspot | contact_viewed, contact_exported, login |
| saas:okta | Conditional Access policy rule modified or MFA requirement disabled |
| saas:okta | MFAChallengeIssued |
| saas:okta | WebUI access to administrator dashboard |
| saas:okta | Federation configuration update or signing certificate change |
| saas:okta | System API Call: user.read, group.read |
| saas:openai | High volume of requests to /v1/chat/completions or /v1/images/generations |
| saas:salesforce | DataExport, RestAPI, Login, ReportExport |
| saas:slack | file_upload, message_send, message_click |
| saas:slack | chat.postMessage, files.upload, or discovery API calls involving token/credential regex |
| saas:slack | OAuth token use by unknown app client_id accessing private channels or files |
| saas:slack | conversations.history, files.list, users.info, audit_logs |
| saas:Snowflake | QUERY: Large or repeated `SELECT *` queries to sensitive tables |
| saas:teams | ChatMessageSent, ChatMessageEdited, LinkClick |
| saas:zoom | Unusual web session tokens and automation patterns during login |
| WinEventLog:Application | Outlook errors loading or processing custom form templates |
| WinEventLog:Application | Office Add-in load errors, abnormal loading context, or unsigned add-in warnings |
| WinEventLog:Application | Outlook rule execution failure or abnormal rule execution context |
| WinEventLog:Application | Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution |
| WinEventLog:Application | Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs |
| WinEventLog:Application | Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events |
| WinEventLog:Application | Outlook logs indicating failure to load or render HTML page in Home Page view |
| WinEventLog:Application | EventCode=1000 |
| WinEventLog:Application | Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server) |
| WinEventLog:Application | SCCM, Intune logs |
| WinEventLog:Application | Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files |
| WinEventLog:Application | VPN, Citrix, or remote access gateway logs showing external IP addresses |
| WinEventLog:Application | Outlook rule creation, form load, or homepage redirection |
| WinEventLog:Application | High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite) |
| WinEventLog:Application | Exchange logs or header artifacts |
| WinEventLog:Application | Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs |
| WinEventLog:Security | EventCode=6416 |
| WinEventLog:Security | EventCode=1102 |
| WinEventLog:Security | EventCode=4663, 4670, 4656 |
| WinEventLog:System | Changes to applicationhost.config or DLLs loaded by w3wp.exe |
| WinEventLog:System | Device started/installed (UMDF) GUIDs |
| WinEventLog:System | EventCode=1000 |
| WinEventLog:System | EventCode=104 |
| WinEventLog:System | EventCode=1341, 1342, 1020, 1063 |