Skip to content

DS0015 Application Log

Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)1

Item Value
ID DS0015
Platforms Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers Cloud Control Plane, Host
Version 1.0
Created 20 October 2021
Last Modified 30 March 2022

Data Components

Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Domain ID Name
enterprise T1098 Account Manipulation
enterprise T1098.002 Additional Email Delegate Permissions
enterprise T1098.005 Device Registration
enterprise T1557 Adversary-in-the-Middle
enterprise T1557.003 DHCP Spoofing
enterprise T1110 Brute Force
enterprise T1110.001 Password Guessing
enterprise T1110.002 Password Cracking
enterprise T1110.003 Password Spraying
enterprise T1110.004 Credential Stuffing
enterprise T1213 Data from Information Repositories
enterprise T1213.001 Confluence
enterprise T1213.002 Sharepoint
enterprise T1213.003 Code Repositories
enterprise T1622 Debugger Evasion
enterprise T1491 Defacement
enterprise T1491.001 Internal Defacement
enterprise T1491.002 External Defacement
enterprise T1610 Deploy Container
enterprise T1189 Drive-by Compromise
enterprise T1114 Email Collection
enterprise T1114.003 Email Forwarding Rule
enterprise T1499 Endpoint Denial of Service
enterprise T1499.002 Service Exhaustion Flood
enterprise T1499.003 Application Exhaustion Flood
enterprise T1499.004 Application or System Exploitation
enterprise T1190 Exploit Public-Facing Application
enterprise T1203 Exploitation for Client Execution
enterprise T1210 Exploitation of Remote Services
enterprise T1133 External Remote Services
enterprise T1564 Hide Artifacts
enterprise T1564.008 Email Hiding Rules
enterprise T1562 Impair Defenses
enterprise T1562.002 Disable Windows Event Logging
enterprise T1534 Internal Spearphishing
enterprise T1621 Multi-Factor Authentication Request Generation
enterprise T1137 Office Application Startup
enterprise T1137.003 Outlook Forms
enterprise T1137.004 Outlook Home Page
enterprise T1137.005 Outlook Rules
enterprise T1069 Permission Groups Discovery
enterprise T1069.003 Cloud Groups
enterprise T1566 Phishing
enterprise T1566.001 Spearphishing Attachment
enterprise T1566.002 Spearphishing Link
enterprise T1566.003 Spearphishing via Service
enterprise T1598 Phishing for Information
enterprise T1598.001 Spearphishing Service
enterprise T1598.002 Spearphishing Attachment
enterprise T1598.003 Spearphishing Link
enterprise T1594 Search Victim-Owned Websites
enterprise T1505 Server Software Component
enterprise T1505.001 SQL Stored Procedures
enterprise T1505.002 Transport Agent
enterprise T1505.003 Web Shell
enterprise T1072 Software Deployment Tools
enterprise T1199 Trusted Relationship
enterprise T1550 Use Alternate Authentication Material
enterprise T1550.004 Web Session Cookie
enterprise T1204 User Execution
enterprise T1204.003 Malicious Image


  1. Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021. 

  2. SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019. 

  3. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. 

  4. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. 

  5. Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. 

  6. Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019. 

  7. Microsoft. (2006, August 31). DHCP Server Operational Events. Retrieved March 7, 2022. 

  8. Chris Taylor. (2017, October 5). When Phishing Starts from the Inside. Retrieved October 8, 2019. 

  9. Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019. 

  10. US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. 

  11. Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022. 

  12. Microsoft. (2022, February 18). Manage device identities by using the Azure portal. Retrieved April 13, 2022. 

  13. Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021. 

  14. McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019. 

  15. Sutherland, S. (2016, March 7). Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures. Retrieved July 8, 2019. 

  16. Shoemaker, E. (2015, December 31). Solution: Monitor DHCP Scopes and Detect Man-in-the-Middle Attacks with PRTG and PowerShell. Retrieved March 7, 2022. 

Back to top