Class: LogSource
A platform-specific log collection configuration embedded within a data component. Defines a specific log provider (name) and event category or channel identifier (channel) that together specify where to collect telemetry relevant to the parent data component's detection context. The (name, channel) pair must be unique within the x_mitre_log_sources array of a given data component.
URI: attack:LogSource
```mermaid
classDiagram
    class LogSource
    click LogSource href "../LogSource/"
      LogSource : log_source_channel
      LogSource : log_source_name
```
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
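| log_source_name | 1 String | The log source provider or service name (e.g., 'sysmon', 'auditd', 'unified_logs', 'windows_security') | direct |
| log_source_channel | 1 String | The specific log channel, event ID, or event category within the log source (e.g., '1' for Sysmon Process Creation event, 'SYSCALL' for Linux auditd, 'process' for macOS unified logs) | direct |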
Usages
| used by | used in | type | used |
|---|---|---|---|
| DataComponent | x_mitre_log_sources | range | LogSource |
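The class description requires both slots and a unique (name, channel) pair within one data component's x_mitre_log_sources array. The following check for those rules is an added example, not code from the schema or the ATT&CK project; using the slot names as the keys of each serialized entry is an assumption, and the sample array is constructed.

```python
# Slot names are taken from this page; treating them as the keys of each
# serialized entry is an assumption, so both are overridable.
NAME_KEY = "log_source_name"
CHANNEL_KEY = "log_source_channel"


def validate_log_sources(entries, name_key=NAME_KEY, channel_key=CHANNEL_KEY):
    """Check one data component's x_mitre_log_sources array.

    Returns a list of (index, problem) tuples; an empty list means valid.
    """
    problems = []
    first_seen = {}  # (name, channel) -> index of first occurrence
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append((i, "entry is not an object"))
            continue
        bad = False
        for key in (name_key, channel_key):
            if key not in entry:
                problems.append((i, f"{key} is required"))
                bad = True
            elif not isinstance(entry[key], str):
                # range: string, so an event ID must be '1', not 1
                problems.append((i, f"{key} must be a string"))
                bad = True
        if bad:
            continue
        pair = (entry[name_key], entry[channel_key])  # compared exactly
        if pair in first_seen:
            problems.append((i, f"duplicate {pair}, first at index {first_seen[pair]}"))
        else:
            first_seen[pair] = i
    return problems


# Constructed sample array, not taken from any ATT&CK release.
SAMPLE = [
    {"log_source_name": "sysmon", "log_source_channel": "1"},
    {"log_source_name": "auditd", "log_source_channel": "SYSCALL"},
    {"log_source_name": "sysmon", "log_source_channel": "1"},  # repeats index 0
    {"log_source_name": "sysmon", "log_source_channel": 1},    # int, not string
    {"log_source_name": "unified_logs"},                       # channel missing
]

if __name__ == "__main__":
    for index, problem in validate_log_sources(SAMPLE):
        print(f"x_mitre_log_sources[{index}]: {problem}")
```

The same provider name may appear more than once as long as the channel differs; only the pair has to be unique.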
In Subsets
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:LogSource |
| native | attack:LogSource |
LinkML Source
Direct
```yaml
name: LogSource
description: A platform-specific log collection configuration embedded within a data
  component. Defines a specific log provider (name) and event category or channel
  identifier (channel) that together specify where to collect telemetry relevant to
  the parent data component's detection context. The (name, channel) pair must be
  unique within the x_mitre_log_sources array of a given data component.
in_subset:
- attack_aux
from_schema: https://w3id.org/lmodel/attack
slots:
- log_source_name
- log_source_channel
slot_usage:
  log_source_name:
    name: log_source_name
    required: true
  log_source_channel:
    name: log_source_channel
    required: true
```
Induced
```yaml
name: LogSource
description: A platform-specific log collection configuration embedded within a data
  component. Defines a specific log provider (name) and event category or channel
  identifier (channel) that together specify where to collect telemetry relevant to
  the parent data component's detection context. The (name, channel) pair must be
  unique within the x_mitre_log_sources array of a given data component.
in_subset:
- attack_aux
from_schema: https://w3id.org/lmodel/attack
slot_usage:
  log_source_name:
    name: log_source_name
    required: true
  log_source_channel:
    name: log_source_channel
    required: true
attributes:
  log_source_name:
    name: log_source_name
    description: The log source provider or service name (e.g., 'sysmon', 'auditd',
      'unified_logs', 'windows_security'). Together with log_source_channel, uniquely
      identifies a specific log collection configuration.
    in_subset:
    - attack_aux
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: log_source_name
    owner: LogSource
    domain_of:
    - LogSource
    - LogSourceReference
    range: string
    required: true
  log_source_channel:
    name: log_source_channel
    description: The specific log channel, event ID, or event category within the
      log source (e.g., '1' for Sysmon Process Creation event, 'SYSCALL' for Linux
      auditd, 'process' for macOS unified logs). Together with log_source_name, uniquely
      identifies a log collection configuration.
    in_subset:
    - attack_aux
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: log_source_channel
    owner: LogSource
    domain_of:
    - LogSource
    - LogSourceReference
    range: string
    required: true
```