
Class: LogSourceReference

A reference linking an analytic to a specific data component and log source pair. Specifies both the data component by STIX ID and the precise (name, channel) log source within that component that provides the raw data consumed by the analytic. Each (x_mitre_data_component_ref, name, channel) tuple must be unique within the x_mitre_log_source_references array of a given analytic.

URI: attack:LogSourceReference

 classDiagram
    class LogSourceReference
    click LogSourceReference href "../LogSourceReference/"
      LogSourceReference : log_source_channel

      LogSourceReference : log_source_name

      LogSourceReference : x_mitre_data_component_ref

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| x_mitre_data_component_ref | 1 StixIdentifier | The STIX ID of the x-mitre-data-component object that this log source referen... | direct |
| log_source_name | 1 String | The log source provider or service name (e | direct |
| log_source_channel | 1 String | The specific log channel, event ID, or event category within the log source (... | direct |

Usages

| used by | used in | type | used |
| --- | --- | --- | --- |
| Analytic | x_mitre_log_source_references | range | LogSourceReference |

In Subsets

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/attack

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | attack:LogSourceReference |
| native | attack:LogSourceReference |

LinkML Source

Direct

name: LogSourceReference
description: A reference linking an analytic to a specific data component and log
  source pair. Specifies both the data component by STIX ID and the precise (name,
  channel) log source within that component that provides the raw data consumed by
  the analytic. Each (x_mitre_data_component_ref, name, channel) tuple must be unique
  within the x_mitre_log_source_references array of a given analytic.
in_subset:
- attack_aux
from_schema: https://w3id.org/lmodel/attack
slots:
- x_mitre_data_component_ref
- log_source_name
- log_source_channel
slot_usage:
  x_mitre_data_component_ref:
    name: x_mitre_data_component_ref
    required: true
  log_source_name:
    name: log_source_name
    required: true
  log_source_channel:
    name: log_source_channel
    required: true

Induced

name: LogSourceReference
description: A reference linking an analytic to a specific data component and log
  source pair. Specifies both the data component by STIX ID and the precise (name,
  channel) log source within that component that provides the raw data consumed by
  the analytic. Each (x_mitre_data_component_ref, name, channel) tuple must be unique
  within the x_mitre_log_source_references array of a given analytic.
in_subset:
- attack_aux
from_schema: https://w3id.org/lmodel/attack
slot_usage:
  x_mitre_data_component_ref:
    name: x_mitre_data_component_ref
    required: true
  log_source_name:
    name: log_source_name
    required: true
  log_source_channel:
    name: log_source_channel
    required: true
attributes:
  x_mitre_data_component_ref:
    name: x_mitre_data_component_ref
    description: The STIX ID of the x-mitre-data-component object that this log source
      reference is associated with. Links the analytic's required data collection
      to a specific data component's log source definition.
    in_subset:
    - attack_aux
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: x_mitre_data_component_ref
    owner: LogSourceReference
    domain_of:
    - LogSourceReference
    range: stix_identifier
    required: true
    pattern: ^x-mitre-data-component--
  log_source_name:
    name: log_source_name
    description: The log source provider or service name (e.g., 'sysmon', 'auditd',
      'unified_logs', 'windows_security'). Together with log_source_channel, uniquely
      identifies a specific log collection configuration.
    in_subset:
    - attack_aux
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: log_source_name
    owner: LogSourceReference
    domain_of:
    - LogSource
    - LogSourceReference
    range: string
    required: true
  log_source_channel:
    name: log_source_channel
    description: The specific log channel, event ID, or event category within the
      log source (e.g., '1' for Sysmon Process Creation event, 'SYSCALL' for Linux
      auditd, 'process' for macOS unified logs). Together with log_source_name, uniquely
      identifies a log collection configuration.
    in_subset:
    - attack_aux
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: log_source_channel
    owner: LogSourceReference
    domain_of:
    - LogSource
    - LogSourceReference
    range: string
    required: true
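
The constraints stated on this page (three required string slots, the `^x-mitre-data-component--` pattern, and tuple uniqueness within one analytic's `x_mitre_log_source_references` array) can be checked before an analytic is published. The following is an added example, not part of the schema or the project's tooling; the function name and sample records are hypothetical, the sample UUIDs are constructed placeholders, and any further checks implied by the `stix_identifier` range are not covered.

```python
import re

# Pattern and required slots are taken from the induced schema above.
DATA_COMPONENT_REF = re.compile(r"^x-mitre-data-component--")
REQUIRED_SLOTS = ("x_mitre_data_component_ref", "log_source_name", "log_source_channel")


def validate_log_source_references(refs):
    """Return error strings for one analytic's x_mitre_log_source_references
    array (hypothetical helper); an empty list means the array is valid."""
    errors = []
    seen = {}  # (ref, name, channel) -> index of first occurrence
    for i, ref in enumerate(refs):
        if not isinstance(ref, dict):
            errors.append(f"[{i}] not an object")
            continue
        # Every slot is declared required with a string range.
        missing = [s for s in REQUIRED_SLOTS if not isinstance(ref.get(s), str)]
        if missing:
            errors.extend(f"[{i}] {s}: required string missing" for s in missing)
            continue
        if not DATA_COMPONENT_REF.search(ref["x_mitre_data_component_ref"]):
            errors.append(f"[{i}] x_mitre_data_component_ref: pattern mismatch")
        # The full tuple, not just (name, channel), must be unique per analytic.
        key = tuple(ref[s] for s in REQUIRED_SLOTS)
        if key in seen:
            errors.append(f"[{i}] duplicate of [{seen[key]}]: {key[1]}/{key[2]}")
        else:
            seen[key] = i
    return errors


# Constructed sample data; the UUIDs are placeholders, not real ATT&CK IDs.
DC = "x-mitre-data-component--00000000-0000-4000-8000-000000000001"
SAMPLE = [
    {"x_mitre_data_component_ref": DC, "log_source_name": "sysmon", "log_source_channel": "1"},
    {"x_mitre_data_component_ref": DC, "log_source_name": "auditd", "log_source_channel": "SYSCALL"},
    # Same tuple as entry 0: violates the uniqueness rule.
    {"x_mitre_data_component_ref": DC, "log_source_name": "sysmon", "log_source_channel": "1"},
    # Wrong STIX object type in the reference.
    {"x_mitre_data_component_ref": "x-mitre-analytic--00000000-0000-4000-8000-000000000002",
     "log_source_name": "unified_logs", "log_source_channel": "process"},
    # log_source_channel omitted.
    {"x_mitre_data_component_ref": DC, "log_source_name": "windows_security"},
]

if __name__ == "__main__":
    for line in validate_log_source_references(SAMPLE):
        print(line)
```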