Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications, and they are vital for monitoring application behavior and detecting malicious activity or anomalies.

This data component can be collected through the following measures:

- Configure Application Logging
- Centralized Log Management
- Cloud-Specific Collection
- SIEM Integration

Examples:

| Name | Channel |
|---|---|
| Application Log | None |
| Application:Mail | `smtpd[.*]: .*from=.*@internaldomain.com to=.*@internaldomain.com` |
| Application:Mail | Inbound messages with anomalous headers, spoofed SPF/DKIM failures |
| Application:Mail | Inbound emails containing hyperlinks from suspicious sources |
| Application:Mail | Inbound email attachments logged from MTAs with suspicious metadata |
| Application:Mail | Mismatch between authenticated username and From header in email |
| Application:Mail | High-frequency inbound mail activity to a specific recipient address |
| ApplicationLog:API | Docker/Kubernetes API access from external sources |
| ApplicationLog:CallRecords | Outbound or inbound calls to high-risk or blocklisted numbers |
| ApplicationLog:EntraIDPortal | DeviceRegistration events |
| ApplicationLog:IIS | IIS W3C logs in C:\inetpub\logs\LogFiles\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns) |
| ApplicationLog:Ingress | Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes |
| ApplicationLog:Intune/MDM Logs | Enrollment events (e.g., MDMDeviceRegistration) |
| ApplicationLog:MailServer | Unexpected additions of sieve rules or filtering directives |
| ApplicationLog:Outlook | Outlook client-level rule creation actions not consistent with normal user activity |
| ApplicationLog:WebServer | /var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors |
| AWS:CloudTrail | SendEmail |
| AWS:CloudTrail | InvokeModel |
| AWS:CloudTrail | InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows |
| AWS:CloudTrail | CreateUser\|AttachRolePolicy\|CreateAccessKey\|UpdateAssumeRolePolicy\|CreateLoginProfile |
| AWS:CloudTrail | StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services |
| AWS:CloudWatch | Repeated crash pattern within container or instance logs |
| AWS:CloudWatch | Elevated 5xx response rates in application logs or gateway layer |
| azure:activity | Add role assignment / ElevateAccess / Create service principal |
| azure:audit | App registrations or consent grants by abnormal users or at unusual times |
| azure:signinLogs | ConsentGrant: Suspicious consent grants to non-approved or unknown applications |
| azure:signinlogs | Modify Conditional Access Policy |
| azure:signinlogs | Register PTA Agent or Modify AD FS trust |
| azure:signinlogs | Resource access initiated using application credentials, not user accounts |
| docker:daemon | container_create,container_start |
| docker:events | Container exited with non-zero code repeatedly in short period |
| docker:runtime | execution of cloud CLI tool (e.g., aws, az) inside container |
| EDR:detection | ThreatDetected, QuarantineLog |
| EDR:detection | ThreatLog |
| esxi:esxupdate | /var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels |
| esxi:hostd | /var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections |
| esxi:hostd | Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log. |
| esxi:hostd | unexpected script/command invocations via hostd |
| esxi:hostd | Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest |
| esxi:hostd | unexpected script invocations producing long encoded strings |
| esxi:hostd | Host daemon command log entries related to vib enumeration |
| esxi:hostd | New extension/module install with unknown vendor ID |
| esxi:vmkernel | vmkernel / OpenSLP logs for malformed requests |
| esxi:vpxd | Symmetric crypto routines triggered for external session |
| esxi:vpxd | ESXi process initiating asymmetric handshake with external host |
| gcp:workspaceaudit | SendAs: Outbound messages with alias identities that differ from primary account |
| journald:Application | Segfault or crash log entry associated with specific application binary |
| journald:systemd | Repeated service restart attempts or unit failures |
| kubernetes:orchestrator | Access to orchestrator logs containing credentials (Docker/Kubernetes logs) |
| linux:cli | cleared or truncated .bash_history |
| linux:syslog | usb * new\|thunderbolt\|pci .* added\|block.*: new .* device |
| linux:syslog | Inbound messages from webmail services containing attachments or URLs |
| linux:syslog | kernel\|systemd messages indicating 'segmentation fault'\|'core dumped'\|'service terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc. |
| linux:syslog | System daemons initiating encrypted sessions with unexpected destinations |
| linux:syslog | milter configuration updated, transport rule initialized, unexpected script execution |
| linux:syslog | Repetitive HTTP 408, 500, or 503 errors logged within short timeframe |
| linux:syslog | Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads |
| linux:syslog | processes binding to non-standard ports or sshd configured on unexpected port |
| linux:syslog | system daemons initiating TLS sessions outside expected services |
| linux:syslog | browser/office crash, segfault, abnormal termination |
| linux:syslog | Error/warning logs from services indicating load spike or worker exhaustion |
| linux:syslog | SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain |
| linux:syslog | suspicious DHCP lease assignment with unexpected DNS or gateway |
| linux:syslog | opened document\|clicked link\|segfault\|abnormal termination\|sandbox |
| linux:syslog | Authentication attempts into finance-related servers from unusual IPs or times |
| linux:syslog | sshd sessions with unusual port forwarding parameters |
| linux:syslog | Non-standard processes negotiating SSL/TLS key exchanges |
| linux:syslog | Module registration or stacktrace logs indicating segmentation faults or unknown module errors |
| linux:syslog | Segfaults, kernel oops, or crashes in security software processes |
| m365:exchange | Emails containing cleartext secrets (password=, api_key=, token=) shared across internal/external domains |
| m365:exchange | Transport Rule Modification |
| m365:exchange | Admin Audit Logs, Transport Rules |
| m365:exchange | MailDelivery: High-frequency delivery of messages or attachments to a single recipient |
| m365:exchange | New-InboxRule: Automation that triggers abnormal forwarding or external link generation |
| m365:exchange | MessageTrace logs |
| m365:mailboxaudit | Outlook rule creation or custom form deployment |
| m365:messagetrace | AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail |
| m365:messagetrace | X-MS-Exchange-Organization-AutoForwarded |
| m365:purview | MailItemsAccessed & Exchange Audit |
| m365:purview | MailItemsAccessed, Search-Mailbox events |
| m365:unified | Unusual form activity within Outlook client, including load of non-default forms |
| m365:unified | SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed |
| m365:unified | SendOnBehalf, MessageSend, AttachmentPreviewed |
| m365:unified | Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types |
| m365:unified | FileAccessed: Access of email attachments by Office applications |
| m365:unified | Creation or modification of inbox rule outside of normal user behavior |
| m365:unified | Send/Receive: Inbound emails containing embedded or shortened URLs |
| m365:unified | AppRegistration: Unexpected application registration or OAuth authorization |
| m365:unified | MessageSend, MessageRead, or FileAttached events containing credential-like patterns |
| m365:unified | Set-Mailbox, Add-InboxRule, RegisterWebhook |
| m365:unified | ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA |
| m365:unified | Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise |
| m365:unified | Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder |
| m365:unified | PurgeAuditLogs, Remove-MailboxAuditLog |
| m365:unified | Set-CsOnlineUser or UpdateAuthPolicy |
| m365:unified | New-InboxRule or Set-InboxRule events recorded in Exchange Online |
| m365:unified | Transport rule or inbox rule creation events |
| m365:unified | GAL Lookup or Address Book download |
| m365:unified | Send/Receive: Inbound emails with attachments from suspicious or spoofed senders |
| m365:unified | certificate added or modified in application credentials |
| m365:unified | Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call |
| m365:unified | Set federation settings on domain\|Set domain authentication\|Add federated identity provider |
| m365:unified | SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership |
| m365:unified | Set-MailboxAutoReplyConfiguration: Unexpected rule changes creating impersonated replies |
| m365:unified | SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities |
| m365:unified | Read-only configuration review from GUI |
| m365:unified | Modify Federation Settings or Update Authentication Policy |
| m365:unified | Send/Receive: Unusual spikes in inbound messages to a single recipient |
| m365:unified | PowerShell: Add-MailboxPermission |
| m365:unified | Add-MailboxPermission or Set-ManagementRoleAssignment |
| m365:unified | Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship |
| m365:unified | Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship |
| m365:unified | MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams |
| m365:unified | FileAccessed, FileDownloaded, SearchQueried |
| m365:unified | Detection of hidden macro streams or SetHiddenAttribute actions |
| m365:unified | RunMacro |
| m365:unified | FileUploaded or FileCopied events |
| m365:unified | TeamsMessageAccess, TeamsExport, ExternalAppAccess |
| m365:unified | TeamsMessagesAccessedViaEDiscovery, TeamsGraphMessageExport |
| m365:unified | FileAccessed |
| m365:unified | ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion |
| macos:jamf | RemoteCommandExecution |
| macos:unifiedlog | Device attached\|enumerated VID/PID |
| macos:unifiedlog | Inbound email activity with suspicious domains or mismatched sender information |
| macos:unifiedlog | App/web server logs ingested via unified logging or filebeat (nginx/apache/node). |
| macos:unifiedlog | Received messages with embedded or shortened URLs |
| macos:unifiedlog | Received messages containing embedded links or attachments from non-enterprise services |
| macos:unifiedlog | process 'crashed'\|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons. |
| macos:unifiedlog | opendirectoryd crashes or abnormal authentication errors |
| macos:unifiedlog | Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches |
| macos:unifiedlog | log stream cleared or truncated |
| macos:unifiedlog | quarantine or AV-related subsystem |
| macos:unifiedlog | Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console |
| macos:unifiedlog | Inbound messages with attachments from suspicious domains |
| macos:unifiedlog | Outgoing or incoming calls with non-standard caller IDs or unusual metadata |
| macos:unifiedlog | Mail.app or third-party clients sending messages with mismatched From headers |
| macos:unifiedlog | process crash, abort, code signing violations |
| macos:unifiedlog | Configuration profile modified or new profile installed |
| macos:unifiedlog | Crash log entries for a process receiving malformed input or known exploit patterns |
| macos:unifiedlog | Repetitive inbound email delivery activity logged within a short time window |
| macos:unifiedlog | Application errors or resource contention from excessive frontend or script invocation |
| macos:unifiedlog | SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains |
| macos:unifiedlog | new DHCP configuration with anomalous DNS or router values |
| macos:unifiedlog | Mail or AppleScript subsystem |
| macos:unifiedlog | opened document\|clicked link\|EXC_BAD_ACCESS\|abort\|LSQuarantine |
| macos:unifiedlog | Anomalous keychain access attempts targeting payment credentials |
| macos:unifiedlog | Abnormal terminations of com.apple.security.* or 3rd-party security daemons |
| networkdevice:controlplane | Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands |
| networkdevice:syslog | config push events |
| networkdevice:syslog | SIP REGISTER, INVITE, or unusual call destination metadata |
| networkdevice:syslog | Failed authentication requests redirected to non-standard portals |
| NSM:Connections | PushNotificationSent |
| NSM:Connections | Failed password or accepted password for SSH users |
| saas:Airtable | EXPORT: User-triggered data export via GUI or API |
| saas:application | High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns. |
| saas:application | High-volume API calls or traffic via messaging or webhook service |
| saas:audit | Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows |
| saas:audit | Application added or consent granted: Integration persisting after original user disabled |
| saas:box | User navigated to admin interface |
| saas:collaboration | MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom) |
| saas:confluence | access.content |
| saas:email | AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch |
| saas:finance | Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts |
| saas:github | Bulk access to multiple files or large volume of repo requests within short time window |
| saas:gmail | SendEmail, OpenAttachment, ClickLink |
| saas:googledrive | FileOpen / FileAccess: Event-driven script triggering on user file actions |
| saas:googleworkspace | OAuth2 authorization grants / Admin role assignments |
| saas:hubspot | contact_viewed, contact_exported, login |
| saas:okta | Conditional Access policy rule modified or MFA requirement disabled |
| saas:okta | MFAChallengeIssued |
| saas:okta | WebUI access to administrator dashboard |
| saas:okta | Federation configuration update or signing certificate change |
| saas:okta | System API Call: user.read, group.read |
| saas:openai | High volume of requests to /v1/chat/completions or /v1/images/generations |
| saas:salesforce | DataExport, RestAPI, Login, ReportExport |
| saas:slack | file_upload, message_send, message_click |
| saas:slack | chat.postMessage, files.upload, or discovery API calls involving token/credential regex |
| saas:slack | OAuth token use by unknown app client_id accessing private channels or files |
| saas:slack | conversations.history, files.list, users.info, audit_logs |
| saas:Snowflake | QUERY: Large or repeated SELECT * queries to sensitive tables |
| saas:teams | ChatMessageSent, ChatMessageEdited, LinkClick |
| saas:zoom | unusual web session tokens and automation patterns during login |
| WinEventLog:Application | Outlook errors loading or processing custom form templates |
| WinEventLog:Application | Office Add-in load errors, abnormal loading context, or unsigned add-in warnings |
| WinEventLog:Application | Outlook rule execution failure or abnormal rule execution context |
| WinEventLog:Application | Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution |
| WinEventLog:Application | Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs |
| WinEventLog:Application | Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events |
| WinEventLog:Application | Outlook logs indicating failure to load or render HTML page in Home Page view |
| WinEventLog:Application | EventCode=1000-1026 |
| WinEventLog:Application | Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server) |
| WinEventLog:Application | SCCM, Intune logs |
| WinEventLog:Application | Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files |
| WinEventLog:Application | EventCode=1000 |
| WinEventLog:Application | EventCode=1000, 1001, 1002 |
| WinEventLog:Application | VPN, Citrix, or remote access gateway logs showing external IP addresses |
| WinEventLog:Application | Outlook rule creation, form load, or homepage redirection |
| WinEventLog:Application | High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite) |
| WinEventLog:Application | Exchange logs or header artifacts |
| WinEventLog:Application | EventCode=1000,1001 |
| WinEventLog:Application | Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs |
| WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational | Device started/installed (UMDF) GUIDs |
| WinEventLog:Security | EventCode=6416 |
| WinEventLog:Security | EventCode=1102 |
| WinEventLog:Security | EventCode=4663 |
| WinEventLog:System | Changes to applicationhost.config or DLLs loaded by w3wp.exe |
| WinEventLog:System | EventCode=7031,7034,1000,1001 |
| WinEventLog:System | EventCode=104 |
| WinEventLog:System | EventCode=1341,1342,1020,1063 |