File: Tagging-Rules.md

Package: plaso 20201007-2 (Debian bullseye)
# Tagging Rules

Plaso provides various configuration files for the [tagging analysis plugin](Analysis-plugin-tagging.md).

## Linux tagging rules

The Linux tagging rules are stored in the file: [tag_linux.txt](https://github.com/log2timeline/plaso/blob/master/data/tag_linux.txt)

The sections below provide more context regarding specific tagging rules.

### application_execution

This rule tags application execution events on Linux. An event gets the `application_execution` label when it is one of the following:

* a command from bash history
* a command from zsh history
* a Docker file system layer event
* a SELinux audit log line where the audit type is "EXECVE"
* a syslog line that contains "COMMAND=" (this is how sudo records the command it ran)
* a syslog line that indicates a cron task was run, for example:

```
Mar 11 00:00:00 ubuntu2015 CRON[3]: (root) CMD (touch /tmp/afile.txt)
```
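To make the matching concrete, below is a small Python evaluator for rules written in this style. It is an added example, not plaso's own tagging code: it supports only the operators the rules above need (`is`, `contains`, `AND`), whereas plaso's real event filter language is considerably richer. The tag file text, the event field names (`data_type`, `audit_type`, `body`, `command`) and the sample events are constructed here to resemble plaso's layout and are assumptions, not content from this page.

```python
"""Minimal evaluator for plaso-style tagging rules.

Added example, not plaso code. Assumed layout (mirrors data/tag_linux.txt):
an unindented line names a label, each indented line under it is one filter
expression, and an event receives the label if ANY expression matches.
"""
import re

# Constructed tag file in the assumed layout; data_type names are assumed.
TAG_RULES = """\
application_execution
  data_type is 'bash:history:command'
  data_type is 'docker:json:layer'
  data_type is 'selinux:line' AND audit_type is 'EXECVE'
  data_type is 'syslog:cron:task_run'
  data_type is 'syslog:line' AND body contains 'COMMAND='
  data_type is 'zsh:history:command'
"""

# One clause: <attribute> is|contains '<value>'
_CLAUSE = re.compile(r"^(\w+)\s+(is|contains)\s+'([^']*)'$")


def parse_tag_file(text):
    """Return {label: [[(attr, op, value), ...], ...]}.

    The outer list is OR (one entry per expression line), the inner list is
    the AND-ed clauses of a single expression.
    """
    rules, label = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if not raw[0].isspace():          # unindented: a new label
            label = raw.strip()
            rules[label] = []
            continue
        if label is None:
            raise ValueError('filter expression before any label: %r' % raw)
        clauses = []
        for part in raw.strip().split(' AND '):
            match = _CLAUSE.match(part.strip())
            if not match:
                raise ValueError('unsupported expression: %r' % part)
            clauses.append(match.groups())
        rules[label].append(clauses)
    return rules


def _clause_matches(event, attr, op, value):
    """Evaluate one clause against an event dict; missing attributes never match."""
    actual = event.get(attr)
    if actual is None:
        return False
    if op == 'is':
        return actual == value
    return value in actual                # 'contains'


def tag_event(event, rules):
    """Return the sorted labels whose rules match the event."""
    labels = []
    for label, alternatives in rules.items():
        if any(all(_clause_matches(event, *c) for c in clauses)
               for clauses in alternatives):
            labels.append(label)
    return sorted(labels)


# Constructed events shaped like plaso event attributes (field names assumed).
EVENTS = [
    {'data_type': 'syslog:cron:task_run', 'username': 'root',
     'command': 'touch /tmp/afile.txt',
     'body': '(root) CMD (touch /tmp/afile.txt)'},
    {'data_type': 'syslog:line', 'reporter': 'sudo',
     'body': 'alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root'},
    {'data_type': 'syslog:line', 'reporter': 'sshd',
     'body': 'Accepted publickey for alice from 10.0.0.5 port 50012 ssh2'},
    {'data_type': 'selinux:line', 'audit_type': 'EXECVE',
     'body': 'argc=2 a0="curl" a1="http://10.0.0.9/x"'},
    {'data_type': 'selinux:line', 'audit_type': 'SYSCALL',
     'body': 'arch=c000003e syscall=59 success=yes'},
    {'data_type': 'bash:history:command',
     'command': 'wget http://10.0.0.9/x -O /tmp/x'},
]


def tag_all(events=EVENTS, text=TAG_RULES):
    """Tag every event; returns one label list per event, in input order."""
    rules = parse_tag_file(text)
    return [tag_event(event, rules) for event in events]


if __name__ == '__main__':
    for event, labels in zip(EVENTS, tag_all()):
        print('%-22s %s' % (','.join(labels) or '-', event['data_type']))
```

Note that the sshd line and the SYSCALL audit record are left untagged: the first has no "COMMAND=" in its body and the second fails the `audit_type is 'EXECVE'` clause, which is exactly the discrimination the rule relies on. A missing attribute (for example no `audit_type` on a syslog event) never matches, so a clause cannot fire on an event of the wrong type.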

### login

### login_failed

### logout

### session_start

### session_stop

### boot

### shutdown

### runlevel

### device_connection

### device_disconnection

### application_install

### service_start

### service_stop

### promiscuous

### crash

## macOS tagging rules

The macOS tagging rules are stored in the file: [tag_macos.txt](https://github.com/log2timeline/plaso/blob/master/data/tag_macos.txt)

The sections below provide more context regarding specific tagging rules.

### application_execution

### application_install

### autorun

### file_download

### device_connection

### document_print

## Windows tagging rules

The Windows tagging rules are stored in the file: [tag_windows.txt](https://github.com/log2timeline/plaso/blob/master/data/tag_windows.txt)

The sections below provide more context regarding specific tagging rules.

### application_execution

### application_install

### application_update

### application_removal

### document_open

### login_failed

### login_attempt

### logoff

### session_disconnection

### session_reconnection

### shell_start

### task_schedule

### job_success

### action_success

### name_resolution_timeout

### time_change

### shutdown

### system_start

### system_sleep

### autorun

### file_download

### document_print

### firewall_change