Application Log

Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)^[1]

ID: DS0015

ⓘ

Platforms: Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS

ⓘ

Collection Layers: Cloud Control Plane, Host

Version: 1.0

Created: 20 October 2021

Last Modified: 20 October 2021

Data Components

Application Log: Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Application Log: Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Domain	ID		Name
Enterprise	T1098	.002	Account Manipulation: Exchange Email Delegate Permissions
Enterprise	T1110		Brute Force
		.001	Password Guessing
		.002	Password Cracking
		.003	Password Spraying
		.004	Credential Stuffing
Enterprise	T1613		Container and Resource Discovery
Enterprise	T1213		Data from Information Repositories
		.001	Confluence
		.002	Sharepoint
		.003	Code Repositories
Enterprise	T1491		Defacement
		.001	Internal Defacement
		.002	External Defacement
Enterprise	T1610		Deploy Container
Enterprise	T1189		Drive-by Compromise
Enterprise	T1114		Email Collection
		.003	Email Forwarding Rule
Enterprise	T1499		Endpoint Denial of Service
		.002	Service Exhaustion Flood
		.003	Application Exhaustion Flood
		.004	Application or System Exploitation
Enterprise	T1190		Exploit Public-Facing Application
Enterprise	T1210		Exploitation of Remote Services
Enterprise	T1133		External Remote Services
Enterprise	T1564		Hide Artifacts
		.008	Email Hiding Rules
Enterprise	T1562	.002	Impair Defenses: Disable Windows Event Logging
Enterprise	T1534		Internal Spearphishing
Enterprise	T1137		Office Application Startup
		.003	Outlook Forms
		.004	Outlook Home Page
		.005	Outlook Rules
Enterprise	T1069		Permission Groups Discovery
		.003	Cloud Groups
Enterprise	T1566		Phishing
		.001	Spearphishing Attachment
		.002	Spearphishing Link
		.003	Spearphishing via Service
Enterprise	T1598		Phishing for Information
		.001	Spearphishing Service
		.002	Spearphishing Attachment
		.003	Spearphishing Link
Enterprise	T1594		Search Victim-Owned Websites
Enterprise	T1505		Server Software Component
		.001	SQL Stored Procedures
		.002	Transport Agent
		.003	Web Shell
Enterprise	T1072		Software Deployment Tools
Enterprise	T1199		Trusted Relationship
Enterprise	T1550		Use Alternate Authentication Material
		.001	Application Access Token
		.004	Web Session Cookie
Enterprise	T1204		User Execution
		.003	Malicious Image

References

Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.