Application Log

Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)[1]

ID: DS0015
Platforms: Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Version: 1.0
Created: 20 October 2021
Last Modified: 20 October 2021

Data Components

Application Log: Application Log Content

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Domain ID Name
Enterprise T1098 .002 Account Manipulation: Exchange Email Delegate Permissions
Enterprise T1110 Brute Force
.001 Password Guessing
.002 Password Cracking
.003 Password Spraying
.004 Credential Stuffing
Enterprise T1613 Container and Resource Discovery
Enterprise T1213 Data from Information Repositories
.001 Confluence
.002 Sharepoint
.003 Code Repositories
Enterprise T1491 Defacement
.001 Internal Defacement
.002 External Defacement
Enterprise T1610 Deploy Container
Enterprise T1189 Drive-by Compromise
Enterprise T1114 Email Collection
.003 Email Forwarding Rule
Enterprise T1499 Endpoint Denial of Service
.002 Service Exhaustion Flood
.003 Application Exhaustion Flood
.004 Application or System Exploitation
Enterprise T1190 Exploit Public-Facing Application
Enterprise T1210 Exploitation of Remote Services
Enterprise T1133 External Remote Services
Enterprise T1564 Hide Artifacts
.008 Email Hiding Rules
Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging
Enterprise T1534 Internal Spearphishing
Enterprise T1137 Office Application Startup
.003 Outlook Forms
.004 Outlook Home Page
.005 Outlook Rules
Enterprise T1069 Permission Groups Discovery
.003 Cloud Groups
Enterprise T1566 Phishing
.001 Spearphishing Attachment
.002 Spearphishing Link
.003 Spearphishing via Service
Enterprise T1598 Phishing for Information
.001 Spearphishing Service
.002 Spearphishing Attachment
.003 Spearphishing Link
Enterprise T1594 Search Victim-Owned Websites
Enterprise T1505 Server Software Component
.001 SQL Stored Procedures
.002 Transport Agent
.003 Web Shell
Enterprise T1072 Software Deployment Tools
Enterprise T1199 Trusted Relationship
Enterprise T1550 Use Alternate Authentication Material
.001 Application Access Token
.004 Web Session Cookie
Enterprise T1204 User Execution
.003 Malicious Image

References