The table below shows how Graylog maps a gim_event_type_code, created in a pipeline, to a normalized category in Illuminate content. Normalized categories allow dashboards, searches, and alert rules to use a common name across all device types that use this format. An example of such a line in a lookup table is:
"100000","|authentication|","|logon|","logon"
The code 100000 is attached to the log in the processing pipeline and allows the lookup function to attach a category, subcategory, and event type further down the processing chain.

The category in the above case is |authentication|, under which many types of events can fall: logon, logoff, and session disconnect all fall under authentication for easy grouping on dashboards. A subcategory of |logon| is also applied to this log to signify that it occurs during the logon process; there can be many subcategories under logon, such as logon success and logon failure. Finally, the event type is added as logon for further granularity about what this event was processed as.
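As an added example (not Graylog's or Illuminate's own code), the routine below parses the lookup-table CSV layout shown above and enriches a message that already carries gim_event_type_code. The first sample row is the page's own 100000 line; the other rows and the message fields are constructed for this demonstration, and an unknown code leaves the message untouched rather than guessing a category.

```python
import csv
import io

# Constructed sample in the lookup-table format shown above.
# The 100000 row is the page's example; the other rows are assumed
# for this demonstration only.
LOOKUP_CSV = '''"100000","|authentication|","|logon|","logon"
"100501","|authentication|","|credential validation|","error"
"102500","|authentication|","|logoff|","logoff"
'''


def load_lookup_table(text):
    """Parse rows of (code, category, subcategory, event_type) into a dict keyed by code."""
    table = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            # Skip blank or malformed rows instead of poisoning the table.
            continue
        code, category, subcategory, event_type = (field.strip() for field in row)
        table[code] = {
            "gim_event_category": category,
            "gim_event_subcategory": subcategory,
            "gim_event_type": event_type,
        }
    return table


def enrich(message, table):
    """Attach normalized category fields to a message carrying gim_event_type_code.

    The message is returned unchanged when it has no code or the code is unknown,
    so a gap in the lookup table never produces a wrong category.
    """
    code = message.get("gim_event_type_code")
    if code is None:
        return message
    # Codes may arrive as int or string; lookup keys are six-character strings.
    hit = table.get(str(code).zfill(6))
    if hit is None:
        return message
    enriched = dict(message)
    enriched.update(hit)
    return enriched


def demo():
    """Enrich a constructed logon message with the categories for code 100000."""
    table = load_lookup_table(LOOKUP_CSV)
    return enrich({"source": "dc01", "gim_event_type_code": 100000}, table)
```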
gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type |
---|---|---|---|---|
000000 | message | message.log_message | message | |
100000 | authentication | authentication.logon | logon | |
100003 | authentication | authentication.logon | logon with alternate credentials | |
100004 | authentication | authentication.logon | session reconnect | |
100500 | authentication | authentication.credential validation | credential validation | |
100501 | authentication | authentication.credential validation | error | |
100502 | authentication | authentication.credential validation | mfa | |
100503 | authentication | authentication.credential validation | sms_send_message | |
100504 | authentication | authentication.credential validation | voice_call | |
101000 | authentication | authentication.access notice | special logon | |
101001 | authentication | authentication.access notice | error | |
101500 | authentication | authentication.access policy | access policy violation | |
101501 | authentication | authentication.access policy | device policy violation | |
101502 | authentication | authentication.access policy | account policy violation | |
102000 | authentication | authentication.kerberos request | service ticket renewed | |
102001 | authentication | authentication.kerberos request | service ticket requested | |
102002 | authentication | authentication.kerberos request | tgt request | |
102003 | authentication | authentication.kerberos request | error | |
102500 | authentication | authentication.logoff | logoff | |
102501 | authentication | authentication.logoff | session disconnect | |
109999 | authentication | authentication.default | authentication message | |
110000 | iam | iam.object create | account created | |
110001 | iam | iam.object create | error | |
110002 | iam | iam.object create | group created | |
110500 | iam | iam.object delete | account deleted | |
110501 | iam | iam.object delete | group deleted | |
111000 | iam | iam.object modify | account modified | |
111001 | iam | iam.object modify | privileges assigned | |
111002 | iam | iam.object modify | privileges removed | |
111003 | iam | iam.object modify | account renamed | |
111004 | iam | iam.object modify | password change | |
111005 | iam | iam.object modify | administrative password reset | |
111006 | iam | iam.object modify | error | |
111007 | iam | iam.object modify | group member added | |
111008 | iam | iam.object modify | group member removed | |
111009 | iam | iam.object modify | group properties modified | |
111500 | iam | iam.object disable | account locked | |
111501 | iam | iam.object disable | account disabled | |
112000 | iam | iam.object enable | account unlocked | |
112001 | iam | iam.object enable | account enabled | |
112002 | iam | iam.object enable | error | |
119500 | iam | iam.information | group membership enumerated | |
119999 | iam | iam.default | iam message | |
120000 | network | network.network connection | network connection | |
120100 | network | network.routing | network routing | |
120200 | network | network.open | network connection initiated | |
120300 | network | network.close | network connection ended | |
120500 | network | network.flow | flow record | |
120600 | network | network.icmp_request | icmp_request | |
120700 | network | network.icmp_reply | icmp_reply | |
129999 | network | network.default | network message | |
130000 | messaging | messaging.email | email sent | |
130500 | messaging | messaging.email | email blocked | |
131000 | messaging | messaging.email | email rejected | |
131500 | messaging | messaging.email | email quarantined | |
132000 | messaging | messaging.email | email deleted | |
139999 | messaging | messaging.default | message | |
140000 | protocol | name resolution | name resolution.dns request | dns query |
140200 | protocol | name resolution | name resolution.dns answer | dns response |
140300 | protocol | name resolution | name resolution.error | dns error |
140500 | protocol | name resolution | name resolution.ddns update | ddns update |
149999 | protocol | name resolution | name resolution.default | dns message |
150000 | database | database.query | database query | |
150500 | database | database.update | update rows | |
151000 | database | database.add | insert rows | |
151001 | database | database.add | add table | |
151002 | database | database.add | create database | |
151500 | database | database.delete | delete rows | |
151501 | database | database.delete | drop table | |
151502 | database | database.delete | drop database | |
159999 | database | database.default | database message | |
170000 | alert | alert.network alert | ids alert | |
170001 | alert | alert.network alert | network alert | |
170002 | alert | alert.network alert | network dlp alert | |
171000 | alert | alert.host alert | malware alert | |
171001 | alert | alert.host alert | host dlp alert | |
171002 | alert | alert.host alert | hips alert | |
171003 | alert | alert.host alert | fim alert | |
179999 | alert | alert.default | alert message | |
180000 | protocol | http | http.default | http message |
180100 | protocol | http | http.request | http request |
180200 | protocol | http | http.communication | http communication |
180300 | protocol | http | http.proxied | http proxied communication |
190000 | endpoint | process | process.execute | process started |
190100 | endpoint | process | process.end | process stopped |
190500 | endpoint | process | process.interaction | process accessed |
190501 | endpoint | process | process.interaction | remote thread created |
191000 | endpoint | process | process.action | process altered |
191001 | endpoint | process | process.action | image loaded |
199990 | endpoint | process | process.default | process message |
200000 | endpoint | file | file.create | file created |
200100 | endpoint | file | file.delete | file deleted |
201000 | endpoint | file | file.modify | file modified |
201001 | endpoint | file | file.modify | file timestamp modified |
201002 | endpoint | file | file.modify | file stream created |
201500 | endpoint | file | file.access | file accessed |
201501 | endpoint | file | file.access | raw file access |
202000 | endpoint | file | file.integrity | file signature invalid |
202001 | endpoint | file | file.integrity | file integrity notice |
209999 | endpoint | file | file.default | file event |
210000 | endpoint | service | service.start | service started |
210100 | endpoint | service | service.stop | service stopped |
211000 | endpoint | service | service.configuration | service configuration change |
211500 | endpoint | service | service.state | service installed |
211501 | endpoint | service | service.state | service removed |
211502 | endpoint | service | service.state | service enabled |
211503 | endpoint | service | service.state | service disabled |
211504 | endpoint | service | service.state | service error |
219999 | endpoint | service | service.default | service event |
220000 | endpoint | audit | audit.integrity | audit log cleared |
220100 | endpoint | audit | audit.state | audit service started |
220101 | endpoint | audit | audit.state | audit service stopped |
220102 | endpoint | audit | audit.state | audit error |
220500 | endpoint | audit | audit.policy | audit policy changed |
229999 | endpoint | audit | audit.default | audit event |
230000 | endpoint | pipe | pipe.add | pipe created |
230100 | endpoint | pipe | pipe.remove | pipe deleted |
230500 | endpoint | pipe | pipe.state | pipe connected |
239999 | endpoint | pipe | pipe.default | pipe event |
240000 | endpoint | wmi | wmi.filter | wmi filter created |
240001 | endpoint | wmi | wmi.filter | wmi filter removed |
240500 | endpoint | wmi | wmi.consumer | wmi consumer created |
240501 | endpoint | wmi | wmi.consumer | wmi consumer removed |
241000 | endpoint | wmi | wmi.binding | wmi binding created |
249999 | endpoint | wmi | wmi.default | wmi event |
250000 | endpoint | registry | registry.value_change | registry value set |
250001 | endpoint | registry | registry.value_change | registry value added |
250002 | endpoint | registry | registry.value_change | registry value deleted |
250003 | endpoint | registry | registry.value_change | registry value modified |
250500 | endpoint | registry | registry.key_change | registry key added |
250501 | endpoint | registry | registry.key_change | registry key deleted |
250502 | endpoint | registry | registry.key_change | registry key renamed |
251000 | endpoint | registry | registry.object_renamed | registry object renamed |
259999 | endpoint | registry | registry.default | registry event |
260000 | endpoint | system_time | system_time.time_change | system time changed |
269999 | endpoint | system_time | system_time.default | system time event |
270000 | endpoint | driver | driver.loaded | system driver loaded |
270100 | endpoint | driver | driver.unloaded | system driver unloaded |
279999 | endpoint | driver | driver.default | system driver event |
280000 | endpoint | agent | agent.activity | agent activity |
280001 | endpoint | agent | agent.activity | antivirus and malware scan |
280100 | endpoint | agent | agent.update | agent update |
280200 | endpoint | agent | agent.status | agent status |
289999 | endpoint | agent | agent.default | agent default |
290000 | protocol | dhcp | dhcp.request | dhcp request |
290100 | protocol | dhcp | dhcp.offer | dhcp offer |
290200 | protocol | dhcp | dhcp.discovery | dhcp discovery |
290300 | protocol | dhcp | dhcp.acknowledgement | dhcp acknowledgement |
299999 | protocol | dhcp | dhcp.default | dhcp default event |
300000 | detection | detection.network_detection | ids_detection | |
300001 | detection | detection.network_detection | network_detection | |
300002 | detection | detection.network_detection | network_dlp_detection | |
301000 | detection | detection.host_detection | host_malware_detection | |
301001 | detection | detection.host_detection | host_dlp_detection | |
301002 | detection | detection.host_detection | hips_detection | |
301003 | detection | detection.host_detection | fim_detection | |
309999 | detection | detection.default | detection_message | |