Tagging Rules
Plaso provides various configuration files for the tagging analysis plugin.
Linux tagging rules
The Linux tagging rules are stored in the file: tag_linux.txt
The sections below provide more context regarding specific tagging rules.
application_execution
This rule tags application execution events on Linux, which are defined as:
a command from bash history
a Docker file system layer event
a SELinux log line where the audit type is “EXECVE”
a command from zsh history
a syslog line that indicates a cron task was run, for example:
Mar 11 00:00:00 ubuntu2015 CRON[3]: (root) CMD (touch /tmp/afile.txt)
a syslog line that contains “COMMAND=”
login
login_failed
logout
session_start
session_stop
boot
shutdown
runlevel
device_connection
device_disconnection
application_install
service_start
service_stop
promiscuous
crash
MacOS tagging rules
The MacOS tagging rules are stored in the file: tag_macos.txt
The sections below provide more context regarding specific tagging rules.
application_execution
application_install
autorun
file_download
device_connection
document_print
Windows tagging rules
The Windows tagging rules are stored in the file: tag_windows.txt
The sections below provide more context regarding specific tagging rules.