Eventum Hub

Synthetic data for testing, development, and training. One command to start generating realistic, schema-compliant events from any source.

52 generators across 8 categories

Windows Security Event Log

The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.

Category: Endpoint | Formats: JSON, ECS
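The logon/logoff sessions this generator emits are only useful if the consumer can stitch 4624 logons to their 4634/4647 logoffs. The script below is an added example, not Eventum's own code: it pairs the two on (host, TargetLogonId), flags sessions that never close and logoffs with no visible logon. It assumes ECS-style JSON carrying `winlog.event_id` and `winlog.event_data.*` the way Winlogbeat emits them; the events themselves are constructed here.

```python
"""Pair Windows Security logon (4624) and logoff (4634/4647) events into sessions.

Added example, not Eventum's own code. It assumes ECS-style JSON events that
carry winlog.event_id and winlog.event_data.TargetLogonId the way Winlogbeat
emits them; the sample events below are constructed for illustration.
"""
from datetime import datetime

# Microsoft's Logon Type values as recorded in event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed sample: an interactive session that closes, a network logon by a
# service account that never logs off, and a logoff for a logon we never saw.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-01T08:00:00Z", "host": {"name": "WS-042"},
     "winlog": {"event_id": 4624, "event_data": {"TargetUserName": "alice",
                "TargetLogonId": "0x3e7a1", "LogonType": "2", "IpAddress": "-"}}},
    {"@timestamp": "2024-03-01T08:05:00Z", "host": {"name": "WS-042"},
     "winlog": {"event_id": 4624, "event_data": {"TargetUserName": "svc-backup",
                "TargetLogonId": "0x4f120", "LogonType": "3", "IpAddress": "10.0.5.9"}}},
    {"@timestamp": "2024-03-01T17:30:00Z", "host": {"name": "WS-042"},
     "winlog": {"event_id": 4634, "event_data": {"TargetUserName": "alice",
                "TargetLogonId": "0x3e7a1", "LogonType": "2"}}},
    {"@timestamp": "2024-03-01T17:31:00Z", "host": {"name": "WS-042"},
     "winlog": {"event_id": 4647, "event_data": {"TargetUserName": "bob",
                "TargetLogonId": "0x5a9c2"}}},
]


def _ts(value):
    """Parse an ISO-8601 timestamp; 'Z' is rewritten so Python < 3.11 accepts it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pair_sessions(events):
    """Join 4624 logons with 4634/4647 logoffs on (host, TargetLogonId).

    Returns (sessions, orphan_logoffs). A session whose 'end' is None is
    still open at the end of the input.
    """
    sessions, orphans = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = int(ev["winlog"]["event_id"])   # Winlogbeat may emit this as a string
        data = ev["winlog"]["event_data"]
        key = (ev["host"]["name"], data["TargetLogonId"])
        if eid == 4624:
            ltype = int(data.get("LogonType", 0))
            sessions[key] = {"user": data["TargetUserName"], "logon_type": ltype,
                             "logon_type_name": LOGON_TYPES.get(ltype, "Unknown"),
                             "source_ip": data.get("IpAddress", "-"),
                             "start": _ts(ev["@timestamp"]), "end": None,
                             "duration_s": None}
        elif eid in (4634, 4647):
            sess = sessions.get(key)
            if sess is None or sess["end"] is not None:
                orphans.append(ev)            # logoff without a visible logon
                continue
            sess["end"] = _ts(ev["@timestamp"])
            sess["duration_s"] = (sess["end"] - sess["start"]).total_seconds()
    return sessions, orphans


def open_sessions(sessions):
    """Keys of sessions that have a logon but no matching logoff."""
    return [k for k, s in sessions.items() if s["end"] is None]


if __name__ == "__main__":
    sessions, orphans = pair_sessions(SAMPLE_EVENTS)
    for (host, logon_id), s in sessions.items():
        print(host, logon_id, s["user"], s["logon_type_name"], s["duration_s"])
    print("open:", open_sessions(sessions), "orphan logoffs:", len(orphans))
```

Two things to watch when running this over generated or real data: 4647 (user-initiated logoff) carries no LogonType, so the join must key on TargetLogonId alone, and logon IDs are only unique per boot of a host, which is why the key includes the host name.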

Cisco ASA Firewall

Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.

Category: Network | Formats: JSON, ECS

Nginx Access & Error Logs

Nginx reverse proxy and web server — access logs with upstream timing, error logs with module context, bot/crawler traffic, scanner probes, and correlated 4xx/5xx error entries.

Category: Web & Access | Formats: JSON, ECS

Suricata IDS/IPS

Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.

Category: Security | Formats: JSON, ECS
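The "correlated flow IDs" this generator emits are what let a pipeline turn a bare alert into an ECS document with byte counts and TLS SNI attached. The script below is an added example, not Eventum's or Suricata's code: it groups EVE records by `flow_id`, then projects each alert onto standard ECS field names (`rule.*`, `source.ip`, `destination.ip`, `tls.client.server_name`, `network.bytes`), pulling in the `tls` and `flow` records of the same flow when they exist. The EVE field names follow Suricata's documented EVE JSON schema; the records, the signature text and the signature IDs are constructed.

```python
"""Join Suricata EVE alerts to the tls/flow records that share their flow_id and
project the result onto ECS field names.

Added example, not Eventum's or Suricata's code. EVE field names follow
Suricata's EVE JSON schema (event_type, flow_id, src_ip, dest_ip, alert.*,
tls.sni, flow.bytes_toserver, ...); the records, signature text and signature
ids below are constructed for illustration.
"""
import json

# Constructed EVE stream: a DNS lookup on its own UDP flow, then a TLS session
# (tls + alert + flow records on flow 2002), then an alert with no flow record.
SAMPLE_EVE = """
{"timestamp":"2024-03-01T10:00:00.000000+0000","flow_id":1001,"event_type":"dns","src_ip":"10.0.1.15","src_port":51234,"dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"update.example-cdn.test","rrtype":"A"}}
{"timestamp":"2024-03-01T10:00:01.000000+0000","flow_id":2002,"event_type":"tls","src_ip":"10.0.1.15","src_port":51240,"dest_ip":"203.0.113.77","dest_port":443,"proto":"TCP","tls":{"sni":"update.example-cdn.test","version":"TLS 1.2"}}
{"timestamp":"2024-03-01T10:00:01.200000+0000","flow_id":2002,"event_type":"alert","src_ip":"10.0.1.15","src_port":51240,"dest_ip":"203.0.113.77","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL Constructed example TLS beacon","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2024-03-01T10:05:01.000000+0000","flow_id":2002,"event_type":"flow","src_ip":"10.0.1.15","src_port":51240,"dest_ip":"203.0.113.77","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":1482,"bytes_toclient":6130,"state":"closed"}}
{"timestamp":"2024-03-01T10:06:00.000000+0000","flow_id":3003,"event_type":"alert","src_ip":"198.51.100.9","src_port":40001,"dest_ip":"10.0.1.20","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"LOCAL Constructed example SSH scan","category":"Attempted Information Leak","severity":2}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def group_by_flow(records):
    """Index records as {flow_id: {event_type: [records...]}}."""
    flows = {}
    for rec in records:
        flows.setdefault(rec["flow_id"], {}).setdefault(rec["event_type"], []).append(rec)
    return flows


def enrich_alerts(text):
    """Return one ECS-shaped dict per alert, enriched from same-flow tls/flow records."""
    records = parse_eve(text)
    flows = group_by_flow(records)
    out = []
    for rec in records:
        if rec["event_type"] != "alert":
            continue
        a = rec["alert"]
        ecs = {
            "@timestamp": rec["timestamp"],
            "event": {"kind": "alert", "severity": a["severity"], "action": a["action"]},
            "rule": {"id": str(a["signature_id"]), "name": a["signature"],
                     "category": a["category"]},
            "source": {"ip": rec["src_ip"], "port": rec["src_port"]},
            "destination": {"ip": rec["dest_ip"], "port": rec["dest_port"]},
            "network": {"transport": rec["proto"].lower()},
            "suricata": {"flow_id": rec["flow_id"]},   # vendor field, kept for traceability
        }
        same_flow = flows.get(rec["flow_id"], {})
        tls = same_flow.get("tls")
        if tls and "sni" in tls[0]["tls"]:
            ecs["tls"] = {"client": {"server_name": tls[0]["tls"]["sni"]}}
        flow = same_flow.get("flow")
        if flow:                                     # flow record arrives at session end
            f = flow[0]["flow"]
            ecs["network"]["bytes"] = f["bytes_toserver"] + f["bytes_toclient"]
            ecs["network"]["packets"] = f["pkts_toserver"] + f["pkts_toclient"]
        out.append(ecs)
    return out


if __name__ == "__main__":
    for doc in enrich_alerts(SAMPLE_EVE):
        print(json.dumps(doc, indent=2))
```

Note the limit of a pure `flow_id` join: the DNS query that resolved the SNI above lives on its own UDP flow, so it is not attached to the alert. Linking it requires a second pass keyed on client IP, name and a time window, which is exactly the kind of logic the generator's DNS records let you exercise. The `flow` record also only appears when the session closes, so alerts on still-open sessions will carry no `network.bytes` until a later pass.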

AWS CloudTrail Management Events

AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.

Category: Cloud | Formats: JSON, ECS

AWS GuardDuty Findings

AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.

Category: Cloud | Formats: JSON, ECS

AWS VPC Flow Logs

AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.

Category: Cloud | Formats: JSON, ECS

Azure Activity Log

Azure Monitor Activity Log — control plane operations across VMs, storage, networking, and RBAC. Covers 7 log categories: Administrative, Security, Service Health, Alert, Autoscale, Policy, and Recommendation.

Category: Cloud | Formats: JSON, ECS

Microsoft Entra ID (formerly Azure AD)

Microsoft Entra ID sign-in and audit logs — interactive and non-interactive authentication, service principal sign-ins, and directory changes. Covers MFA, Conditional Access, AADSTS errors, and role/group management.

Category: Cloud | Formats: JSON, ECS

GCP Cloud Audit Logs

GCP Cloud Audit Logs — API calls across Compute Engine, IAM, Cloud Storage, GKE, BigQuery, and VPC networking from a multi-project organization. Includes console logins, service account operations, error injection, and 3 caller identity types.

Category: Cloud | Formats: JSON, ECS

Microsoft 365 Unified Audit Log

Microsoft 365 Unified Audit Log — Azure AD sign-ins and MFA, Exchange mailbox activity, SharePoint/OneDrive file operations, Teams meetings and messaging, DLP alerts, and admin configuration changes.

Category: Cloud | Formats: JSON, ECS

Windows PowerShell

PowerShell classic and operational channels — engine lifecycle, script block logging, module invocations, pipeline execution, and provider starts. Includes obfuscated commands and suspicious script patterns for exercising detection rules.

Category: Endpoint | Formats: JSON, ECS

Windows Sysmon

Sysmon (System Monitor) operational channel — process creation with full command lines, network connections, file creates, registry modifications, DNS queries, and WMI events. SwiftOnSecurity-style tuning.

Category: Endpoint | Formats: JSON, ECS

Check Point Security Gateway

Check Point Security Gateway SmartLog — 8 software blades: Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.

Category: Network | Formats: JSON, ECS

Network Traffic (Continent-Level Geo)

Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.

Category: Network | Formats: JSON, ECS

Network DNS Traffic

Passive DNS transaction logs — query/response pairs for A, AAAA, CNAME, MX, TXT, PTR, SRV, SOA, NS, and DNSKEY records. Mixed internal/external resolvers with NXDOMAIN, SERVFAIL, and REFUSED errors.

Category: Network | Formats: JSON, ECS

Network Firewall (Vendor-Agnostic)

Vendor-agnostic firewall — ECS-normalized traffic flow decisions, session lifecycle, NAT translations, and IDS/IPS threat detections. Plug into any SIEM pipeline without vendor lock-in.

Category: Network | Formats: JSON, ECS

Fortinet FortiGate

FortiGate next-gen firewall logs — traffic forwarding, UTM security modules (web filter, IPS, app control, DNS filter, antivirus), anomaly detection, and system operational events across the full FortiOS log taxonomy.

Category: Network | Formats: JSON, ECS

Juniper SRX Firewall

Juniper SRX series security gateway — RT_FLOW session lifecycle, RT_UTM Enhanced Web Filtering, RT_IDP intrusion detection alerts, and RT_IDS screen-based DoS protection, emitted as Junos structured syslog.

Category: Network | Formats: JSON, ECS

NetFlow / IPFIX

NetFlow v9 / IPFIX biflow records — network telemetry as exported by routers, switches, and firewalls. TCP, UDP, and ICMP flows with byte/packet counters, AS numbers, and interface indexes.

Category: Network | Formats: JSON, ECS

Palo Alto Threat

Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.

Category: Security | Formats: JSON, ECS

Palo Alto Traffic

Palo Alto PAN-OS Traffic logs — network session lifecycle with start/end/drop/deny subtypes, zone-aware flow profiles (trust, untrust, DMZ), source NAT translation, 30 App-ID applications, and byte/packet counters with lognormal distributions.

Category: Network | Formats: JSON, ECS

Palo Alto URL Filtering

Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.

Category: Security | Formats: JSON, ECS

Snort IDS/IPS

Snort IDS/IPS alert output — malware C2 callbacks, web application attacks, network reconnaissance, policy violations, protocol anomalies, and DoS detection across 13 alert classifications.

Category: Security | Formats: JSON, ECS

UserGate NGFW

UserGate next-generation firewall and UTM appliance logs — traffic accept/deny decisions, web content filtering, DNS queries, IDS/IPS alerts, user authentication, VPN sessions, and system operational events.

Category: Network | Formats: JSON, ECS

Aruba Wireless Controller

Aruba wireless controller syslog — client association/disassociation, 802.1X/web/MAC authentication, AP up/down events, WIDS rogue AP detection, and ARM radio channel management across 20 access points.

Category: Network | Formats: JSON, ECS

Apache HTTP Server

Apache httpd access and error logs — page/asset/API requests, bot crawlers (Googlebot, GPTBot), scanner probes, 3xx redirects, and correlated 4xx/5xx error log entries with module context.

Category: Web & Access | Formats: JSON, ECS

Linux Auditd

Linux audit framework (auditd) — syscall tracing (execve, openat, connect), PAM authentication, credential changes, user login/logout, sudo privilege escalation, and systemd service management.

Category: Endpoint | Formats: JSON, ECS

Linux Syslog

Linux syslog (RFC 3164) — SSH authentication, sudo/su privilege escalation, cron jobs, systemd service lifecycle, kernel messages, UFW firewall, PAM, DHCP, Postfix mail, and package management from rsyslog/syslog-ng.

Category: Endpoint | Formats: JSON, ECS

Microsoft Exchange Message Tracking

Exchange Server 2019 message tracking — SMTP receive/send, mailbox delivery, transport routing, shadow redundancy, anti-spam filtering, distribution group expansion, and delivery failure DSNs.

Category: Email | Formats: JSON, ECS

All product names, logos, and brands are property of their respective owners. Eventum is not affiliated with or endorsed by any of them.