linux_secure.yml

name: Linux Secure
id: 9a47d88b-1b17-49ce-a0ef-b440ddbd98bb
version: 2
date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs authentication and authorization events on a Linux system, including
  login attempts, SSH connections, and privilege escalation activities.
mitre_components:
- User Account Authentication
- Logon Session Creation
- Logon Session Metadata
- User Account Metadata
- Application Log Content
source: /var/log/secure
sourcetype: linux_secure
supported_TA:
- name: Splunk Add-on for Unix and Linux
  url: https://splunkbase.splunk.com/app/833
  version: 10.0.0
fields:
- _time
- action
- app
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- eventtype
- host
- index
- linecount
- pid
- process
- punct
- source
- sourcetype
- splunk_server
- src
- src_port
- sshd_protocol
- tag
- tag::action
- tag::eventtype
- timeendpos
- timestartpos
- user
- user_name
- vendor_action
- vendor_product
example_log: 'May 27 09:28:36 ip-172-31-24-46 sshd[5617]: Accepted password for mikael
  from 84.202.159.161 port 63487 ssh2'