Merge pull request #3467 from splunk/linux_syscall_auditd_update

linux_syscall_auditd_update

Author: patel-bhavin

data_sources/linux_auditd_syscall.yml

@@ -59,6 +59,14 @@ fields:
 - EGID
 - SGID
 - FSGID
+output_fields:
+- comm 
+- exe
+- syscall
+- uid
+- ppid
+- pid
+- dest
 example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59
   success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2
   ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0

detections/endpoint/linux_auditd_at_application_execution.yml

@@ -16,10 +16,13 @@ description: The following analytic detects the execution of the "At" applicatio
   and mitigate potential risks.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")
-  AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime
-  max(_time) as lastTime by comm exe  SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`'
+search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (uid IN ("daemon")) 
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by comm exe  syscall uid ppid pid dest 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `linux_auditd_at_application_execution_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
@@ -75,6 +78,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log
     source: auditd
     sourcetype: auditd

detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml

@@ -15,10 +15,13 @@ description: The following analytic detects suspicious data transfer activities
   from the network.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as
-  dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL
-  UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
-  `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`'
+search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" 
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by comm exe syscall uid ppid pid success dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
@@ -72,6 +75,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log
     source: auditd
     sourcetype: auditd

detections/endpoint/linux_auditd_doas_tool_execution.yml

@@ -14,10 +14,13 @@ description: The following analytic detects the execution of the 'doas' tool on
   the entire system.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count
-  min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid
-  success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
-  `linux_auditd_doas_tool_execution_filter`'
+search: '`linux_auditd` type=SYSCALL comm=doas 
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by comm exe  syscall uid ppid pid success dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `linux_auditd_doas_tool_execution_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
@@ -71,6 +74,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log
     source: auditd
     sourcetype: auditd

detections/endpoint/linux_auditd_edit_cron_table_parameter.yml

@@ -14,11 +14,13 @@ description: The following analytic detects the suspicious editing of cron jobs
   compromise.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN
-  ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats
-  count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid
-  pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
-  `linux_auditd_edit_cron_table_parameter_filter`'
+search: '`linux_auditd` type=SYSCALL syscall IN ("rename", "execve") (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (UID IN("daemon"))
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by comm exe  syscall uid ppid pid dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `linux_auditd_edit_cron_table_parameter_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
@@ -73,6 +75,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log
     source: auditd
     sourcetype: auditd

detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml

@@ -14,10 +14,13 @@ description: The following analytic detects the insertion of a Linux kernel modu
   execution, persistent access, and severe compromise of the affected system.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm=insmod | rename host as dest | stats count
-  min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid
-  success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
-  `linux_auditd_insert_kernel_module_using_insmod_utility_filter`'
+search: '`linux_auditd` type=SYSCALL comm=insmod 
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by comm exe  syscall uid ppid pid success dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `linux_auditd_insert_kernel_module_using_insmod_utility_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
   command-line executions and process details on Unix/Linux systems. These logs should
@@ -74,6 +77,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log
     source: auditd
     sourcetype: auditd

detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml

@@ -14,10 +14,13 @@ description: The following analytic detects the installation of a Linux kernel m
   access to the system, compromising its integrity and security.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm=modprobe | rename host as dest | stats count
-  min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid
-  success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
-  `linux_auditd_install_kernel_module_using_modprobe_utility_filter`'
+search: '`linux_auditd` type=SYSCALL comm=modprobe 
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by comm exe  syscall uid ppid pid success dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `linux_auditd_install_kernel_module_using_modprobe_utility_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
   command-line executions and process details on Unix/Linux systems. These logs should
@@ -73,6 +76,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log
     source: auditd
     sourcetype: auditd

detections/endpoint/linux_auditd_kernel_module_enumeration.yml

@@ -14,9 +14,12 @@ description: The following analytic identifies the use of the 'kmod' process to
   other malicious actions within the system.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm=lsmod | rename host as dest  | stats count
-  min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid
-  success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+search: '`linux_auditd` type=SYSCALL comm=lsmod
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by comm exe  syscall uid ppid pid success dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
   | `linux_auditd_kernel_module_enumeration_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures
@@ -71,6 +74,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log
     source: auditd
     sourcetype: auditd

detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml

@@ -15,10 +15,13 @@ description: The following analytic detects suspicious use of the `rmmod` utilit
   to protect system integrity and security.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest  | stats count
-  min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid
-  success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
-  `linux_auditd_kernel_module_using_rmmod_utility_filter`'
+search: '`linux_auditd` type=SYSCALL comm=rmmod
+  | rename host as dest 
+  | stats count min(_time) as firstTime max(_time) as lastTime 
+  by comm exe  syscall uid ppid pid success dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `linux_auditd_kernel_module_using_rmmod_utility_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
@@ -72,6 +75,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log
     source: auditd
     sourcetype: auditd

detections/endpoint/linux_auditd_system_network_configuration_discovery.yml

@@ -15,12 +15,15 @@ description: The following analytic detects suspicious system network configurat
   reconnaissance operations, mitigating the risk of further compromise.
 data_source:
 - Linux Auditd Syscall
-search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat",
-  "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename
-  host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe)
-  as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid)
-  as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest |
-  where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route")
+  | bucket _time span=15m 
+  | rename host as dest 
+  | stats dc(comm) as unique_commands, values(comm) as comm, values(exe)
+  as exe, values(syscall) as syscall, values(uid) as uid, values(ppid) as ppid, values(pid)
+  as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest 
+  | where unique_commands >= 4 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
   | `linux_auditd_system_network_configuration_discovery_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
@@ -75,6 +78,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log
     source: auditd
     sourcetype: auditd