From d073f8f03ad71df9f801e704b0b95037b23c2287 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Wed, 16 Apr 2025 13:05:53 +0200 Subject: [PATCH 1/4] linux_syscall_auditd_update --- .../linux_auditd_at_application_execution.yml | 17 ++++++++------- ...transfer_size_limits_via_split_syscall.yml | 17 ++++++++------- .../linux_auditd_doas_tool_execution.yml | 17 ++++++++------- ...linux_auditd_edit_cron_table_parameter.yml | 18 +++++++++------- ...ert_kernel_module_using_insmod_utility.yml | 17 ++++++++------- ...l_kernel_module_using_modprobe_utility.yml | 17 ++++++++------- ...linux_auditd_kernel_module_enumeration.yml | 15 +++++++------ ...ditd_kernel_module_using_rmmod_utility.yml | 17 ++++++++------- ...system_network_configuration_discovery.yml | 21 +++++++++++-------- .../linux_auditd_whoami_user_discovery.yml | 17 ++++++++------- 10 files changed, 101 insertions(+), 72 deletions(-) diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index 04e207d7a1..b6661ed6de 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml +++ b/detections/endpoint/linux_auditd_at_application_execution.yml @@ -1,7 +1,7 @@ name: Linux Auditd At Application Execution id: 9f306e0a-1c36-469e-8892-968ca12470dd -version: 5 -date: '2025-02-20' +version: 6 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -16,10 +16,13 @@ description: The following analytic detects the execution of the "At" applicatio and mitigate potential risks. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") - AND NOT (UID IN("daemon")) | rename host as dest | stats count min(_time) as firstTime - max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `linux_auditd_at_application_execution_filter`' +search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (uid IN("daemon")) + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_at_application_execution_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -75,6 +78,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml index 486d997610..420eeb7c4a 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml 
@@ -1,7 +1,7 @@ name: Linux Auditd Data Transfer Size Limits Via Split Syscall id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e -version: 4 -date: '2024-02-20' +version: 5 +date: '2024-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -15,10 +15,13 @@ description: The following analytic detects suspicious data transfer activities from the network. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" | rename host as - dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL - UID ppid pid success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`' +search: '`linux_auditd` type=SYSCALL comm=split OR exe= "*/split" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -72,6 +75,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index 02f6c4ea83..aa762ec3c3 100644 
--- a/detections/endpoint/linux_auditd_doas_tool_execution.yml +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml @@ -1,7 +1,7 @@ name: Linux Auditd Doas Tool Execution id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b -version: 5 -date: '2025-02-20' +version: 6 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -14,10 +14,13 @@ description: The following analytic detects the execution of the 'doas' tool on the entire system. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=doas | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_doas_tool_execution_filter`' +search: '`linux_auditd` type=SYSCALL comm=doas + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_doas_tool_execution_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -71,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index 33311670ec..759a4cb8e6 100644 
--- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml @@ -1,7 +1,7 @@ name: Linux Auditd Edit Cron Table Parameter id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f -version: 5 -date: '2025-02-20' +version: 6 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -14,11 +14,13 @@ description: The following analytic detects the suspicious editing of cron jobs compromise. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN - ("*/crontab")) success=yes AND NOT (UID IN("daemon")) | rename host as dest | stats - count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid - pid dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_edit_cron_table_parameter_filter`' +search: '`linux_auditd` type=SYSCALL syscall IN ("rename", "execve") (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (UID IN("daemon")) + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_edit_cron_table_parameter_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested 
@@ -73,6 +75,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml index f79c5a9b34..684df14ee2 100644 --- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml @@ -1,7 +1,7 @@ name: Linux Auditd Insert Kernel Module Using Insmod Utility id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3 -version: 6 -date: '2025-02-20' +version: 7 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -14,10 +14,13 @@ description: The following analytic detects the insertion of a Linux kernel modu execution, persistent access, and severe compromise of the affected system. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=insmod | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_insert_kernel_module_using_insmod_utility_filter`' +search: '`linux_auditd` type=SYSCALL comm=insmod + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_insert_kernel_module_using_insmod_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -74,6 +77,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml index b9e5e8f45c..484e5d091e 100644 --- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml 
@@ -1,7 +1,7 @@ name: Linux Auditd Install Kernel Module Using Modprobe Utility id: 95165985-ace5-4d42-9c42-93a89a5af901 -version: 5 -date: '2025-02-20' +version: 6 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -14,10 +14,13 @@ description: The following analytic detects the installation of a Linux kernel m access to the system, compromising its integrity and security. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=modprobe | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_install_kernel_module_using_modprobe_utility_filter`' +search: '`linux_auditd` type=SYSCALL comm=modprobe + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_install_kernel_module_using_modprobe_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should @@ -73,6 +76,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml index 3fce0c9f78..81c3561d60 100644 
--- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml @@ -1,7 +1,7 @@ name: Linux Auditd Kernel Module Enumeration id: d1b088de-c47a-4572-9339-bdcc26493b32 -version: 5 -date: '2025-02-20' +version: 6 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -14,9 +14,12 @@ description: The following analytic identifies the use of the 'kmod' process to other malicious actions within the system. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=lsmod | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` +search: '`linux_auditd` type=SYSCALL comm=lsmod + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_auditd_kernel_module_enumeration_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures @@ -71,6 +74,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml index f31c9ddf36..b90632c5c2 100644 --- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml 
+++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml @@ -1,7 +1,7 @@ name: Linux Auditd Kernel Module Using Rmmod Utility id: 31810b7a-0abe-42be-a210-0dec8106afee -version: 5 -date: '2025-02-20' +version: 6 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: TTP @@ -15,10 +15,13 @@ description: The following analytic detects suspicious use of the `rmmod` utilit to protect system integrity and security. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=rmmod | rename host as dest | stats count - min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid - success dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `linux_auditd_kernel_module_using_rmmod_utility_filter`' +search: '`linux_auditd` type=SYSCALL comm=rmmod + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid success dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_kernel_module_using_rmmod_utility_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested @@ -72,6 +75,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log source: auditd sourcetype: auditd 
diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml index 6eb0e19f4d..2ff08b4af7 100644 --- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml +++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml @@ -1,7 +1,7 @@ name: Linux Auditd System Network Configuration Discovery id: 5db16825-81bd-4923-a8d6-d6a13a59832a -version: 4 -date: '2025-02-20' +version: 5 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -15,12 +15,15 @@ description: The following analytic detects suspicious system network configurat reconnaissance operations, mitigating the risk of further compromise. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", - "firewall-cmd", "ufw", "iptables", "ss", "route") | bucket _time span=15m | rename - host as dest | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) - as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) - as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest | - where unique_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") + | bucket _time span=15m + | rename host as dest + | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) + as exe, values(syscall) as syscall, values(uid) as uid, values(ppid) as ppid, values(pid) + as pid, count, min(_time) as firstTime, max(_time) as lastTime by success dest + | where unique_commands >= 4 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `linux_auditd_system_network_configuration_discovery_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line @@ -75,6 +78,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log source: auditd sourcetype: auditd 
diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index 67d3f903b3..147c2bcc7a 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -1,7 +1,7 @@ name: Linux Auditd Whoami User Discovery id: d1ff2e22-310d-446a-80b3-faedaa7b3b52 -version: 4 -date: '2025-02-20' +version: 5 +date: '2025-04-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -15,10 +15,13 @@ description: The following analytic detects the suspicious use of the whoami com further malicious operations. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" | rename host - as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL - UID ppid pid dest success | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `linux_auditd_whoami_user_discovery_filter`' +search: '`linux_auditd` type=SYSCALL comm=whoami OR exe= "*/whoami" + | rename host as dest + | stats count min(_time) as firstTime max(_time) as lastTime + by comm exe syscall uid ppid pid dest success + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `linux_auditd_whoami_user_discovery_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested 
@@ -73,6 +76,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log source: auditd sourcetype: auditd From b32a6bd148716edb9d7c3d38af29434504d50afe Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 16 Apr 2025 16:38:30 -0700 Subject: [PATCH 2/4] mionr fix --- detections/endpoint/linux_auditd_at_application_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index b6661ed6de..32ce89572f 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml +++ b/detections/endpoint/linux_auditd_at_application_execution.yml @@ -16,7 +16,7 @@ description: The following analytic detects the execution of the "At" applicatio and mitigate potential risks. data_source: - Linux Auditd Syscall -search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (uid IN("daemon")) +search: '`linux_auditd` type=SYSCALL comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (uid IN ("daemon")) | rename host as dest | stats count min(_time) as firstTime max(_time) as lastTime by comm exe syscall uid ppid pid dest From 8b9a070ec116cc077546b83af218b692f066e14e Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 5 May 2025 10:09:54 +0200 Subject: [PATCH 3/4] linux_syscall_auditd_update --- data_sources/linux_auditd_syscall.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml index 838787f1fe..90140cc103 100644 --- a/data_sources/linux_auditd_syscall.yml 
+++ b/data_sources/linux_auditd_syscall.yml @@ -59,6 +59,13 @@ fields: - EGID - SGID - FSGID +output_fields: +- comm +- exe +- syscall +- uid +- ppid +- pid example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 From fcb1c407cd24cd922042efe0f4b45350a9413365 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 5 May 2025 11:07:20 -0700 Subject: [PATCH 4/4] add dest to output_field --- data_sources/linux_auditd_syscall.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml index 90140cc103..5445708d04 100644 --- a/data_sources/linux_auditd_syscall.yml +++ b/data_sources/linux_auditd_syscall.yml @@ -66,6 +66,7 @@ output_fields: - uid - ppid - pid +- dest example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
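Review bot: The date bump in the linux_auditd_data_transfer_size_limits_via_split_syscall.yml header hunk looks like a typo: `-date: '2024-02-20'` becomes `+date: '2024-04-16'`, while every other file in this series moves to `'2025-04-16'` and the version is incremented in the same way. Change it to `date: '2025-04-16'` so the metadata matches the rest of the patch.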
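Review bot: The search hunk in linux_auditd_at_application_execution.yml has an operator-precedence problem that the rewrite carries over unchanged. In SPL, AND binds more tightly than OR, so `comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd") AND NOT (uid IN("daemon"))` is evaluated as `comm IN (...) OR (exe IN (...) AND NOT uid ...)`, and the `daemon` exclusion never applies to events matched by `comm`. Wrap the two inclusion terms, e.g. `(comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")) AND NOT (uid IN ("daemon"))`. Separately, the `example_log` in data_sources/linux_auditd_syscall.yml shows `uid=0`, a numeric value; unless the sourcetype resolves uids to names, `uid IN ("daemon")` cannot match and the exclusion is a no-op either way.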
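Review bot: The search hunk in linux_auditd_edit_cron_table_parameter.yml is internally inconsistent about field-name case and also changes what the analytic detects without saying so. The filter still reads `NOT (UID IN("daemon"))` in uppercase while the `by` clause now uses lowercase `syscall uid`; if `UID` no longer exists after the rename to lowercase fields, `NOT (UID IN (...))` is true for every event and the exclusion silently disappears, so it should become `NOT (uid IN ("daemon"))`. In the same line, `SYSCALL=rename` becomes `syscall IN ("rename", "execve")`; matching `execve` means any `crontab` invocation (listing included) now fires, not only the rename that writes the table, which the name "Edit Cron Table Parameter" and the description do not cover. Either keep `rename` only or update the description and the commit message to reflect the broader scope.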
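Review bot: The "mionr fix" hunk only adds the space in `uid IN ("daemon")` for linux_auditd_at_application_execution.yml, but the identical pattern `UID IN("daemon")` is left as-is in linux_auditd_edit_cron_table_parameter.yml in the same series. Apply the same spacing (and the lowercase `uid`) there so both filters read the same way.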
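Review bot: The tests hunk in linux_auditd_at_application_execution.yml uses a dataset path that breaks the naming pattern used by every other file in this series: `linux_new_auditd_at/linux_auditd_new_at.log`, whereas the others follow `<name>_new/linux_auditd_new_<name>.log` (e.g. `linux_auditd_doas_new/linux_auditd_new_doas.log`). If the attack_data repository directory really is named `linux_new_auditd_at` this is fine, otherwise rename it to `linux_auditd_at_new` for consistency.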
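Review bot: The new `output_fields:` block in data_sources/linux_auditd_syscall.yml needs a word about how these lowercase names relate to the raw event, because the visible context points the other way. The `fields:` list just above still carries uppercase entries (`EGID`, `SGID`, `FSGID`), and the `example_log` below shows `syscall=59` and `uid=0` as numbers, while the updated searches compare `syscall IN ("rename", "execve")` and `uid IN ("daemon")` against names. If the sourcetype's extractions resolve syscall numbers and uids to names, document that here; if they do not, those filters will never match. The block is also missing `success`, which every search in the series except linux_auditd_at_application_execution.yml and linux_auditd_edit_cron_table_parameter.yml groups on in its `by` clause.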
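Review bot: Adding `- dest` to `output_fields:` in data_sources/linux_auditd_syscall.yml lists a field that does not exist in the raw event; every search in the series creates it with `| rename host as dest`. If `output_fields` is meant to describe what the data source itself provides, list `host` (or note that `dest` is derived from `host` by the searches) so a reader does not look for a `dest` field in the auditd record.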