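{
  // Linux syslog/auditd parser — OCSF v1.3.0.
  //
  // `attributes` is the baseline applied to every parsed line; each entry in
  // `formats` overrides individual keys for the lines its `format` matches.
  // Formats are tried in order and `halt: true` stops at the first match, so
  // the more specific detections must stay ahead of the generic ones.
  // A line matching no format keeps the baseline below, i.e. a generic
  // File System Activity event with activity "Unknown" (type_uid 100100).
  attributes: {
    "metadata.version": "1.3.0",
    "metadata.product.vendor_name": "Linux",
    "metadata.product.name": "Linux OS",
    "metadata.log_provider": "syslog",
    // NOTE(review): key casing differs from the other baseline keys
    // ("dataSource.category" is lower-case) — kept as-is; confirm which form
    // the downstream schema expects.
    "Category": "host",
    "dataSource.vendor": "Linux",
    "dataSource.name": "Linux OS",
    "dataSource.category": "host",
    "category_uid": 1,
    "category_name": "System Activity",
    "class_uid": 1001,
    "class_name": "File System Activity",
    "activity_id": 0,
    "activity_name": "Unknown",
    "type_uid": 100100,
    "status_id": 1,
    "status": "Success",
    "severity_id": 1,
    "severity": "Informational"
  },

  // Named sub-patterns referenced as $field=pattern$ inside a `format`.
  // Each one is a regex fragment that also becomes the captured value of
  // `field`, so keep them as tight as the log text allows.
  patterns: {
    ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
    word: "\\S+",
    // Same as `word` but may be empty, so a plain "python -c" matches as well
    // as "python3 -c" (an empty capture is assumed to be accepted — verify).
    optword: "\\S*",
    rest: ".*",
    // Credential-dumping tool names; matched case-sensitively anywhere in the line.
    creds: "(mimikatz|hashdump|secretsdump|kerbrute)",
    revshell: ".*socket\\.socket.*",
    // A command line that references a dot-file or dot-directory directly
    // under /tmp (e.g. /tmp/.hidden/...), which is what the cron detection
    // below is meant to single out.
    hidden_tmp: ".*/tmp/\\.\\S*.*"
  },

  formats: [
    // SSH failed authentication.
    // Fires once per failed attempt (no thresholding here), so brute-force
    // bursts produce one High finding per line.
    {
      id: "ssh_failed",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create", type_uid: 200401,
        finding_title: "Linux SSH Authentication Failure",
        severity_id: 4, severity: "High",
        disposition_id: 2, disposition: "Blocked"
      },
      format: ".*Failed password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*",
      halt: true
    },

    // SSH successful authentication.
    {
      id: "ssh_success",
      attributes: {
        class_uid: 3002, class_name: "Authentication",
        category_uid: 3, category_name: "IAM",
        activity_id: 1, activity_name: "Logon", type_uid: 300201,
        status_id: 1, status: "Success"
      },
      format: ".*Accepted password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*",
      halt: true
    },

    // sudo: user NOT in sudoers (privilege-escalation attempt).
    // The original line wraps across two physical lines in the source; the
    // format below is the single-line regex.
    {
      id: "sudo_not_in_sudoers",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create", type_uid: 200401,
        finding_title: "Linux Sudo Not In Sudoers",
        severity_id: 5, severity: "Critical",
        disposition_id: 2, disposition: "Blocked"
      },
      format: ".*sudo: $user_name=word$ : user NOT in sudoers ; TTY=$tty=word$ ; PWD=$pwd=word$ ; USER=$target_user=word$ ; COMMAND=$process_cmd_line=rest$",
      halt: true
    },

    // useradd — new user account created.
    // Modeled as an Account Change (3001) rather than a finding; the
    // finding_title/severity keys are carried for dashboards that key on them.
    {
      id: "useradd",
      attributes: {
        class_uid: 3001, class_name: "Account Change",
        category_uid: 3, category_name: "IAM",
        activity_id: 1, activity_name: "Create", type_uid: 300101,
        finding_title: "Linux New User Account Created",
        severity_id: 4, severity: "High"
      },
      format: ".*useradd\\[$pid=word$\\]: new user: name=$new_user=word$, UID=$uid=word$, GID=$gid=word$.*",
      halt: true
    },

    // Mimikatz / credential-dumping tool names.
    // activity_id/activity_name are set explicitly: type_uid 200401 encodes
    // activity 1 ("Create"), and without them the baseline's activity 0
    // ("Unknown") would leak through and contradict the type_uid.
    {
      id: "credential_dump",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create", type_uid: 200401,
        finding_title: "Linux Credential Dumping Tool",
        severity_id: 5, severity: "Critical",
        disposition_id: 2, disposition: "Blocked"
      },
      format: ".*$tool=creds$.*",
      halt: true
    },

    // Reverse shell (python -c with socket.socket).
    // `optword` lets the interpreter suffix be empty so "python -c" is
    // covered alongside "python3 -c". activity_id/activity_name are set for
    // the same reason as in credential_dump.
    {
      id: "reverse_shell",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create", type_uid: 200401,
        finding_title: "Linux Reverse Shell Execution",
        severity_id: 5, severity: "Critical",
        disposition_id: 2, disposition: "Blocked"
      },
      format: ".*python$ver=optword$ -c $cmd=revshell$.*",
      halt: true
    },

    // Generic auditd EXECVE → Process Activity / Launch.
    // a0 is captured with `word`, so an a0 value containing whitespace will
    // not match this format and the line falls through to the baseline.
    {
      id: "auditd_execve",
      attributes: {
        class_uid: 1007, class_name: "Process Activity",
        category_uid: 1, category_name: "System Activity",
        activity_id: 1, activity_name: "Launch", type_uid: 100701
      },
      format: ".*auditd\\[$pid=word$\\]: EXECVE argc=$argc=word$ a0=\"$process_name=word$\" $cmdline=rest$",
      halt: true
    },

    // Cron job executed from a hidden path under /tmp (e.g. /tmp/.hidden).
    // The command is captured with `hidden_tmp` instead of `rest`: with `rest`
    // every routine cron CMD line became a High finding and halted here, so
    // ordinary scheduled jobs were never classified as anything else.
    // activity_id/activity_name are set for the same reason as in credential_dump.
    {
      id: "cron_suspicious",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        activity_id: 1, activity_name: "Create", type_uid: 200401,
        finding_title: "Linux Suspicious Cron Job",
        severity_id: 4, severity: "High"
      },
      format: ".*cron\\[$pid=word$\\]: \\($cron_user=word$\\) CMD \\($cron_cmd=hidden_tmp$\\)",
      halt: true
    }
  ]
}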