# Linux Base Sigma Model

This model is designed for triage of dead-disk images or for file-based live
analysis: every log source is read from log files under ROOT rather than from
a live event stream. The rules that use this model are evaluated once over all
events; after all relevant rules have been evaluated, the collection is
complete.

NOTE: The auditd-based log sources assume an auditd configuration based on
https://raw.githubusercontent.com/Neo23x0/auditd/refs/heads/master/audit.rules
## Log Sources

The recognized log sources are listed below, after the field mappings.

## Field Mappings

The following field mappings can be used to access fields within the event.
Note that it is also possible to access the fields directly by their path in
the event (e.g. `Process.exe`), so a rule is not limited to the mapped names.
| Name | Mapping |
|---|---|
| | x=>x |
| CommandLine | x=>x.Process.title |
| DestinationHostname | x=>host(name=x.Dest.ip, type="PTR", tracker_only=TRUE) |
| DestinationIp | x=>x.Dest.ip |
| DestinationPort | x=>x.Dest.port |
| Image | x=>x.Process.exe |
| Initiated | x=>x.Net.direction =~ "egress" |
| TargetFilename | x=>x.File.path |
| a0 | x=>x.Process.args[0] |
| a1 | x=>x.Process.args[1] |
| a2 | x=>x.Process.args[2] |
| a3 | x=>x.Process.args[3] |
| a4 | x=>x.Process.args[4] |
| a5 | x=>x.Process.args[5] |
| a6 | x=>x.Process.args[6] |
| a7 | x=>x.Process.args[7] |
| comm | x=>x.Process.name |
| exe | x=>x.Process.exe |
| key | x=>x.Tags[0] |
| name | x=>x.Process.name |
| nametype | x=>x.Paths.nametype |
| syscall | x=>x.Data.syscall |
| type | x=>upcase(string=x.Type) |
| unit | x=>x.Data.unit |

A few points worth noting when writing rules against these mappings: only the
first eight execve arguments (`a0` to `a7`) are mapped, so a rule that needs a
later argument should match on `CommandLine` or access `Process.args` directly;
`key` exposes only the first auditd rule key (`Tags[0]`); `Initiated` is a
regex match (`=~`) and therefore resolves to a boolean; and `DestinationHostname`
is a reverse (PTR) lookup of `Dest.ip` with `tracker_only=TRUE`, i.e. it is
answered from Velociraptor's DNS tracker rather than by a live DNS query, so it
is empty when the tracker has no record for that address.
## `*/linux/*`

VQL Query:

```vql
SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="auth.log|syslog|secure")
```

Events from this source (and from the other `ParseLogFile`-based sources
below) are raw log lines exposed in the `Line` field, not structured auditd
events, so detections against them are keyword or `Line` matches rather than
matches on the structured fields in the mapping table.

Sample use in a sigma rule:

```yaml
logsource:
  product: linux
```
## `*/linux/sshd`

VQL Query:

```vql
SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="auth.log|secure")
WHERE Line =~ "sshd"
```

The `Line =~ "sshd"` pre-filter is an unanchored regex, so it keeps any line
that mentions sshd anywhere, not only lines logged by the sshd process.

Sample use in a sigma rule:

```yaml
logsource:
  product: linux
  service: sshd
```
## `*/linux/cron`

VQL Query:

```vql
SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="syslog")
WHERE Line =~ "cron"
```

The `Line =~ "cron"` pre-filter is an unanchored regex, so lines from
crontab and anacron (and any other line containing "cron") are included too.

Sample use in a sigma rule:

```yaml
logsource:
  product: linux
  service: cron
```
## `*/linux/auth`

VQL Query:

```vql
SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="auth.log|secure")
```

Sample use in a sigma rule:

```yaml
logsource:
  product: linux
  service: auth
```
## `*/linux/syslog`

VQL Query:

```vql
SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="syslog")
```

Sample use in a sigma rule:

```yaml
logsource:
  product: linux
  service: syslog
```
## `*/linux/sudo`

VQL Query:

```vql
SELECT * FROM ParseLogFile(ROOT=ROOT, Filter="auth.log|secure")
WHERE Line =~ "sudo:"
```

The pre-filter matches the `sudo:` tag that sudo's syslog lines carry; it is
an unanchored regex, so any other line containing `sudo:` is kept as well.

Sample use in a sigma rule:

```yaml
logsource:
  product: linux
  service: sudo
```
## `*/linux/auditd`

VQL Query:

```vql
SELECT * FROM AuditdEvents
```

Events from this source are the structured auditd events produced by
`AuditdEvents`, so the structured mappings in the table above (`exe`, `a0` to
`a7`, `key`, `syscall`, `type`, and so on) apply to them.

Sample use in a sigma rule:

```yaml
logsource:
  product: linux
  service: auditd
```
## `network_connection/linux/*`

VQL Query:

```vql
SELECT * FROM AuditdEvents
WHERE Summary.action = "connected-to"
```

Only auditd events whose `Summary.action` is `connected-to` reach rules for
this category; `Initiated`, `DestinationIp` and `DestinationPort` resolve from
the `Net` and `Dest` fields of those events as shown in the mapping table.

Sample use in a sigma rule:

```yaml
logsource:
  category: network_connection
  product: linux
```
## `process_creation/linux/*`

VQL Query:

```vql
SELECT * FROM ParseAuditdLogFile(ROOT=ROOT + "/audit/", Filter="audit.log")
```

This source parses `audit.log` under `ROOT/audit/` directly and applies no
`WHERE` clause, so every auditd record in the file is offered to
process_creation rules, not only execve records; a rule should therefore
constrain the event itself (for example via the `type` or `syscall` fields)
rather than assume each event is a process start.

Sample use in a sigma rule:

```yaml
logsource:
  category: process_creation
  product: linux
```
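To make the field-mapping table and the `process_creation` / `network_connection`
log sources concrete, the following is an added example, written for this page
and not Velociraptor's own code: a small Python re-implementation of how the
mapped names resolve against an event, with a simplified Sigma detection
evaluator run over constructed events. The event layout is inferred from the
paths the mapping table dereferences (`Process.exe`, `Process.args`, `Dest.ip`,
`Net.direction`, `Summary.action`); the two rules, the sample events and the
`run_examples` helper are hypothetical, and the matching semantics (modifiers,
case-insensitive strings, `selection and not filter`) are a subset written for
illustration rather than Velociraptor's Sigma engine.

```python
import re
from typing import Any, Callable

def _get(x: Any, *path: Any) -> Any:
    """Walk dict keys / list indexes, returning None when a step is missing
    (VQL yields NULL for a missing member rather than failing)."""
    for p in path:
        try:
            x = x[p]
        except (KeyError, IndexError, TypeError):
            return None
    return x

# The mapping table above, transcribed as callables that take the event x.
FIELD_MAPPINGS: dict[str, Callable[[dict], Any]] = {
    "CommandLine": lambda x: _get(x, "Process", "title"),
    "DestinationIp": lambda x: _get(x, "Dest", "ip"),
    "DestinationPort": lambda x: _get(x, "Dest", "port"),
    "Image": lambda x: _get(x, "Process", "exe"),
    # =~ is a regex match in VQL, so Initiated resolves to a boolean
    "Initiated": lambda x: re.search("egress", _get(x, "Net", "direction") or "") is not None,
    "TargetFilename": lambda x: _get(x, "File", "path"),
    "comm": lambda x: _get(x, "Process", "name"),
    "exe": lambda x: _get(x, "Process", "exe"),
    "key": lambda x: _get(x, "Tags", 0),  # only the first auditd key is exposed
    "name": lambda x: _get(x, "Process", "name"),
    "syscall": lambda x: _get(x, "Data", "syscall"),
    "type": lambda x: (_get(x, "Type") or "").upper(),  # upcase(string=x.Type)
}
for _i in range(8):  # a0..a7 -> Process.args[0..7]; a8 and later are unmapped
    FIELD_MAPPINGS[f"a{_i}"] = (lambda i: lambda x: _get(x, "Process", "args", i))(_i)

def resolve(field: str, event: dict) -> Any:
    """Mapped name if there is one, otherwise direct dotted access (e.g. Process.name)."""
    if field in FIELD_MAPPINGS:
        return FIELD_MAPPINGS[field](event)
    return _get(event, *field.split("."))

_STRING_OPS = {  # Sigma string modifiers; matching is case-insensitive per the spec
    "contains": lambda a, e: e in a,
    "startswith": lambda a, e: a.startswith(e),
    "endswith": lambda a, e: a.endswith(e),
}

def _match_one(spec: str, expected: Any, event: dict) -> bool:
    """One `field|modifier: value` comparison (wildcards in plain values not implemented)."""
    field, *mods = spec.split("|")
    actual = resolve(field, event)
    if actual is None:
        return False
    if "re" in mods:
        return re.search(str(expected), str(actual)) is not None
    if not mods:
        if isinstance(actual, str) and isinstance(expected, str):
            return actual.lower() == expected.lower()
        return actual == expected
    ops = [_STRING_OPS[m] for m in mods if m in _STRING_OPS]
    if not ops:
        raise ValueError(f"unsupported modifiers {mods}")
    return all(op(str(actual).lower(), str(expected).lower()) for op in ops)

def _match_selection(selection: dict, event: dict) -> bool:
    for spec, expected in selection.items():  # keys are ANDed, list values are ORed
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_one(spec, v, event) for v in values):
            return False
    return True

def evaluate(rule: dict, event: dict) -> bool:
    """Conditions handled: terms joined by ' and ', each optionally prefixed 'not '."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        if _match_selection(det[term[4:] if negate else term], event) == negate:
            return False
    return True

# Constructed rules, as the dicts their YAML would load into (hypothetical detections).
CURL_TO_TMP = {"logsource": {"category": "process_creation", "product": "linux"},
               "detection": {"selection": {"Image|endswith": "/curl", "a0": "curl",
                                           "CommandLine|contains": ["-o /tmp/", "-o /dev/shm/"]},
                             "condition": "selection"}}
EGRESS_ODD_PORT = {"logsource": {"category": "network_connection", "product": "linux"},
                   "detection": {"selection": {"Initiated": True, "DestinationPort": [4444, 1337]},
                                 "filter": {"DestinationIp|startswith": "127."},
                                 "condition": "selection and not filter"}}

# Constructed events; the layout follows the paths the mapping table dereferences.
EXEC_EVENT = {"Type": "execve", "Tags": ["exec"], "Data": {"syscall": "execve"},
              "Process": {"exe": "/usr/bin/curl", "name": "curl",
                          "title": "curl -s -o /tmp/x http://example.invalid/x",
                          "args": ["curl", "-s", "-o", "/tmp/x", "http://example.invalid/x"]}}
CONN_EVENT = {"Type": "syscall", "Summary": {"action": "connected-to"},
              "Net": {"direction": "egress"}, "Dest": {"ip": "203.0.113.10", "port": 4444},
              "Process": {"exe": "/usr/bin/bash", "name": "bash"}}
LOOPBACK_EVENT = {**CONN_EVENT, "Dest": {"ip": "127.0.0.1", "port": 4444}}

def run_examples() -> dict:
    """Evaluate both rules against the constructed events; keys name rule/event."""
    return {"curl_on_exec": evaluate(CURL_TO_TMP, EXEC_EVENT),
            "curl_on_conn": evaluate(CURL_TO_TMP, CONN_EVENT),
            "egress_on_conn": evaluate(EGRESS_ODD_PORT, CONN_EVENT),
            "egress_on_loopback": evaluate(EGRESS_ODD_PORT, LOOPBACK_EVENT),
            "egress_on_exec": evaluate(EGRESS_ODD_PORT, EXEC_EVENT)}
```

Calling `run_examples()` shows the mappings doing the work a rule author relies
on: `Image|endswith` and `a0` resolve through `Process.exe` and
`Process.args[0]`, `Initiated` is already a boolean when the rule compares it to
`true`, and an event with no `Net` member simply fails the `Initiated` test
instead of raising. `resolve("a9", EXEC_EVENT)` returns `None` because only
`a0` to `a7` are mapped, while `resolve("Process.name", EXEC_EVENT)` works
through direct path access, as the field-mapping note above describes.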