Import SigmaHQ auditd rules #1194
wants to merge 26 commits into
base: master
249 changes: 229 additions & 20 deletions .index.json
18 changes: 16 additions & 2 deletions .tests/auditd-base64-exec/scenario.assert
Expand Up @@ -5,22 +5,36 @@ results[0].Overflow.Sources["26843"].Range == ""
results[0].Overflow.Sources["26843"].GetScope() == "pid"
results[0].Overflow.Sources["26843"].GetValue() == "26843"
results[0].Overflow.Alert.Events[0].GetMeta("auditd_eventid") == "2995"
results[0].Overflow.Alert.Events[0].GetMeta("auditd_type") == "SYSCALL"
results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1000"
results[0].Overflow.Alert.Events[0].GetMeta("comm") == "perl"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "auditd-base64-exec.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[0].GetMeta("euid") == "1000"
results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/perl"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
results[0].Overflow.Alert.Events[0].GetMeta("gid") == "1000"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
results[0].Overflow.Alert.Events[0].GetMeta("pid") == "27032"
results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "26843"
results[0].Overflow.Alert.Events[0].GetMeta("ses") == "106985"
results[0].Overflow.Alert.Events[0].GetMeta("syscall_num") == "59"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-17T13:23:37Z"
results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts2"
results[0].Overflow.Alert.Events[0].GetMeta("uid") == "1000"
results[0].Overflow.Alert.Events[1].GetMeta("auditd_eventid") == "2996"
results[0].Overflow.Alert.Events[1].GetMeta("auditd_type") == "SYSCALL"
results[0].Overflow.Alert.Events[1].GetMeta("auid") == "1000"
results[0].Overflow.Alert.Events[1].GetMeta("comm") == "base64"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "auditd-base64-exec.log"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[1].GetMeta("euid") == "1000"
results[0].Overflow.Alert.Events[1].GetMeta("exe") == "/usr/bin/base64"
results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "execve"
results[0].Overflow.Alert.Events[1].GetMeta("gid") == "1000"
results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auditd_syscall_execve"
results[0].Overflow.Alert.Events[1].GetMeta("pid") == "27031"
results[0].Overflow.Alert.Events[1].GetMeta("ppid") == "26843"
results[0].Overflow.Alert.Events[1].GetMeta("ses") == "106985"
results[0].Overflow.Alert.Events[1].GetMeta("syscall_num") == "59"
results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-17T13:23:37Z"
results[0].Overflow.Alert.Events[1].GetMeta("tty") == "pts2"
results[0].Overflow.Alert.Events[1].GetMeta("uid") == "1000"
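Review bot: The `log_type` assertions for both alert events now pin the meta value `auditd_syscall_execve` in place of the old `execve`, and that is a breaking change for any scenario or postoverflow outside this repository that filters on `evt.Meta.log_type == "execve"`: such rules will silently stop matching rather than fail loudly. The parser that emits the value is not in this section, so I cannot tell whether the old value is still produced anywhere; if it is not, the rename should be called out in the parser's description and accompanied by a version bump so hub users see it on upgrade. A one-line note along the lines of `log_type was renamed from "execve" to "auditd_syscall_execve"; rules keyed on the old value must be updated` in the parser description would be enough.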
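--- a/.tests/auditd-logs-EXECVE/auditd-logs-EXECVE.log
+++ b/.tests/auditd-logs-EXECVE/auditd-logs-EXECVE.log
@@ -0,0 +1,3 @@
+type=EXECVE msg=audit(1734094314.009:1032): argc=2 a0="id" a1="a=1"
+type=EXECVE msg=audit(1734099855.076:1689): argc=3 a0="/bin/sh" a1="/etc/update-motd.d/50-motd-news" a2="--force"
+type=EXECVE msg=audit(1734093676.086:1008): argc=14 a0="id" a1="1" a2="2" a3="3" a4="4" a5="5" a6="6" a7="7" a8="8" a9="9" a10="10" a11="11" a12="12" a13="13"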
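Review bot: Every argument in the three fixture lines is a quoted printable string, so the other encoding auditd uses for argv is left untested: when an element contains a space, a double quote or a non-printable byte, the kernel emits it as an unquoted hex string (for example `a1=6563686F206869` for `echo hi`), and very long elements are split into `a1[0]=`, `a1[1]=` fragments. Whether the parser decodes these is not visible here, but `execve_full_str` is the field command-line detections will match on, so if hex is passed through untouched an attacker only needs a space inside one argument to turn that field into a hex blob instead of the command text. Adding one fixture line with a hex-encoded argument, plus an assertion on its decoded `execve_full_str` in parser.assert, would pin the intended behaviour either way.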
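--- a/.tests/auditd-logs-EXECVE/config.yaml
+++ b/.tests/auditd-logs-EXECVE/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+- crowdsecurity/syslog-logs
+- ./parsers/s01-parse/crowdsecurity/auditd-logs.yaml
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: auditd-logs-EXECVE.log
+log_type: auditd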
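--- a/.tests/auditd-logs-EXECVE/parser.assert
+++ b/.tests/auditd-logs-EXECVE/parser.assert
@@ -0,0 +1,90 @@
+len(results) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 3
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734094314.009:1032): argc=2 a0=\"id\" a1=\"a=1\""
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "auditd"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734099855.076:1689): argc=3 a0=\"/bin/sh\" a1=\"/etc/update-motd.d/50-motd-news\" a2=\"--force\""
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "auditd"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734093676.086:1008): argc=14 a0=\"id\" a1=\"1\" a2=\"2\" a3=\"3\" a4=\"4\" a5=\"5\" a6=\"6\" a7=\"7\" a8=\"8\" a9=\"9\" a10=\"10\" a11=\"11\" a12=\"12\" a13=\"13\""
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "auditd"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+len(results["s01-parse"]["crowdsecurity/auditd-logs"]) == 3
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["event_inc_id"] == "1032"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734094314.009:1032): argc=2 a0=\"id\" a1=\"a=1\""
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["msg_type"] == "audit"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["program"] == "auditd"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["timestamp"] == "1734094314.009"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["auditd_eventid"] == "1032"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["execve_full_str"] == "id a=1"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["log_type"] == "auditd_execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["a0"] == "id"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["a1"] == "a=1"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["argc"] == "2"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["msg"] == "audit(1734094314.009:1032):"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Unmarshaled["auditd"]["type"] == "EXECVE"
+results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["event_inc_id"] == "1689"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734099855.076:1689): argc=3 a0=\"/bin/sh\" a1=\"/etc/update-motd.d/50-motd-news\" a2=\"--force\""
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["msg_type"] == "audit"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["program"] == "auditd"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["timestamp"] == "1734099855.076"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["auditd_eventid"] == "1689"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["execve_full_str"] == "/bin/sh /etc/update-motd.d/50-motd-news --force"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["log_type"] == "auditd_execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a0"] == "/bin/sh"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a1"] == "/etc/update-motd.d/50-motd-news"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["a2"] == "--force"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["argc"] == "3"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["msg"] == "audit(1734099855.076:1689):"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Unmarshaled["auditd"]["type"] == "EXECVE"
+results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["event_inc_id"] == "1008"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["message"] == "type=EXECVE msg=audit(1734093676.086:1008): argc=14 a0=\"id\" a1=\"1\" a2=\"2\" a3=\"3\" a4=\"4\" a5=\"5\" a6=\"6\" a7=\"7\" a8=\"8\" a9=\"9\" a10=\"10\" a11=\"11\" a12=\"12\" a13=\"13\""
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["msg_type"] == "audit"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["program"] == "auditd"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Parsed["timestamp"] == "1734093676.086"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["auditd_eventid"] == "1008"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_path"] == "auditd-logs-EXECVE.log"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["execve_full_str"] == "id 1 2 3 4 5 6 7 8 9 10 11 12 13"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["log_type"] == "auditd_execve"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a9"] == "9"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a10"] == "10"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a3"] == "3"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a4"] == "4"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a5"] == "5"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a8"] == "8"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["argc"] == "14"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["msg"] == "audit(1734093676.086:1008):"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["type"] == "EXECVE"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a0"] == "id"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a1"] == "1"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a12"] == "12"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a13"] == "13"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a6"] == "6"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a11"] == "11"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a2"] == "2"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Unmarshaled["auditd"]["a7"] == "7"
+results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Whitelisted == false
+len(results["success"][""]) == 0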
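Review bot: The EXECVE records in this fixture are parsed in isolation, and the `Unmarshaled["auditd"]` assertions show they yield only argv fields (`a0`..`a13`, `argc`, `msg`, `type`) plus `auditd_eventid`; the uid, auid, exe and comm of the process live on the SYSCALL record of the same audit event and never appear here. Nothing in this file pins that an EXECVE record and its companion SYSCALL record parse to the same `auditd_eventid`, yet that serial is the only key a scenario built on `auditd_execve` events has to attribute a command line to a user or session. The parser is outside this section, so I cannot tell whether it already joins the two; a fixture containing one SYSCALL line and its EXECVE line sharing the same `audit(ts:serial)` id, with an assertion that both produce the same `auditd_eventid`, would lock the expectation in.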
8 changes: 4 additions & 4 deletions .tests/auditd-logs/parser.assert
Expand Up @@ -35,7 +35,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Parsed["message"] == "t
results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_path"] == "auditd-logs.log"
results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["exe"] == "/usr/bin/perl"
results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["log_type"] == "execve"
results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["log_type"] == "auditd_syscall_execve"
results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["tty"] == "pts2"
results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["uid"] == "1000"
results["s01-parse"]["crowdsecurity/auditd-logs"][0].Evt.Meta["auditd_eventid"] == "2995"
Expand Down Expand Up @@ -75,7 +75,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["timestamp"] ==
results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["event_inc_id"] == "2996"
results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Parsed["message"] == "type=SYSCALL msg=audit(1684329817.579:2996): arch=c000003e syscall=59 success=yes exit=0 a0=237f5e8 a1=238d408 a2=2384008 a3=59a items=2 ppid=26843 pid=27031 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=106985 comm=\"base64\" exe=\"/usr/bin/base64\" key=(null)"
results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["log_type"] == "execve"
results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["log_type"] == "auditd_syscall_execve"
results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["auditd_eventid"] == "2996"
results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["auid"] == "1000"
results["s01-parse"]["crowdsecurity/auditd-logs"][1].Evt.Meta["datasource_path"] == "auditd-logs.log"
Expand Down Expand Up @@ -120,7 +120,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["auditd_eventid"]
results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_path"] == "auditd-logs.log"
results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["datasource_type"] == "file"
results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["exe"] == "/usr/bin/perl"
results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["log_type"] == "execve"
results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["log_type"] == "auditd_syscall_execve"
results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["ppid"] == "26843"
results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["auid"] == "1000"
results["s01-parse"]["crowdsecurity/auditd-logs"][2].Evt.Meta["tty"] == "pts2"
Expand Down Expand Up @@ -164,7 +164,7 @@ results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["tty"] == "pts2"
results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["auditd_eventid"] == "2998"
results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["auid"] == "1000"
results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["exe"] == "/usr/bin/id"
results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["log_type"] == "execve"
results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["log_type"] == "auditd_syscall_execve"
results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["ppid"] == "26843"
results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Meta["uid"] == "1000"
results["s01-parse"]["crowdsecurity/auditd-logs"][3].Evt.Unmarshaled["auditd"]["success"] == "yes"
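Review bot: The new `log_type` value `auditd_syscall_execve` is asserted on records whose raw message carries `arch=c000003e syscall=59`, and 59 is execve only on x86_64; on aarch64 (`arch=c00000b7`) execve is syscall 221, and execveat differs on both, so if the parser classifies on the syscall number alone the label would be wrong or missing on arm64 hosts and every scenario keyed on it would go blind there. The parser is not in this section, so this is a question rather than a confirmed defect: the classification should key on `arch` together with `syscall`, or on the textual `SYSCALL=execve` field auditd adds with `log_format = ENRICHED`. A fixture line with `arch=c00000b7 syscall=221` and an assertion on its `log_type` would make the expectation explicit.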
6 changes: 3 additions & 3 deletions .tests/auditd-postexploit-exec-from-net/scenario.assert
Expand Up @@ -9,7 +9,7 @@ results[0].Overflow.Alert.Events[0].GetMeta("auid") == "1000"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "auditd-postexploit-exec-from-net.log"
results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[0].GetMeta("exe") == "/usr/bin/wget"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "execve"
results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auditd_syscall_execve"
results[0].Overflow.Alert.Events[0].GetMeta("ppid") == "26843"
results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-05-17T13:45:27Z"
results[0].Overflow.Alert.Events[0].GetMeta("tty") == "pts2"
Expand All @@ -19,7 +19,7 @@ results[0].Overflow.Alert.Events[1].GetMeta("auid") == "1000"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "auditd-postexploit-exec-from-net.log"
results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[1].GetMeta("exe") == "/bin/chmod"
results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "execve"
results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auditd_syscall_execve"
results[0].Overflow.Alert.Events[1].GetMeta("ppid") == "26843"
results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-05-17T13:45:27Z"
results[0].Overflow.Alert.Events[1].GetMeta("tty") == "pts2"
Expand All @@ -29,7 +29,7 @@ results[0].Overflow.Alert.Events[2].GetMeta("auid") == "1000"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "auditd-postexploit-exec-from-net.log"
results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
results[0].Overflow.Alert.Events[2].GetMeta("exe") == "/tmp/blitz64"
results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "execve"
results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "auditd_syscall_execve"
results[0].Overflow.Alert.Events[2].GetMeta("ppid") == "26843"
results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-05-17T13:45:27Z"
results[0].Overflow.Alert.Events[2].GetMeta("tty") == "pts2"