Linux Alerts

Failed Login Attempted on Linux server.


Category: Linux

This alert detects failed login attempts on a Linux machine.

Critical

Alert Rule


title: Failed Login Attempted on Linux server
author: Admin
description: Detect Failed Login Attempts on Linux Machine
detection:
  condition: ((selection1 and selection2) and selection3)
  selection1:
    event.action|contains: PAM:authentication
  selection2:
    event.category|contains: USER_AUTH
  selection3:
    event.outcome: failed
level: critical
logsource:
  product: linux
  service: security
logtype: linux

Alert Data


event.action : PAM:authentication
event.category : USER_AUTH
event.host : BHC.753159
event.module : syslog
event.outcome : failed
host.ip : 10.100.60.231
host.name : BHC.753159
log.type : audit
observer.type : linux
observer.vendor : linux
process.executable : /usr/bin/sudo
process.name : tag_audit_log
process.pid : 3120497
server.address : ?
user.name : Rajaram

A User deleted a file using remove command.


Category: Linux

This alert detects the use of the rm command to remove files on a Linux system.

High

Alert Rule


title: A User deleted a file using remove command
author: Admin
description: Detects the use of the rm command to remove files on a Linux system
detection:
  condition: selection1 and selection2
  selection1:
    event.category|contains: fim
  selection2:
    process.name|contains: rm
level: High
logsource:
  category: linux
  product: linux
logtype: linux

Alert Data


event.action : process_started
event.category : fim
event.host : BHC-753951
event.module : syslog
event.type : start
host.architecture : x86_64
host.hostname : BHC-753951
host.ip : 10.100.9.75
host.name : BHC-753951
log.type : audit
observer.type : linux
observer.vendor : linux
process.executable : /usr/libexec/platform-python3.6
process.name : rm
process.pid : 3601464
process.working_directory : /
user.name : root

Linux Server Shutdown/Reboot happened.


Category: Linux

This alert indicates that adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.

Medium

Alert Rule


title: Linux Server Shutdown/Reboot happened
author: Admin
description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
detection:
  condition: selection
  selection:
    event.category|contains:
      - SYSTEM_BOOT
      - SYSTEM_SHUTDOWN
logsource:
  product: linux
  service: auditd
logtype: Linux
level: Medium

Alert Data


event.action : success
event.category : SYSTEM_SHUTDOWN
event.host : BHC753951
event.module : syslog
host.ip : ?
host.name : BHC753951
log.type : audit
observer.type : linux
observer.vendor : linux
process.executable : /usr/lib/systemd/systemd-update-utmp
process.name : systemd-update-utmp
process.pid : 1194015
user.id : 0
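
The three rules above share one matching model: each selection is a set of field tests joined with AND, a list of values is an OR, `|contains` is a substring test, and the `condition` line combines selections. The following evaluator is an added example, not the alerting product's own code; it carries the three rules as written on this page and evaluates them against a flattened event such as the Alert Data records. The `ast`-based condition walker and the field names are the only assumptions.

```python
import ast

# Rules from this page, reduced to condition + selections (title, level and
# logsource are metadata and play no part in matching).
RULES = {
    "Failed Login Attempted on Linux server": {
        "condition": "((selection1 and selection2) and selection3)",
        "selection1": {"event.action|contains": "PAM:authentication"},
        "selection2": {"event.category|contains": "USER_AUTH"},
        "selection3": {"event.outcome": "failed"}},
    "A User deleted a file using remove command": {
        "condition": "selection1 and selection2",
        "selection1": {"event.category|contains": "fim"},
        "selection2": {"process.name|contains": "rm"}},
    "Linux Server Shutdown/Reboot happened": {
        "condition": "selection",
        "selection": {"event.category|contains": ["SYSTEM_BOOT", "SYSTEM_SHUTDOWN"]}},
}

def selection_matches(selection, event):
    """Every field spec must match (AND); a list of values is an OR.
    Only plain equality and the |contains modifier (substring) are handled."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        actual = str(event.get(field, ""))
        values = [str(v) for v in (expected if isinstance(expected, list) else [expected])]
        hit = any(v in actual for v in values) if modifier == "contains" else actual in values
        if not hit:
            return False
    return True

def evaluate_condition(condition, rule, event):
    """Walk the condition ('and' / 'or' / 'not' / parentheses) via Python's
    expression AST instead of eval(); selection names resolve to matches."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            results = [walk(v) for v in node.values]
            return all(results) if isinstance(node.op, ast.And) else any(results)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return selection_matches(rule[node.id], event)
        raise ValueError(f"unsupported condition syntax: {type(node).__name__}")
    return walk(ast.parse(condition, mode="eval").body)

def matching_rules(event):
    """Titles of every rule whose condition holds for one flattened event."""
    return [title for title, rule in RULES.items()
            if evaluate_condition(rule["condition"], rule, event)]
```

Because `|contains` is a substring test, `process.name|contains: rm` also fires for any process whose name merely contains "rm" (for example `alarm`), so an exact match (`process.name: rm`) is the tighter form of the second rule.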
