## ## SPDX-FileCopyrightText: 2024 Splunk, Inc. ## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 ## ## [nix_ta_custom_eventtype] search = NOT * [nix_ta_data] search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*)) ###### Globals ###### [nix_security] search = sourcetype="*_secure" #tags = os unix [nix_configs] search = eventtype=nix_ta_data AND (source="/etc/*" OR source="*.conf" OR source="*.cfg") [nix_errors] search = eventtype=nix_ta_data error OR critical OR failure OR fail OR failed OR fatal #tags = error ###### DHCP ###### [dhcpd_server] search = sourcetype=dhcpd (DHCPACK OR DHCPNAK OR DHCPRELEASE) #tags = dhcp network session unix [dhcpd_start] search = sourcetype=dhcpd signature=DHCPACK #tags = start [dhcpd_unable_unexpected] search = sourcetype=dhcpd unable OR unexpected #tags = error [dhcpd_server_dhcpack] search = sourcetype=dhcpd DHCPACK [dhcpd_server_dhcpdiscover] search = sourcetype=dhcpd DHCPDISCOVER [dhcpd_server_dhcpoffer] search = sourcetype=dhcpd DHCPOFFER [dhcpd_server_dhcprelease] search = sourcetype=dhcpd DHCPRELEASE #tags = end [dhcpd_server_dhcprequest] search = sourcetype=dhcpd DHCPREQUEST ###### Scripted Inputs ###### ## CPU stats [cpu] search = sourcetype=cpu #tags = performance os resource report unix cpu [cpu_anomalous] search = sourcetype=cpu PercentSystemTime>90 #tags = enabled [df] search = sourcetype=df #tags = df host check success storage performance [iostat] search = sourcetype=iostat [nfsiostat] search = sourcetype=nfsiostat [lsof] search = sourcetype=lsof [hardware] search = sourcetype=hardware [interfaces] search = sourcetype=interfaces # tags = Inventory Network [lastlog] search = sourcetype=lastlog [netstat] search = sourcetype=netstat # listening port [openPorts] search = sourcetype=openPorts [package] search = sourcetype=package [protocol] search = sourcetype=protocol [ps] search = sourcetype=ps #tags = process oshost success ps cpu performance [top] search = sourcetype=top [time] search = sourcetype=time [usersWithLoginPrivs] search = sourcetype=usersWithLoginPrivs [vmstat] search = sourcetype=vmstat #tags = performance os avail unix report vmstat resource success memory [who] search = sourcetype=who [bandwidth] search = sourcetype=bandwidth ###### System Logs ###### #### Account Management [useradd] search = eventtype=nix_ta_data useradd user #tags = account management add change # Aug 20 20:21:12 host useradd[12811]: new account added - account=splunk, uid=1003, gid=1000, home=/opt/splunk, shell=/bin/false, by=0 [useradd-suse] search = eventtype=nix_ta_data useradd new account added #tags = account management add change [userdel] search = eventtype=nix_ta_data userdel user #tags = account management delete change [groupadd] search = eventtype=nix_ta_data groupadd group #tags = account management add change #Aug 20 20:21:12 host useradd[12811]: account added to group - account=splunk, group=services, gid=33, by=0 [groupadd-suse] search = eventtype=nix_ta_data useradd account added group #tags = account management add change [groupdel] search = eventtype=nix_ta_data (NOT *deleting-user-from*) (groupdel OR userdel) group #tags = account management delete change [linux-password-change] search = eventtype=nix_ta_data process=passwd password changed #tags = account management password modify change #Feb 21 11:24:45 host passwd[17805]: password change failed, pam error 11 - account=root, uid=0, by=0 [linux-password-change-failed] search = eventtype=nix_ta_data process=passwd password change failed #tags = account management password modify change #### acpi [nix_acpi] search = eventtype=nix_ta_data ACPI: #tags = os unix power #### agpgart [nix_agpgart] search = eventtype=nix_ta_data agpgart: #tags = os unix graphics #### apm [nix_apm] search = eventtype=nix_ta_data apm: #tags = os unix power #### auditd [auditd] search = sourcetype=auditd #tags = os unix resource file [auditd_modify] search = source=auditd PATH #tags = modify #### Authentication ## ksu [ksu_authentication] # NOTE: May want to restrict search `ksu` to `cmd="ksu"` to reduce false positives. search = eventtype=nix_ta_data ksu ("authentication failed" OR authenticated OR (Account authorization (failed OR successful))) #tags = authentication ## login [login_authentication] search = eventtype=nix_ta_data login: "Login failure on" #tags = authentication ## pam [pam_unix_authentication] search = eventtype=nix_ta_data pam_unix (gdm OR sudo OR su) ("authentication failure" OR "session opened") #tags = authentication ## passwd #Oct 2 20:45:29 host passwd[15323]: User admin: Authentication failure [passwd-auth-failure] search = eventtype=nix_ta_data process=passwd Authentication failure punct="*__::_*_[]:__:__" #tags = application authentication ## rlogin [rlogin_too_many_failures] search = eventtype=nix_ta_data "general syslog msg" "TOO MANY LOGIN TRIES" #tags = application attack watchlist ## Detects a failed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server. [remote_login_failure] search = eventtype=nix_ta_data "pam_rhosts_auth" AND ("denied to" OR "access not allowed") #tags = application authentication remote ## Detects a allowed user login via Telnet or Rlogin (except root) on Linux Red Hat 6.2 or 7 server. [remote_login_allowed] search = eventtype=nix_ta_data "pam_rhosts_auth" AND "allowed to" #tags = application authentication remote ## sshd [sshd_authentication] # osx sshd authentication error # Jul 16 11:10:45 mycomputer sshd[34666]: error: PAM: authentication error for xxx from localhost via ::1 # Apr 2 12:42:08 mycomputer sshd[15578]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=host search = eventtype=nix_ta_data "sshd[" (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") (from OR ())) OR "Authorized to" OR "Authentication tried" OR "Login restricted") NOT ("POSSIBLE BREAK-IN ATTEMPT") #tags = authentication remote [ssh_login_postponed] search = eventtype=nix_ta_data punct="*_::_*_[]:____*_...___" sshd Postponed # no tags assigned to this eventtype [ssh_open] search = eventtype=nix_ta_data punct="*__::_*_[]:_(:):_____*__(=)" sshd (session opened) OR (connection from) #tags = communicate connect # example = Dec 17 15:15:12 domU-12-31-39-03-01-11 sshd[24912]: Connection closed by 195.43.9.246 [ssh_close] search = eventtype=nix_ta_data punct="*__::_*_[]:____*..." OR punct="*__::_*_[]:_(:):_____" OR punct="*__::_*_()[]:_____" sshd (Closing connection to) OR (Connection closed by) OR (session closed) #tags = access stop logoff # example = Dec 17 18:31:44 domU-12-31-39-03-01-11 sshd[31792]: Received disconnect from 74.53.187.50: 11: Bye Bye [ssh_disconnect] search = eventtype=nix_ta_data punct="*__::_*_[]:___*...:_:__" Bye Received disconnect #tags = access stop logoff [ssh_check_pass] search = eventtype=nix_ta_data sshd check pass user unknown (punct="__*::_*_()[]:__;__" OR punct="*__::_*_[]:_(:):__;__") #no tags assigned to this eventtype ## su [su_authentication] # Example event, from su on CentOS7 # type=USER_AUTH msg=audit(1611753517.687:2310): pid=10012 uid=0 auid=2024 ses=181 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=so1 addr=? terminal=pts/1 res=success' search = eventtype=nix_ta_data NOT "USER_CMD" ((from to) OR succeeded OR success OR successful OR failed OR failure) (cmd="su" OR ("USER_AUTH" AND exe=*/su*) OR ((NOT BAD) su: from to at)) #tags = authentication [su_failed] search = eventtype=nix_ta_data (("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR ("BAD SU ")) #tags = authentication [su_session] search = eventtype=nix_ta_data su: session #tags = session [su_root_session] search = eventtype=nix_ta_data su: session root #tags = session privileged ## Telnet [wksh_authentication] search = eventtype=nix_ta_data wksh "HANDLING TELNET CALL" # no tags assigned to this eventtype #### automount [nix_automount] search = eventtype=nix_ta_data automount punct="::__::_*:_*" #tags = os unix #### Config [nix_config_change] search = eventtype=nix_ta_data Configuration changed #tags = os unix host configuration modify #### Console [nix_console] search = eventtype=nix_ta_data Console: #tags = os unix #### cron [nix_cron] search = eventtype=nix_ta_data cron OR crond punct="::__::_*:_*" NOT Install: NOT Updated: NOT Erased: #tags = os unix #### CUPS [nix_cups_access] search = eventtype=nix_ta_data punct="_-_-_[//:::_-]_\"_//._/.\"___-_-" #tags = os unix access printer [nix_cups_error] search = eventtype=nix_ta_data punct="_[//:::_-]_*" #tags = os unix printer [nix_cups_page] search = eventtype=nix_ta_data punct="___[//:::_-]___-_" #tags = os unix printer #### dhclient [nix_dhclient] search = eventtype=nix_ta_data dhclient punct="__::_*:_*" NOT punct="//_::_*:_*." NOT punct="\"///*\"" NOT Rule NOT Name #tags = os unix #### DMA [nix_dma] search = eventtype=nix_ta_data DMA zone: #tags = os unix memory access #### Firewall # These firewall accept and deny rules are based on iptables logs. For additional firewalls the user must develop a device add # on and tag their events with these tags [iptables_firewall_accept] search = eventtype=nix_ta_data signature=firewall action=PASS OR action=permit #tags = os unix host firewall communicate success [iptables_firewall_deny] search = eventtype=nix_ta_data signature=firewall action=BLOCK OR action=dropped #tags = os unix host firewall communicate failure #### FTP [nix_ftp_xferlog] search = eventtype=nix_ta_data punct="___*::___...__///*" #tags = os unix ftp transfer [nix_ncftpd_logins] search = eventtype=nix_ta_data ncftpd punct="*__::_*:_*" #tags = os unix ftp authentication #### Fingerprinting [nix_fingerprinting] search = eventtype=nix_ta_data Client OS detected: #tags = os unix #### gconfd [nix_gconfd] search = eventtype=nix_ta_data gconfd #tags = os unix [nix_gconfd_error] search = eventtype=nix_ta_data gconfd Error #tags = error [nix_gconfd_exiting] search = eventtype=nix_ta_data gconfd Exiting OR signal #tags = stop [nix_gconfd_resolved_address] search = eventtype=nix_ta_data gconfd Resolved address [nix_gconfd_starting] search = eventtype=nix_ta_data gconfd starting #tags = start #### gdm [nix_gdm] search = eventtype=nix_ta_data gdm punct="*__::_*:_*" NOT scrollkeeper NOT Updated: NOT Installed: NOT Erased: NOT pam* #tags = os unix #### gpm [nix_gpm] search = eventtype=nix_ta_data gpm NOT Installed: NOT Updated: NOT Erased: NOT user NOT *.rpm punct="*__::_*:_*." #tags = os unix #### FreeBSD [freebsd_refresh_na_answer] search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_-____...#_(_...#)" #tags = os unix [freebsd_refresh_retry_exceeded] search = eventtype=nix_ta_data refresh named punct="*__::_*_[]:__./:_:_____...#__(_...#)" #tags = os unix #### hald [nix_hald] search = eventtype=nix_ta_data hald punct="*__::_*:_*" #tags = os unix #### hpiod [hpiod_Linux_syslog] search = eventtype=nix_ta_data hpiod punct="*__::_*:_*" #tags = os unix #### kernel [nix_kernel_attached] search = eventtype=nix_ta_data kernel #tags = os unix kernel #### kill [nix_process_kill] search = eventtype=nix_ta_data exiting signal 15 #tags = os unix process stop #### mDNSResponder [nix_mDNSResponder] search = eventtype=nix_ta_data mDNSResponder punct="*__::_*:_*" #tags = os unix dns #### named [nix_named1] search = eventtype=nix_ta_data named punct="*__::_/_[]:__*" OR punct="*__::_..._[]:_*" #tags = os unix dns [nix_named2] search = eventtype=nix_ta_data named punct="*__::_*_[]:__*" NOT punct="__::_*_[]:_____..." #tags = os unix dns #### OSX Crash Log [osx_crash_log] search = eventtype=nix_ta_data Host Name Date/Time #tags = os unix error #### Netlabel [nix_netlabel] search = eventtype=nix_ta_data NetLabel: #tags = os unix kernel #### PCI [nix_pci] search = eventtype=nix_ta_data PCI: NOT BIOS #tags = os unix #### Plug-n-play [nix_pnp] search = eventtype=nix_ta_data pnp: #tags = os unix #### POP3 [nix_popper] search = eventtype=nix_ta_data popper #tags = os unix mail #### postfix [nix_postfix] search = eventtype=nix_ta_data postfix punct="*__::_*:_*" #tags = os unix #### Prelink [nix_prelink] search = eventtype=nix_ta_data /usr/sbin/prelink: OR Prelinking #tags = os unix #### RPC [nix_rpc_statd] search = eventtype=nix_ta_data rpc.statd #tags = os unix #### RPM [nix_rpm] search = eventtype=nix_ta_data *.rpm punct="*-*.*." #tags = os update #### Runlevel [nix_runlevel_change] search = eventtype=nix_ta_data init: punct="*__::_*:_*" #tags = os unix configuration modify #### SNMPD [snmpd] search = eventtype=nix_ta_data snmpd #tags = os unix snmp [snmpd_failure] search = eventtype=nix_ta_data snmpd SNMPD_*_FAILURE #tags = failure #### scrollkeeper [nix_scrollkeeper] search = eventtype=nix_ta_data scrollkeeper punct="__::__*" #tags = os unix ## Shutdown [nix_halt] search = eventtype=nix_ta_data shutdown: system halt #tags = os unix stop [nix_restart] search = eventtype=nix_ta_data shutdown: system reboot #tags = os unix stop #### smartd [nix_smartd] search = eventtype=nix_ta_data smartd punct="*__::_*:_*" #tags = os unix #### Time [nix_timesync] search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR "MS Name/IP address") (("LastRx" AND "stratum") OR "Adjusting system clock" OR "synchronized to" OR "step time server" OR "adjust time server") #tags = report time synchronize success [nix_timesync_failure] search = eventtype=nix_ta_data (ntpd OR ntpdate OR xntpd OR xntpdate OR 506) ("NTP Server Unreachable" OR "Cannot talk to daemon") #tags = report time synchronize failure #### Update [nix_yum_update] search = eventtype=nix_ta_data yum Updated #tags = report update success #### udevd [nix_udevd] search = eventtype=nix_ta_data udevd #tags = os unix kernel #### USB [nix_usb] search = eventtype=nix_ta_data usb*: NOT punct="<>:__*" #tags = os unix usb #### userhelper [nix_userhelper] search = eventtype=nix_ta_data userhelper* NOT punct="__*::_*:_*" #tags = os unix ###### ADDED FROM UNIX APP ###### [failed_login] search = eventtype=nix_ta_data "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for" #tags = authentication [Failed_SU] search = eventtype=nix_ta_data ("failed SU to another user" AND "Agent platform:" AND "linux-x86") OR ("failed SU to another user" AND "authentication failure" AND "for su service") OR ("failed SU to another user" AND logname=*) OR (exe="/bin/su" AND res="failed") OR (FAILED su for) OR (source="/var/adm/sulog" SU " - ") OR ("BAD SU ") #tags = authentication [nix-all-logs] search = eventtype=nix_ta_data AND (source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog) ###### END FROM UNIX APP ###### ###### ADDED FROM TA-deploymentapps ###### ###### Scripted Inputs ###### ## Global [aix_scripted_input] search = sourcetype=AIX:* #tags = check report [hpux_scripted_input] search = sourcetype=HPUX:* #tags = check report [linux_scripted_input] search = sourcetype=Linux:* #tags = check report [osx_scripted_input] search = sourcetype=OSX:* #tags = check report [solaris_scripted_input] search = sourcetype=Solaris:* #tags = check report [unix_scripted_input] search = sourcetype=Unix:* #tags = check report ## CPUTime [cputime] search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime #tags = performance os avail cpu [cputime_anomalous] search = NOT (sourcetype=WMI:CPUTime OR sourcetype=Perfmon:CPUTime) sourcetype=*:CPUTime PercentSystemTime>90 #tags = anomalous ## Disk [freediskspace] search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace #tags = performance os avail disk storage [freediskspace_anomalous] search = NOT (sourcetype=WMI:FreeDiskSpace OR sourcetype=Perfmon:FreeDiskSpace) sourcetype=*:FreeDiskSpace PercentFreeSpace<10 #tags = anomalous ## Listening Ports [listeningports] search = (NOT sourcetype=WMI:ListeningPorts) sourcetype=*:ListeningPorts (NOT file_hash=*) #tags = os config report ## Local Processes [localprocesses] search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses #tags = os avail process [localprocesses_anomalous] search = (NOT sourcetype=WMI:LocalProcesses) sourcetype=*:LocalProcesses (PercentSystemTime>50 OR PercentMemory>50) NOT app=Total #tags = anomalous ## Memory [memory] search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory #tags = performance os avail memory [memory_anomalous] search = NOT (sourcetype=WMI:Memory OR sourcetype=Perfmon:Memory) sourcetype=*:Memory mem_free<104857600 #tags = anomalous ## SELinux Config [selinuxconfig] search = sourcetype=Linux:SELinuxConfig #tags = application config selinux ## Service [service] search = (NOT sourcetype=WMI:Service) sourcetype=*:Service (NOT file_hash=*) #tags = os config service report [service_runlevel_anomalous] search = sourcetype=*:Service (runlevel0=on OR runlevel6=on) #tags = anomalous ## SSHD Config [sshdconfig] search = sourcetype=*:SSHDConfig #tags = application config ssh [sshd_insecure] search = eventtype=nix_ta_data sshd_protocol=*1* #tags = insecure ## Update [update] search = sourcetype=*:Update #tags = os info update [update_status] search = sourcetype=*:Update NOT total_updates #tags = status ## Uptime [uptime] search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime #tags = os info report uptime performance [uptime_anomalous] search = (NOT sourcetype=WMI:Uptime) sourcetype=*:Uptime SystemUpTime>2592000 #tags = anomalous ## User Accounts [useraccounts] search = sourcetype=*:UserAccounts (NOT file_hash=*) #tags = (os) config user inventory [useraccounts_anomalous] search = sourcetype=*:UserAccounts NOT password=x NOT password=\* (NOT file_hash=*) #tags = anomalous ## Version [nix_version] search = (NOT sourcetype=WMI:Version) sourcetype=*:Version #tags = os info report system version inventory ## VSFTDP Config [vsftpd_config] search = sourcetype=*:VSFTPDConfig #tags = application config ftp cleartext [vsftpd_config_anonymous] search = sourcetype=*:VSFTPDConfig anonymous_enable=YES #tags = anonymous ###### END FROM TA-deploymentapps ######