
Platform alert pack: Linux

Purpose

The Linux Log-Based Threat Detection Suite is a set of alerts that identify, from the evidence recorded in Linux system logs, threat activity against Linux hosts so that it can be responded to. As Linux systems are adopted more widely across industries and organizations, proactively monitoring these critical assets for breaches and unauthorized access has become essential.

Included Alerts

SecOpsLinuxWebserverAccessLogsDeleted

SecOpsLinuxHijackLibraryCalls

SecOpsLinuxInsertKernelInsmod

SecOpsLinuxRestrictedShellBreakoutSSH

SecOpsLinuxDoasToolExec

SecOpsLinuxStrangeProcessExec

SecOpsLinuxSudoFileModification

SecOpsLinuxSetuiSecapUtility

SecOpsLinuxFileDDOverwrite

SecOpsLinuxSystemLogFileDeletion

SecOpsLinuxAppendCronjobEntry

SecOpsLinuxFileOwnerNowRoot

SecOpsLinuxDeletionSSHKey

SecOpsLinuxAddFilestoCrontabDir

SecOpsLinuxInitDaemonDeletion

SecOpsLinuxAuditdMaxFailedLoginAttempts

SecOpsLinuxDoasConfigCreate

SecOpsLinuxHiddenFilesCreated

SecOpsLinuxFileCreateProfile

SecOpsLinuxDeletionofSslCert

SecOpsLinuxInstallKernelModprobe

SecOpsLinuxSvcEnabled

SecOpsLinuxIrregularLogin

SecOpsLinuxSetuidUsingChmod

SecOpsLinuxMaxSessionsPerUser

SecOpsLinuxBashShellProfileMod

SecOpsLinuxHighFileDeletesEtc

SecOpsLinuxFileCreateInitBoot

SecOpsLinuxIntNetworkviaTelnet

SecOpsLinuxSshAuthKeyModification

SecOpsLinuxPotentialDisableSELinux

SecOpsLinuxExtNetworkviaTelnet

SecOpsLinuxSvcFileCreated

SecOpsLinuxAppendCommandToProfileConfig

SecOpsLinuxDeletionofService

SecOpsLinuxNOPASSWDSudoers

SecOpsLinuxCurlExecution

SecOpsLinuxCompressEncryptData

SecOpsLinuxNcUseDetected

SecOpsLinuxPamdKeylogging

SecOpsLinuxClipboardCopyXclip

SecOpsLinuxAbMaliciousExecution

SecOpsLinuxRdpMountShare

SecOpsLinuxWgetUseDetected

SecOpsLinuxSCPDetect

SecOpsLinuxPhpServerStarted

SecOpsLinuxRubyHttpServerStarted

SecOpsLinuxPythonServerStarted

SecOpsLinuxAudioCapture

SecOpsLinuxSuspciousExecutionCommand

SecOpsLinuxCommandExecutionWebUser

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

  • box.unix

Open alert pack

Once you have installed the alerts you want individually, use the Open button at the top right of the pack's card in Exchange to go to the Alert configuration area, where you can apply filters to find the alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).


Use alert pack

Installed alerts are deactivated by default. Go to the Alert configuration area to activate the ones you need and assign sending policies so that you receive them through the channels you want.