Products: Linux - Sysmon for Linux
| Rule ID | Rule Name |
|---|---|
| AGGREGATION-S00006 | Docker Enumeration Detected on Host |
| MATCH-S00682 | Excessive Use of Escape Characters in Command Line |
| MATCH-S00837 | Kubernetes Secrets Enumeration via Kubectl |
| MATCH-S00745 | Loadable Kernel Module Enumeration |
| MATCH-S00723 | Loadable Kernel Module Modifications |
| MATCH-S00865 | Potential Docker Escape via Command Line |
| CHAIN-S00014 | Potential Docker container escape via Cgroups |
| MATCH-S00824 | Potential XMRig Execution with Traffic |
| AGGREGATION-S00004 | Suspicious K8s Enumeration |
| CHAIN-S00015 | Suspicious Linux Execution Chain |
| MATCH-S00918 | Suspicious cat of PAM common-password policy |
| MATCH-S00919 | chage command use on host |
| Log Mapper ID | Log Mapper Name |
|---|---|
| 4844d90e-5bea-4473-b9d5-39bba4b0d829 | Linux-Sysmon/Operational - 1 |
| f9c340b9-7b87-4040-be6e-b54bbb7afb67 | Linux-Sysmon/Operational - 10 |
| 427c3ec5-0320-41f2-b069-e15cd08eefd0 | Linux-Sysmon/Operational - 11 |
| 19410c41-18a3-4aa5-96c3-d6cd18110a72 | Linux-Sysmon/Operational - 15 |
| 186bcb86-9ac2-43ae-8e26-0bed2367d737 | Linux-Sysmon/Operational - 16 |
| c9b36f1b-b624-4a9d-a564-91afaa277fe3 | Linux-Sysmon/Operational - 17 |
| 703f7d62-a28f-4f57-8df7-684d6af19a1c | Linux-Sysmon/Operational - 18 |
| 928fa5c2-ceeb-4c1b-b41e-c5ed6f18b24f | Linux-Sysmon/Operational - 2 |
| 2d8a8585-9f03-4668-9e97-fa7b6853accc | Linux-Sysmon/Operational - 23 |
| ba65552f-d9d8-4d03-8814-7610121a6759 | Linux-Sysmon/Operational - 3 |
| fd0e13bb-ad85-45f2-adc2-aa76151bb2c2 | Linux-Sysmon/Operational - 4 |
| 770ca3b8-d91c-4646-a2b9-323817e2f0e4 | Linux-Sysmon/Operational - 5 |
| 0b27b51c-7656-4812-b9c6-4d565c244eaa | Linux-Sysmon/Operational - 6 |
| d5920e42-6d98-41d1-833c-7d1e15e0a542 | Linux-Sysmon/Operational - 7 |
| 6425b13a-0242-4dba-ab72-002747e1aa05 | Linux-Sysmon/Operational - 8 |
| df9365c8-edf6-46e3-a151-5e9819ce8776 | Linux-Sysmon/Operational - 9 |