← Library
splApache-2.0from splunk/security_content

Linux Auditd Add User Account Type

The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_add_user_account_type.yml
`linux_auditd` type=ADD_USER
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY exe pid dest
       res type
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_add_user_account_type_filter`