Language: SPL | License: Apache-2.0 | Source: splunk/security_content

Linux Auditd Service Started

The following analytic detects a service being started or enabled on a Linux host through `systemctl` or `service`, as recorded in auditd PROCTITLE data. This behavior is worth monitoring because starting or enabling a service is a common way to gain unauthorized access to, or maintain control over, a system, and may therefore be a sign of malicious activity. If confirmed, it could lead to serious consequences, including a compromised host, unauthorized access to sensitive data, or a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.

Quality: 35
Rule source: detections/endpoint/linux_auditd_service_started.yml
`linux_auditd`  proctitle IN ("*systemctl *", "*service *") AND proctitle IN ("* start*", "* enable*")
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY proctitle dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_service_started_filter`