How to trigger an Alert by creating play in playbook when someone execute sudo command

[sandraimmaculate]

Hi,
i created a play

I'm able to see about the play in kibana>discover dashboard when someone execute sudo command

but not in security onion alert dashboard.
do i have do anything else apart from this because im not getting alert still!
please reply!

[InfosecGoon]

Does the query

process.command_line: *sudo*

Return results in Hunt?

[sandraimmaculate]

yea i have when i itself execute sudo command it will get store in /var/log/audit/audit.log

cat audit.log.4 | grep "sudo"
type=USER_END msg=audit(17078118.56:148148): pid=186102 uid=102 auid=102 ses=21912 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'UID="sandra" AUID="sandra"

here is an example event of someone running sudo in environment
even this log event, i can see in security onion because i added the system integration audit

[InfosecGoon]

Can you post a screenshot of this event in Security Onion? I want to see what the process.command_line field says.

[sandraimmaculate]

This is from security onion > kibana discover i filter it to log.file.path : /var/log/audit/audit.log and process.executable: "/usr/bin/sudo"

Sorry i have change the play now from process.command_line field to

Sorry idk how to filter this event in security onion dashboard or hunt because if i add the filter like process.executable: "/usr/bin/sudo" I'm not getting any result

And i have a doubt that im able to see the sudo command log in kibana why not in security onion dashboard

kindly help in this! thank you

[sandraimmaculate]

after changing the process.command_line to process.executable: "/usr/bin/sudo" i got the alert in alert dashboard BUT only on that time.

on that day at 16/02/2024 at 6 pm I'm able to see the sudo command execution alert in alert dashboard, after that i have tried executing sudo command but i didn't got any alert inn alert dashboard. that was the first and last alert i got. why its happening like that!

but its not happening in kibana > discover im getting the info of sudo command execution when ever the sudo command is executed

[sandraimmaculate]

only sometimes its displaying the alert in alert dashboard about the sudo command execution. Sometimes it not displaying the alert even though sudo command is executed

please suggest!