Audit Logs Integration: Sigma Rule and Field Mapping Mismatch

[hodan112]

Hello,

Our objective is to integrate "Auditd logs" into our endpoint agent policy to collect auditd logs from endpoints and apply playbooks or Sigma rules to enhance detection capabilities.

1. We have successfully added the "Auditd logs" integration to the endpoint agent policy and installed auditd on our endpoints.
   2.The logs are ingested into Elasticsearch without issue and can be visualized in Kibana.

3.However, when activating the playbooks, we encounter errors across all rules due to a mismatch between the fields in the rules and the log field mappings. While testing the rule's query in Kibana, we noticed this issue.

Question: Could you kindly advise if we need to manually adjust each rule to match the log field mappings, or if there is an alternative solution to address this issue?

We thank you in advance for your time and assistance.

[cm-ops]

What does your sigma rule look like?

[hodan112]

title: Credentials In Files - Linux
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: test
description: Detecting attempts to extract passwords with grep
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: Igor Fits, oscd.community
date: "2020-10-15"
modified: "2023-04-30"
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: linux
service: auditd
detection:
selection:
type: EXECVE
keywords:
'|all':
- grep
- password
condition: selection and keywords
falsepositives:
- Unknown
level: high