Sigma rules for syslog/filebeat #9350
-
|
Hello, Is there a way I can use Playbook to write sigma rules for Syslog? For example, I have a switch that is sending syslogs and I want there to be a way where I can get an alert when specific cmd commands are run.
|
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 6 replies
-
|
You can do something like this - just make sure to match up the
|
Beta Was this translation helpful? Give feedback.
-
|
Are you using a Filebeat module to ingest the syslog? |
Beta Was this translation helpful? Give feedback.
-
|
No, these syslogs are coming from a switch so I think it is using port 514 but I am not sure why it says filebeat for metadata.beat? |
Beta Was this translation helpful? Give feedback.
-
|
Well, you should be able to still do a wildcard search of the message field |
Beta Was this translation helpful? Give feedback.
-
|
Do you mean on the Dashboard or ssh into the server? |
Beta Was this translation helpful? Give feedback.
-
|
In Hunt or Dashboards |
Beta Was this translation helpful? Give feedback.
You can do something like this - just make sure to match up the
event.dataset+event.module- Play around with theconvertfunctionality until you get the resulting query you need. Also, have you parsed out themessagefield?