Azure linux_auditd_alerts_and_log_analytics_agent_integration Mappings

This integration enables collection of auditd events on all supported Linux distributions, with no prerequisites. Auditd records are collected, enriched, and aggregated into events by the Log Analytics agent for Linux.

Mappings

Every row below shares the same capability and category, listed once here rather than repeated per row:

Capability ID: linux_auditd_alerts_and_log_analytics_agent_integration
Capability Description: Linux auditd alerts and Log Analytics agent integration
Category: detect

The Notes column of each row holds a Comments entry and a References entry; no references are listed for any row.

ATT&CK ID   ATT&CK Name                                Value
----------  -----------------------------------------  -------
T1059       Command and Scripting Interpreter          minimal
  Comments: This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
  References: (none)

T1059.004   Unix Shell                                 partial
  Comments: This control may alert on suspicious command-line activity. Alerts may be generated on possible detection of shellcode usage on the command line, based on arguments, location, user, etc.
  References: (none)

T1068       Exploitation for Privilege Escalation      minimal
  Comments: This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.
  References: (none)

T1098       Account Manipulation                       minimal
  Comments: This control provides partial detection for only one of this technique's sub-techniques and does not cover most of its procedure examples, resulting in a score of Minimal.
  References: (none)

T1098.004   SSH Authorized Keys                        partial
  Comments: This control may alert on the addition of new SSH keys to the authorized keys file and on unusual process access to the authorized keys file.
  References: (none)

T1547       Boot or Logon Autostart Execution          minimal
  Comments: This control is only relevant for Linux endpoint machines, and the only sub-technique relevant for Linux is Kernel Modules and Extensions.
  References: (none)

T1547.006   Kernel Modules and Extensions              partial
  Comments: This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic, but kernel module loading is a relatively rare event and can only be done with a small set of commands.
  References: (none)

T1136       Create Account                             minimal
  Comments: This control is only relevant for Linux endpoints, and it provides partial coverage for the only sub-technique relevant on Linux endpoints, Local Account.
  References: (none)

T1136.001   Local Account                              partial
  Comments: This control may alert on usage of the useradd command to create new users and on the creation of local user accounts with suspicious similarity to other account names.
  References: (none)

T1505       Server Software Component                  minimal
  Comments: This control provides coverage for the only sub-technique this control is relevant for, Web Shell, but that coverage is Minimal.
  References: (none)

T1505.003   Web Shell                                  minimal
  Comments: This control may alert on usage of web shells. No documentation is provided on the logic for this detection.
  References: (none)

T1564       Hide Artifacts                             minimal
  Comments: This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
  References: (none)

T1564.001   Hidden Files and Directories               minimal
  Comments: This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on the variety of hidden files or directories that are used for malicious purposes without being executed.
  References: (none)

T1564.006   Run Virtual Instance                       partial
  Comments: This control may alert on containers using privileged commands, running SSH servers, or running mining software.
  References: (none)

T1562       Impair Defenses                            minimal
  Comments: This control only provides coverage for a minority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal.
  References: (none)

T1562.004   Disable or Modify System Firewall          partial
  Comments: This control may alert on manipulation of the on-host firewall. Firewall rules should not change often in a standard environment, so such an event can provide a high-fidelity alert.
  References: (none)

T1562.006   Indicator Blocking                         minimal
  Comments: This control may alert on activity that disables auditd logging on Linux endpoints. The auditd package may not be the only logging system in use, and this control may not alert on activity that disables other logging software.
  References: (none)

T1070       Indicator Removal on Host                  partial
  Comments: This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.
  References: (none)

T1070.002   Clear Linux or Mac System Logs             partial
  Comments: This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are covered by this control.
  References: (none)

T1070.003   Clear Command History                      partial
  Comments: This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared, but on Linux machines the location of the history file tends not to change from the default.
  References: (none)

T1027       Obfuscated Files or Information            minimal
  Comments: This control only provides detection coverage for the Compile After Delivery sub-technique, while not providing detection for all other sub-techniques relevant to the Linux platform or for most of its procedure examples. As a result of this minimal coverage, the overall score is assessed as Minimal.
  References: (none)

T1027.004   Compile After Delivery                     minimal
  Comments: This control may alert on suspicious compilation. No documentation is provided on the logic for determining a suspicious compilation event.
  References: (none)

T1110       Brute Force                                partial
  Comments: This control provides partial coverage for most of this technique's sub-techniques and procedures.
  References: (none)

T1110.001   Password Guessing                          partial
  Comments: This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
  References: (none)

T1110.003   Password Spraying                          partial
  Comments: This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
  References: (none)

T1110.004   Credential Stuffing                        partial
  Comments: This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
  References: (none)

T1003       OS Credential Dumping                      partial
  Comments: This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
  References: (none)

T1003.008   /etc/passwd and /etc/shadow                partial
  Comments: This control may alert on suspicious access to encrypted user passwords. The documentation does not reference "/etc/passwd" and "/etc/shadow" directly, nor does it describe the logic for determining suspicious access.
  References: (none)

T1021       Remote Services                            minimal
  Comments: This control is only relevant for Linux environments. Among the sub-techniques that are relevant for Linux, this control may only alert on SSH.
  References: (none)

T1021.004   SSH                                        partial
  Comments: This control may alert on SSH brute force attempts, addition of new SSH keys, and usage of an SSH server within a container. Alerts may not be generated by malicious actors' usage of existing SSH keys for lateral movement.
  References: (none)

T1525       Implant Container Image                    partial
  Comments: This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are only generated for containers on Linux endpoint machines, not for containers running from an Azure Docker deployment.
  References: (none)

T1113       Screen Capture                             partial
  Comments: This control may alert on usage of a screenshot tool. Documentation is not provided on the logic for identifying a screenshot tool.
  References: (none)