Merge PR #5793 from @nasbench - Rename Auditd Folder Entries and update SYSCALL field

chore: rename auditd folders and related entries
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
Nasreddine Bencherchali
2025-12-08 16:03:55 +01:00
committed by GitHub
parent 0490e31eb5
commit 5656c48a97
55 changed files with 14 additions and 12 deletions
+2 -2
@@ -1,6 +1,6 @@
{
"title": "Field name by logsource",
"version": "20230113",
"version": "20251205",
"legit":{
"windows":{
"common": ["EventID", "Provider_Name","Channel","Computer","Security_UserID"],
@@ -134,7 +134,7 @@
"oses", "ouid", "outif", "pa", "parent", "path", "pe", "per", "perm", "perm_mask", "permissive", "pfs", "pi", "pid", "pp", "ppid", "printer",
"proctitle", "prom", "proto", "qbytes", "range", "rdev", "reason", "removed", "res", "resrc", "result", "role", "rport", "saddr", "sauid",
"scontext", "selected-context", "seperm", "seperms", "seqno", "seresult", "ses", "seuser", "sgid", "sig", "sigev_signo", "smac", "spid",
"sport", "state", "subj", "success", "suid", "syscall", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
"sport", "state", "subj", "success", "suid", "syscall", "SYSCALL", "table", "tclass", "tcontext", "terminal", "tty", "type", "uid", "unit", "uri", "user",
"uuid", "val", "val", "ver", "virt", "vm", "vm-ctx", "vm-pid", "watch"],
"vsftpd":[],
"sshd":[],
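Review bot: The auditd field list on the new line now carries both `"syscall"` and `"SYSCALL"`, and nothing in the file records that the uppercase spelling is the name-resolved field auditd emits only when `log_format = ENRICHED` is configured, while the lowercase one remains the raw numeric syscall field; without that note a later cleanup may drop one of the two as a duplicate. Strict JSON has no comments, so the rationale belongs in the repository documentation that accompanies this file, or in a dedicated top-level key such as `"notes"` if the consumer tolerates extra keys, which cannot be seen from this hunk. The list is otherwise sorted lowercase, so keeping `"SYSCALL"` directly after `"syscall"` as done here reads better than moving it to where ASCII order would place it. The neighbouring context line still holds the pre-existing duplicate `"val", "val"`, which could be folded into the same touch-up. Whether rules in the other changed files rely on further enriched uppercase names is not visible from this section.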