This dashboard consists of the following widgets:
Widget Name |
Description |
|---|---|
Top 10 Process Running |
The top ten Unix processes running in the Logpoint for the administrator to see what is running, the resources that processes are using, how the system is affected by the load and how memory is being used. |
Events Timetrend |
A time trend of the Unix events generated based on event severity or event type to analyze the performance of Logpoint over time. |
Top 10 Commands Used |
The top ten most used Unix commands, such as sudo allowing direct communication with the Logpoint via a terminal, hence being very interactive and giving the user direct control over the Logpoint resources. |
Top 10 Sudo Commands |
The top ten sudo commands allow you to run programs with the security privileges of another user (by default, as the superuser). |
Top 10 Sources in Denied Connection |
The top ten denied source addresses from accessing Unix networks to protect your system. |
Top 10 Users in Successful Logins |
The top ten users who successfully logged in allowing the administrator to view the user account name, date and login time. |
Top 10 Users in Failed Logins |
The top ten users who failed to log in indicated invalid login attempts, forgot their password or mistyped it. |
Top 10 Sources in Successful User Logins |
The top ten source addresses in successful user logins. |
Top 10 Sources in Failed User Logins |
The top ten source addresses in failed user logins. |
User Login Status |
The user login status may be a successful or failed login. |
This dashboard consists of the following widgets:
Widget Name |
Description |
|---|---|
Session Duration |
The session duration from when a user arrives, interacts and exits a Unix system. |
Root Privilege Command Execution |
The commands executed that require permissions not granted to a standard UNIX user account. These commands include root session start timestamp, root session end timestamp, user, command execute timestamp and command. |
Top 10 Users in Privilege Escalation |
The top ten users who gained unauthorized admin or root level privileges in a Unix system. It enables the administrator to discover opportunities to improve the Unix privilege management and security to reduce the risk of a cyber attack. |
Top 10 Command Executed |
The top ten executed Unix commands that administrators check for successful execution. |
This dashboard consists of the following widgets:
Widget Name |
Description |
|---|---|
Top 10 Successful Administrative Logins |
The top ten successful administrative logins with rights to control or restrict the activity of other users. You need a list of ADMINS to run this query. |
Top 10 Users in Successful Login |
The top ten users with valid credentials successfully logged in to gain access to the Unix system. |
Users in Successful Login - List |
The list of successful users logins using valid user credentials, action and source address. |
Top 10 Users in Failed Login |
The top ten users with invalid or expired credentials failed to login so administartor can trace the source of the login attempts and a sign of brute force attack. |
Users in Failed Login - List |
The list of failed user logins by a user, action and source address. |
Top 10 Failed Administrative Logins |
The top ten administrative users (ADMINS, root or administrator) failed login attempts as the Unix system didn’t recognize the authentication details. You need a list of ADMINS to run this query. |
Top 10 User Login Activities |
The top ten successful or failed login activities so the administrator better determines which user behavior is legitimate to prevent brute force attacks in the Unix system. |
This dashboard consists of the following widgets:
Widget Name |
Description |
|---|---|
Created Accounts - List |
The list of created accounts to access the Unix system or any service running on the Unix system for an administrator to authenticate, trace, log and monitor its services. |
User Accounts Created |
The created user accounts with a user name and password and assigned permission levels. |
User Accounts Deleted |
The deleted user accounts barred from accessing data, services, systems and network resources. |
Activities in User Account Management |
The activities in the user account management, such as user adds or group adds. It allows administrators to group users and define flexible access policies. |
Activities in User Account Management - List |
The list of activities in user account management by user and action. |
Top 10 Actions in User Account Management |
The top ten actions performed in the user account management. |
User Account Password Change |
The changed user account password to ensure account security, prevent the default password problem and for the administrator to authenticate the user. |
Locked User Account |
The locked user account when the number of incorrect password entries exceeds the maximum number allowed by the account password policy. |
User Account Unlocked |
Accounts reset by an administrator. |
User Account Locked/Unlocked - Status |
The locked or unlocked user account’s status by user, action and object. |
Newly Created Group - List |
The list of a newly created group in Unix. |
Deleted Group - List |
The list of deleted groups from Unix. |
Group User Deletion - List |
The users deleted or removed from a group in Unix. |
User Added in Group |
The users added to a group in Unix. |
Go to Settings >> Knowledge Base from the navigation bar and click Dashboards.
Select VENDOR DASHBOARD from the drop-down.
Click the Use icon from Actions of the required dashboard.
Click Choose Repos.
Selecting a Repo¶
Select the repo configured to store the Unix logs and click Done.
Selecting a Repo¶
Select the dashboard and click Ok.
You can find the Unix dashboards under Dashboards.
Unix Dashboard¶
Alerts available in Unix are:
Trigger Condition: An account is not present but is used repeatedly to login. This may be a brute force attack by a bot, malware or threat agent.
ATT&CK Category: Credential Access
ATT&CK Tag: Brute Force
ATT&CK ID: T1110
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix ((label=Account label=Absent) OR (label=User label=Authentication label=Fail)) user=* | chart count() as cnt by user | search cnt>10
Trigger Condition: Unix Kernel stops logging that may violate the audit compliance of the organization.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Indicator Blocking
ATT&CK ID: T1562, T1562.006
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix OR norm_id=Kernel label=Logging label=Stop "process"="kernel" action="stopped"
Trigger Condition: A user account is deleted.
ATT&CK Category: Impact
ATT&CK Tag: Account Access Removal
ATT&CK ID: T1531
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=User label=Account label=Management label=Delete label=Remove user=*
Trigger condition: Information on password expiry information is changed for a user.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=User label=Password label=Expire label=Account label=Management label=Change user=*
Trigger condition: Unlocked user account detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=User label=Account label=Management label=Unlock user=*
Trigger condition: An excessive denied connection from the same source is detected i.e., 100 denied connections within two minutes.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=Connection label=Deny | chart count() as cnt by source_address | search cnt>100
Trigger condition: Unauthorized default Application Layer Protocol and DNS server modification is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=File label=Info label=Path (path="/etc/resolv.conf" OR path="/etc/hosts")
Trigger condition: A group is deleted.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=Group label=Management (label=Remove OR label=Delete) group=*
Trigger condition: Authentication for a user is successful and session of a previous user is exited.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
(norm_id=Unix label=Login label=Open label=Session label=Successful label=User label=Start) OR (norm_id=Unix label=Session label=User)
Trigger condition: A user account is removed from the privileged group.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=Group label=Management label=Remove label=User (group=sudo)
Labels available in LP_Unix are:
Labels |
Description |
|---|---|
Cron, Job |
Events with the pam_unix(cron:session) message. |
Cron, Job |
Events with the /USR/SBIN/CRON message. |
Cron, Job |
Events with the CRON or cron process. |
NSCD |
Events with the nscd process. |
Successful |
Events with the Successful, Success, or Login successful status. |
Fail |
Events with the Failed, Fail, or Login failed status. |
Login |
Events with the object in authentication, keyboardinteractive/pam, publickey, or password. |
User, Login, Successful |
Events with the Accepted Password, Accepted publickey, or Session opened. |
User, Login, Fail |
Events with the Authentication Failure or Failed Password. |
User, Logoff |
Events with the Session closed message. |
User, Account, Management, Password, Change |
Events with the Password changed message. |
User, Account, Management, Remove |
Events with the Delete user message. |
User, Account, Management, Create |
Events with the A new user message. |
Privilege, Access |
Events with the sudo or su process. |
Service, Start |
Events with the Starting or Start action for all Unix services. |
Service, Restart |
Events with the Re-starting, Restarting, or Restart action for all Unix services. |
Service, Stop |
Events with the Stop or Stopping action for all Unix services. |
FTP |
Events with the ftp or ftpd process. |
ssh |
Events with the sshd process. |
Command, Execute |
Events with the Unix command. |
Remove |
Events with the Delete or Deleted action. |
Modify |
Events with the Replace action. |
Start, Change, Edit |
Events with the Beign Edit action. |
Add |
Events with the Account added action. |
Remove |
Events with the Account removed action. |
Labels available in LP_Unix SSHD are:
Labels |
Description |
|---|---|
Session, Close |
Events with the closed action or the closed status. |
Session, Open |
Events with the opened action or the opened status. |
Labels available in LP_Common Unix Systems are:
Labels |
Description |
|---|---|
Open |
Events with the opened message. |
Close |
Events with the closed action |
Add |
Events with the added action. |
Delete |
Events with the deleted action. |
User, Delete |
Events with the userdel process. |
User, Add |
Events with the useradd process. |
Add |
Events with the account added action. |
Remove |
Events with the removed action. |
Successful |
Events with the successful status. |
Fail |
Events with the failed status. |
Labels available in LP_Unix Systemd are:
Labels |
Description |
|---|---|
Session, Start |
Session start events. |
Go to Report >> Report Template >> Vendor Report Templates.
Using the Unix Report Template¶
Click Add from the Actions column.
Using Unix Report Template¶
Click Run this Report under the Actions column.
Running Unix Report Template¶
Select Repos, Time Zone, Time Range, Export Type, and enter the Email address.
Click Submit.
You can view the reports being generated under Report Jobs and download the generated reports from Inbox with .pdf extension by clicking PDF under the Download section.
A report contains widgets enabling you to analyze the data in different formats like graphs, time trends, lists, and text. Reports are time-bound, which means they are incident summaries over a period of time, for example, the last 24 hours or last five minutes. While generating a report, you can customize the calendar period according to your needs.
Report templates available for Unix are:
LP_Unix: User Privilege Escalation is the incident summary report that provides statistical information on the session duration, commands executed, users in privilege escalation, and root privilege command execution in different formats, such as graphs and lists.
LP_Unix: User Account Management is the incident summary report that provides statistical information on the user account created or deleted, activities in user account management, user account locked or unlocked, newly formed group or deleted group, and account status in different formats, such as graphs or lists.
LP_Unix: Authentication is the incident summary report that provides statistical information on the successful or unsuccessful administrative logins and user login activities in different formats, such as graphs or lists.