Go to Settings >> Knowledge Base >> Dashboards.
Select VENDOR DASHBOARD from the drop-down.
Click Add from the Actions column.
Adding the Unix Dashboard¶
Click Choose Repos.
Selecting a Repo¶
Select the repo and click Done.
Selecting a Repo¶
Click Ok.
You can find the Unix dashboards under Dashboards.
Unix Dashboard¶
Widgets available in LP_Unix Overview provide:
Widget Name |
Description |
|---|---|
Top 10 Process Running |
An overview of the top 10 Unix processes, such as parents or child process, zombie or orphan process, or list running process. |
Events Timetrend |
A time trend of the Unix events. |
Top 10 Commands Used |
An overview of the top 10 most used Unix commands, such as sudo. |
Top 10 Sudo Commands |
An overview of the top 10 sudo commands that allows you to run programs with the security privileges of another user (by default, as the superuser). |
Top 10 Sources in Denied Connection |
An overview of the top 10 denied source addresses. |
Top 10 Users in Successful Logins |
An overview of the top 10 users who successfully logged in. |
Top 10 Users in Failed Logins |
An overview of the top 10 users who failed to log in. |
Top 10 Sources in Successful User Logins |
An overview of the top 10 source addresses in successful user logins. |
Top 10 Sources in Failed User Logins |
An overview of the top 10 source addresses in failed user logins. |
User Login Status |
An overview of the user login status, which may be a successful login or failed login. |
Widgets available in LP_Unix Privilege Escalation provide:
Widget Name |
Description |
|---|---|
Session Duration |
An overview of Unix user session so you can see the full context of what happened through the session by session start timestamp, session end timestamp, user, root ID, and session ID. |
Root Privilege Command Execution |
An overview of the commands executed that require privileges not granted to a standard UNIX user account by root session start timestamp, root session end timestamp, user, command execute timestamp, and command. |
Top 10 Users in Privilege Escalation |
An overview of the top 10 users in privilege escalation who have gained elevated access to resources that are normally protected from an application or user. |
Top 10 Command Executed |
An overview of the top 10 executed Unix commands. |
Widgets available in LP_Unix:Authentication provide:
Widget Name |
Description |
|---|---|
Top 10 Successful Administrative Logins |
An overview of the top 10 successful administrative logins. You need a list of ADMINS to run this query. |
Top 10 Users in Successful Login |
An overview of the top 10 users who logged in successfully. |
Users in Successful Login - List |
A detailed list of the successful user logins by a user, action, and source address. |
Top 10 Users in Failed Login |
An overview of the top 10 users who failed to log in successfully. |
Users in Failed Login - List |
A detailed list of the failed user logins by a user, action, and source address. |
Top 10 Failed Administrative Logins |
An overview of the top 10 admin users who could not log in successfully. You need a list of ADMINS to run this query. |
Top 10 User Login Activities |
An overview of the top 10 successful user activities, such as successful login or failed login. |
Widgets available in LP_Unix:User Account Management provide:
Widget Name |
Description |
|---|---|
Created Accounts - List |
A detailed list of created accounts. |
User Accounts Created |
An overview of the created user accounts. |
User Accounts Deleted |
An overview of the deleted user accounts. |
Activities in User Account Management |
An overview of the activities in the user account management, such as user adds or group adds. |
Activities in User Account Management - List |
A detailed list of activities in user account management by user and action. |
Top 10 Actions in User Account Management |
An overview of the top 10 actions performed in the user account management. |
User Account Password Change |
An overview of the changed user account password. |
Locked User Account |
An overview of the locked user account due to a bad password. |
User Account Unlocked |
An overview of the unlocked user account. |
User Account Locked/Unlocked - Status |
An overview of the locked or unlocked user account’s status by user, action, and object. |
Newly Created Group - List |
A detailed list of a newly created group. |
Deleted Group - List |
A detailed list of deleted groups. |
Group User Deletion - List |
A detailed list of the users deleted or removed from a group. |
User Added in Group |
An overview of the users added to a group. |
Alerts available in Unix are:
Trigger Condition: An account is not present but is used repeatedly to login. This may be a brute force attack by a bot, malware, or threat agent.
ATT&CK Category: Credential Access
ATT&CK Tag: Brute Force
ATT&CK ID: T1110
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix ((label=Account label=Absent) OR (label=User label=Authentication label=Fail)) user=* | chart count() as cnt by user | search cnt>10
Trigger Condition: Unix Kernel stops logging that may violate the audit compliance of the organization.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Indicator Blocking
ATT&CK ID: T1562, T1562.006
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix OR norm_id=Kernel label=Logging label=Stop "process"="kernel" action="stopped"
Trigger Condition: A user account is deleted.
ATT&CK Category: Impact
ATT&CK Tag: Account Access Removal
ATT&CK ID: T1531
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=User label=Account label=Management label=Delete label=Remove user=*
Trigger condition: Information on password expiry information is changed for a user.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=User label=Password label=Expire label=Account label=Management label=Change user=*
Trigger condition: A group is deleted.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=Group label=Management label=Remove group=*
Trigger condition: Security violation is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Vmware
Query:
norm_id=Unix label=Security label=Violation message=*
Trigger condition: Unlocked user account detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=User label=Account label=Management label=Unlock user=*
Trigger condition: An excessive denied connection from the same source is detected i.e., 100 denied connections within two minutes.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=Connection label=Deny | chart count() as cnt by source_address | search cnt>100
Trigger condition: A user account is removed from the privileged group. For this alert to work, you must update the list ADMIN_GROUPS, with the name of privileged groups.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=User label=Group label=Management label=Member label=Remove user=* (group=admin OR group IN ADMIN_GROUPS)
Trigger condition: The user account tries to escalate the privilege and fails.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
norm_id=Unix label=User label=Fail (label=Login OR label=Authentication) user=root caller_user=*
Trigger condition: A user session detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Unix
Query:
[norm_id=Unix "successful su for" user=root user=* process_id=*] as s1 join [norm_id=Unix command=exit role_id=* session_id=*] as s2 on s1.user=s2.user and s1.process_id=s2.role_id |
rename s1.log_ts as start_ts, s2.log_ts as end_ts, user as User, s2.role_id as role_id, s2.session_id as session_id | chart count() by start_ts, end_ts, User, role_id, session_id
Labels available in LP_Unix are:
Labels |
Description |
|---|---|
Cron, Job |
Events with the pam_unix(cron:session) message. |
Cron, Job |
Events with the /USR/SBIN/CRON message. |
Cron, Job |
Events with the CRON or cron process. |
NSCD |
Events with the nscd process. |
Successful |
Events with the Successful, Success, or Login successful status. |
Fail |
Events with the Failed, Fail, or Login failed status. |
Login |
Events with the object in authentication, keyboardinteractive/pam, publickey, or password. |
User, Login, Successful |
Events with the Accepted Password, Accepted publickey, or Session opened. |
User, Login, Fail |
Events with the Authentication Failure or Failed Password. |
User, Logoff |
Events with the Session closed message. |
User, Account, Management, Password, Change |
Events with the Password changed message. |
User, Account, Management, Remove |
Events with the Delete user message. |
User, Account, Management, Create |
Events with the A new user message. |
Privilege, Access |
Events with the sudo or su process. |
Service, Start |
Events with the Starting or Start action for all Unix services. |
Service, Restart |
Events with the Re-starting, Restarting, or Restart action for all Unix services. |
Service, Stop |
Events with the Stop or Stopping action for all Unix services. |
FTP |
Events with the ftp or ftpd process. |
ssh |
Events with the sshd process. |
Command, Execute |
Events with the Unix command. |
Remove |
Events with the Delete or Deleted action. |
Modify |
Events with the Replace action. |
Start, Change, Edit |
Events with the Beign Edit action. |
Add |
Events with the Account added action. |
Remove |
Events with the Account removed action. |
Labels available in LP_Unix SSHD are:
Labels |
Description |
|---|---|
Session, Close |
Events with the closed action or the closed status. |
Session, Open |
Events with the opened action or the opened status. |
Labels available in LP_Common Unix Systems are:
Labels |
Description |
|---|---|
Open |
Events with the opened message. |
Close |
Events with the closed action |
Add |
Events with the added action. |
Delete |
Events with the deleted action. |
User, Delete |
Events with the userdel process. |
User, Add |
Events with the useradd process. |
Add |
Events with the account added action. |
Remove |
Events with the removed action. |
Successful |
Events with the successful status. |
Fail |
Events with the failed status. |
Labels available in LP_Unix Systemd are:
Labels |
Description |
|---|---|
Session, Start |
Session start events. |
Go to Report >> Report Template >> Vendor Report Templates.
Using the Unix Report Template¶
Click Add from the Actions column.
Using Unix Report Template¶
Click Run this Report under the Actions column.
Running Unix Report Template¶
Select Repos, Time Zone, Time Range, Export Type, and enter the Email address.
Click Submit.
You can view the reports being generated under Report Jobs and download the generated reports from Inbox with .pdf extension by clicking PDF under the Download section.
A report contains widgets enabling you to analyze the data in different formats like graphs, time trends, lists, and text. Reports are time-bound, which means they are incident summaries over a period of time, for example, the last 24 hours or last five minutes. While generating a report, you can customize the calendar period according to your needs.
Report templates available for Unix are:
LP_Unix: User Privilege Escalation is the incident summary report that provides statistical information on the session duration, commands executed, users in privilege escalation, and root privilege command execution in different formats, such as graphs and lists.
LP_Unix: User Account Management is the incident summary report that provides statistical information on the user account created or deleted, activities in user account management, user account locked or unlocked, newly formed group or deleted group, and account status in different formats, such as graphs or lists.
LP_Unix: Authentication is the incident summary report that provides statistical information on the successful or unsuccessful administrative logins and user login activities in different formats, such as graphs or lists.