Baseline - Unix_SUDO_Commands.json
{
"flows": [
{
"name": "Baseline - Unix_SUDO_Commands",
"nodes": [
{
"id": "7037218e-a579-4271-b6ca-81d11c0841c7",
"name": "Unix_SUDO_Commands_Baseline",
"kind": "eventType",
"isLeaf": false,
"eventType": "eventType-31",
"warnings": [],
"description": "",
"isExplainable": true,
"x": 310,
"y": -180,
"vertices": [],
"isEditable": false,
"isStepImplementable": true,
"executionDependsOn": [],
"outputtedNode": false,
"contentItemIdentifier": {
"kind": "EventTypeContentKind",
"id": "eventType-31"
},
"categoryKind": "FetchData",
"linkToTrigger": true,
"iconTitle": "Fetch Data: Unix_SUDO_Commands_Baseline",
"usedByEventTypes": []
},
{
"id": "eb0ebde9-2fee-48fd-9b51-2450ac0ce736",
"name": "Baseline_SUDO_Commands_By_User",
"kind": "augmentation",
"lql": "`select * from Unix_SUDO_Commands_Baseline`",
"operator": "SELECT",
"isLeaf": true,
"warnings": [],
"description": "",
"isExplainable": true,
"x": 310,
"y": 30,
"vertices": [],
"isEditable": false,
"isStepImplementable": true,
"executionDependsOn": [],
"outputtedNode": false,
"formType": "LQLEditor",
"categoryKind": "Code",
"iconTitle": "Code: SQL",
"usedByEventTypes": []
}
],
"oldId": "flow-1039",
"listNames": [],
"dependentCommands": [],
"resourceFormatVersion": 2,
"fileDataSeq": []
}
],
"baselines": [],
"eventTypes": [
{
"id": "eventType-31",
"data": {
"name": "Unix_SUDO_Commands_Baseline",
"query": "_sourceCategory=server/nutanix/* sudo \"COMMAND=\" \"USER=\" NOT(\"/sbin/fstrim\" AND \"/home/nutanix/data/stargate-storage\") NOT (\"/usr/sbin/iotop\" AND \"PWD=/home/nutanix ; USER=root\") |parse regex field=_raw \".*\\ssudo\\[\\d+\\]:\\s+(?<username>\\w+)\\s+:.*USER=(?<runas>\\w+).*COMMAND=(?<command>[^\\s]+)\\s(?<parameters>.*)\" |count by command,username",
"keyColumns": "command,username",
"connection": "connection-2",
"connectionTypeEntities": {
"entities": [
{
"connectionType": {
"connectionType": "sumologic",
"value": "query"
},
"connectionTypeDetail": {
"query": "_sourceCategory=server/nutanix/* sudo \"COMMAND=\" \"USER=\" NOT(\"/sbin/fstrim\" AND \"/home/nutanix/data/stargate-storage\") NOT (\"/usr/sbin/iotop\" AND \"PWD=/home/nutanix ; USER=root\") |parse regex field=_raw \".*\\ssudo\\[\\d+\\]:\\s+(?<username>\\w+)\\s+:.*USER=(?<runas>\\w+).*COMMAND=(?<command>[^\\s]+)\\s(?<parameters>.*)\" |count by command,username",
"connection": "connection-2"
}
}
]
},
"defaultConnectionType": {
"connectionType": "sumologic",
"value": "query"
}
}
}
],
"connections": [
{
"id": "connection-2",
"data": {
"connectionType": "sumologic",
"name": "SumoLogic",
"isActive": false,
"account": "",
"secret": "",
"url": "https://api.us2.sumologic.com/api/v1"
}
}
],
"modules": [],
"annotations": [],
"filters": [],
"ruleSets": [],
"integrationInstances": [],
"customLists": [],
"streams": [],
"dashboards": [],
"images": [],
"codeBlobs": {},
"customListsData": {},
"executionScripts": [],
"userForms": [],
"flowNodeReferences": [],
"destinations": [],
"fileResources": [],
"fileDataSeq": [],
"eventModels": [],
"version": 1
}