Cmd¶
About¶
Cmd Logging allows clients to search security incident logs in real-time. Many SIEM tools cant index the volume of data fast enough to support real-time searchability. By allowing for this search, Cmd greatly reduces security incident investigation time and increases visibility across the Linux fleet of assets.
Product Details¶
Vendor URL: Cmd Logging
Product Type: Log Aggregation
Product Tier: Tier III
Integration Method: Custom
Integration URL: Cmd Logging
Log Guide: n/a
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: CMD
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| args.0-2 | principal.process.command_line |
| cwd | principal.process.file.full_path |
| event_time | metadata.event_timestamp |
| event_type | metadata.product_event_type |
| event_uuid | metadata.product_log_id |
| inception_entry_mechanism | metadata.description |
| parent_ppid | target.process.parent_process.parent_process.pid |
| project_id | metadata.product_deployment_id |
| self_exe | target.process.parent_process.file.full_path |
| self_pid | target.process.pid |
| self_ppid | target.process.parent_process.pid |
| self_user | principal.user.userid |
| server_hostname | target.hostname |
| server_ips | principal.ip |
| server_ips | security_result.about.ip |
| server_name | security_result.about.hostname |
| trigger_name | security_result.summary |
| trigger_query | security_result.about.process.command_line |
| uts_hostname | principal.hostname |
| version | metadata.product_version |
Product Event Types¶
| trigger_name | UDM Event Type |
|---|---|
| all others | PROCESS_LAUNCH |
| Connection | NETWORK_CONNECTION |
| Connection | GENERIC_EVENT |
Log Sample¶
{"session_ppid":73318,"session_pgid":45687,"session_ruid":44278,"session_euid":44278,"last_known_uec_parent_ctty_minor":0,"version":"1.0.0","parent_pid":33588,"inception_session_rgid":40035,"parent_ppid":45687,"session_stderr_minor":0,"cmd_user":"","inception_session_egid":40035,"inception_session_stderr_major":0,"last_known_uec_parent_stdout_minor":0,"parent_egid":4294967295,"parent_stdout_major":0,"parent_sgid":4294967295,"shell_command_number":"0","cri_pod_name":"","process_uuid":"salq-asl1","self_stderr_minor":3,"inception_session_ip_latitude":37.751,"group_uuid":"50t1l1-tlf11","session_exe":"/bin/bash","session_ctty_major":0,"inception_session_euid":44278,"self_stdout_major":0,"cpu_id":20,"self_rgid":40035,"last_known_uec_parent_rgid":0,"last_known_uec_parent_egid":0,"shell_completion":false,"shell_rl_buffer":"","inception_session_city":"","last_known_uec_parent_uuid":"00000000-0000-0000-0000-000000000000","inception_session_start_time_ticks":"406937977","inception_session_suid":44278,"self_stderr_major":1,"session_stdin_major":0,"last_known_uec_parent_ruid":0,"cri_container_id":"","parent_exe":"/bin/bash","parent_stdin_major":0,"session_user":"johndoe","session_stdout_minor":0,"last_known_uec_parent_sgid":0,"inception_session_country":"United States","event_type":"EXEC","self_ctty_major":0,"server_hostname":"hostname","self_egid":40035,"parent_pgid":45687,"exe":"/usr/local/user/bin/gmodulecmd","inception_session_ip_risk":0.23,"cri_container_image":"","self_pid":4782,"self_ruid":44278,"self_ctty_minor":0,"parent_user":"johndoe","inception_session_sid":45687,"inception_session_region":"","project_id":"PRJ-1","boot_id":"dbghh-qll1","parent_suid":4294967295,"parent_stderr_minor":0,"parent_start_time_ticks":"406937984","last_known_uec_parent_exe":"","last_known_uec_parent_pgid":0,"last_known_uec_parent_start_time_ticks":"0","self_sgid":40035,"parent_sid":45687,"cmd_roles":[],"cri_node_name":"","parent_ruid":4294967295,"parent_stdout_minor":0,"session_stderr_major":0,"last_known_uec_parent_stderr_minor":0,"server_groups":["group1","group2","group3"],"uts_domain_name":"(none)","session_uuid":"50t1l1-tlf11","self_suid":44278,"self_start_time_ticks":"406937984","session_sgid":40035,"inception_entry_mechanism":"SSH","inception_session_uuid":"50t1l1-tlf11","thread_id":4782,"cwd":"","server_uuid":"yqyqiwor","parent_stderr_major":0,"inception_session_ruid":44278,"last_known_uec_parent_ppid":0,"last_known_uec_parent_suid":0,"self_pgid":45687,"session_sid":45687,"last_known_uec_parent_stderr_major":0,"inception_estimated_start_time":"2022-09-06T02:03:54.837859851Z","inception_source_ip":"10.1.1.4","inception_session_ctty_major":0,"last_known_uec_parent_stdin_major":0,"self_stdin_major":0,"self_stdout_minor":0,"session_pid":45687,"inception_session_env_vars":[],"self_ppid":33588,"self_euid":44278,"inception_session_ip_longitude":-97.822,"interactive_session":false,"inception_session_stdin_major":0,"session_ctty_minor":0,"inception_session_stderr_minor":0,"last_known_uec_parent_stdout_major":0,"cri_namespace":"","company_id":"company","self_user":"johndoe","session_suid":44278,"last_known_uec_parent_euid":0,"last_known_uec_parent_stdin_minor":0,"event_uuid":"1-040591","self_exe":"/usr/local/user/bin/gmodulecmd","session_rgid":40035,"last_known_uec_parent_user":"","pid_ns_ino":"4026531836","parent_euid":4294967295,"inception_session_stdin_minor":0,"session_egid":40035,"inception_session_user":"johndoe","parent_ctty_minor":0,"inception_session_sgid":40035,"uts_hostname":"hostname","self_sid":45687,"parent_rgid":4294967295,"inception_session_ctty_minor":0,"parent_uuid":"sa11-11e","parent_stdin_minor":0,"self_stdin_minor":0,"last_known_uec_parent_pid":0,"last_known_uec_parent_sid":0,"session_leader":false,"user_typed":false,"server_ips":["127.0.0.1","10.10.3.3","10.10.2.2"],"event_time":"2022-09-06T02:03:54.908826872Z","session_stdout_major":0,"inception_session_ppid":73318,"inception_session_pgid":45687,"inception_session_stdout_major":0,"last_known_uec_parent_ctty_major":0,"server_name":"hostname","cri_container_name":"","session_stdin_minor":0,"inception_session_exe":"/bin/bash","session_start_time_ticks":"406937977","inception_session_pid":45687,"inception_session_stdout_minor":0,"args":["/usr/local/user/bin/gmodulecmd","bash","load","cmake-3.14.4"],"interactive_process":false,"parent_ctty_major":0}
Sample Parsing¶
metadata.product_log_id = "1-040591"
metadata.event_timestamp = "2022-09-06T02:03:54.908826872Z"
metadata.event_type = "PROCESS_LAUNCH"
metadata.vendor_name = "Cmd"
metadata.product_name = "Cmd"
metadata.product_version = "1.0.0"
metadata.product_event_type = "EXEC"
metadata.description = "SSH"
metadata.product_deployment_id = "PRJ-1"
metadata.id = "AQSwasdf="
principal.hostname = "hostname"
principal.user.userid = "johndoe"
principal.process.command_line = "/usr/local/user/bin/gmodulecmd bash load cmake-3.14.4"
principal.ip = "10.10.3.3"
principal.ip = "10.10.2.2"
principal.asset.hostname = "hostname"
principal.asset.ip = "10.10.3.3"
principal.asset.ip = "10.10.2.2"
target.hostname = "hostname"
target.process.pid = "4782"
target.process.parent_process.pid = "33588"
target.process.parent_process.file.full_path = "/usr/local/user/bin/gmodulecmd"
target.process.parent_process.parent_process.pid = "45687"
target.asset.hostname = "hostname"
security_result.about.hostname = "hostname"
security_result.about.ip = "127.0.0.1"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming soon