Unusual Sudo Activity

Elastic Detection Rules

Summary
The detection rule 'Unusual Sudo Activity' identifies abnormal sudo command executions from a user context that is not typically associated with administrative tasks. Using machine learning, the rule flags users whose sudo executions deviate from learned behavior, which may indicate that compromised credentials are being used to escalate privileges. This strengthens the security posture against unauthorized access attempts and system compromise. The rule operates on data collected through Elastic's integrations and requires both Elastic Defend and Auditd Manager to be set up. It assesses sudo command logs over a 45-minute window, checking for anomalies against learned patterns of normal behavior. The rule's documentation also covers setup instructions for enabling the integrations, guidance on investigating alerts, and recommendations for handling false positives so that alerts are properly contextualized for investigation.
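As an added illustration, not Elastic's rule logic (the real rule is a machine-learning job over Elastic Defend and Auditd Manager data), the simplified Python below builds a per-user sudo baseline from syslog-style sudo lines and flags users who run sudo inside a 45-minute window without any baseline history. All log lines, hostnames and user names are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed syslog-style sudo lines used as the learning period (sample data).
BASELINE_LOGS = """\
Mar 01 09:00:01 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 01 09:05:12 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 01 10:15:00 host sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/journalctl -u sshd
Mar 01 11:20:44 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
"""

# Constructed lines to evaluate; the last one falls outside the 45-minute window.
WINDOW_LOGS = """\
Mar 02 14:00:01 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 02 14:03:10 host sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Mar 02 14:03:15 host sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/id
Mar 02 15:30:00 host sudo: carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/ls
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>\S+)"
)

def parse(lines):
    """Yield (timestamp, invoking user, executable) for each matching sudo line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["cmd"]

def build_baseline(lines):
    """Count sudo invocations per user over the learning period."""
    return Counter(user for _, user, _ in parse(lines))

def unusual_sudo(baseline, lines, window=timedelta(minutes=45)):
    """Return {user: [executables]} for users seen running sudo inside the window
    starting at the first event but never seen in the baseline (a stand-in for
    the rule's notion of a user context not normally associated with sudo)."""
    events = list(parse(lines))
    if not events:
        return {}
    start = events[0][0]
    flagged = {}
    for ts, user, cmd in events:
        if ts - start > window:
            break  # events are ordered; stop once the window has elapsed
        if baseline[user] == 0:  # Counter returns 0 for unseen users
            flagged.setdefault(user, []).append(cmd)
    return flagged
```

Investigating a hit means confirming whether the flagged user (here a service account) has any legitimate reason to invoke sudo, which is exactly the triage the rule's guidance asks for.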
Categories
  • Endpoint
  • Linux
Data Sources
  • User Account
  • Application Log
  • Process
ATT&CK Techniques
  • T1548
Created: 2020-09-03