Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Logging Configuration Changes on Linux Host

Detect changes of syslog daemons configuration files

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Mikhail Larin, oscd.communityCreated Fri Oct 25Updated Sat Nov 27c830f15d-6f6e-430f-8074-6f73d6807841linux
Log Source
Linuxauditd
ProductLinux← raw: linux
Serviceauditd← raw: auditd
Detection Logic
Detection Logic1 selector
detection:
    selection:
        type: 'PATH'
        name:
            - /etc/syslog.conf
            - /etc/rsyslog.conf
            - /etc/syslog-ng/syslog-ng.conf
    condition: selection
False Positives

Legitimate administrative activity

References
1
Resolving title…
self experience
MITRE ATT&CK
Rule Metadata
Rule ID
c830f15d-6f6e-430f-8074-6f73d6807841
Status
test
Level
high
Type
Detection
Created
Fri Oct 25
Modified
Sat Nov 27
Author
Mikhail Larin, oscd.community
Path
rules/linux/auditd/path/lnx_auditd_logging_config_change.yml
Raw Tags
attack.defense-evasionattack.t1562.006
View on GitHub