General Switch User (su)
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| General Switch User (su) | Base Rule | Authentication Success | Authentication Activity |
| Successful Switch User (su) | Sub Rule | Authentication Success | Authentication Activity |
| Failed Switch User | Sub Rule | Authentication Failure | User Logon Failure |
| Failed SU Root Access | Sub Rule | Authentication Failure | User Logon Failure |
| Successful SU Root Access | Sub Rule | Authentication Success | Authentication Activity |
Mapping with LogRhythm Schema
| Device Key in log message | LogRhythm Schema | Data Type |
|---|---|---|
| 2011-07-06T01:20:02-05:00 | <dname> | Text/String |
| su | <tag1> | Text/String |
| N/A | <login> | Text/String |
| to | <account> | Text/String |
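As an added example (not vendor code from this page), the following Python sketch parses constructed su syslog lines in the shadow-utils message format, extracts the `<tag1>`, `<login>` and `<account>` fields named in the mapping table, and assigns each line to one of the sub rules in the classification table. The regular expression and the sample lines are assumptions made for illustration, not the rule's actual pattern.

```python
import re
from typing import Optional

# Constructed sample syslog lines in the shadow-utils su message format; they
# are illustrative input, not log samples from the page.
SAMPLE_LOGS = [
    "2011-07-06T01:20:02-05:00 host1 su: (to root) alice on /dev/pts/0",
    "2011-07-06T01:21:10-05:00 host1 su[4021]: FAILED SU (to root) bob on /dev/pts/1",
    "2011-07-06T01:22:33-05:00 host1 su: (to postgres) carol on /dev/pts/2",
    "2011-07-06T01:23:45-05:00 host1 su: FAILED SU (to postgres) dave on /dev/pts/3",
    "2011-07-06T01:24:00-05:00 host1 sshd[77]: Accepted password for eve from 10.0.0.5",
]

# Assumed pattern for the su message body (hypothetical; not the vendor's rule regex).
# "FAILED SU" marks the failure branch; "(to <account>) <login>" carries both identities.
SU_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<tag1>su)(?:\[\d+\])?:\s+"
    r"(?P<failed>FAILED SU\s+)?\(to (?P<account>\S+)\)\s+(?P<login>\S+)"
)


def parse_su(line: str) -> Optional[dict]:
    """Return the schema fields (<tag1>, <login>, <account>) plus a success flag,
    or None if the line is not an su switch-user message."""
    m = SU_RE.match(line)
    if not m:
        return None
    return {
        "tag1": m.group("tag1"),
        "login": m.group("login"),      # user who invoked su
        "account": m.group("account"),  # target account after the "to" key
        "success": m.group("failed") is None,
    }


def classify(fields: dict) -> str:
    """Map parsed fields to the sub rule names from the classification table."""
    to_root = fields["account"] == "root"
    if fields["success"]:
        return "Successful SU Root Access" if to_root else "Successful Switch User (su)"
    return "Failed SU Root Access" if to_root else "Failed Switch User"


def triage(lines: list) -> list:
    """Classify every su line; lines from other programs are skipped, not misfiled."""
    results = []
    for line in lines:
        fields = parse_su(line)
        if fields is not None:
            results.append((fields["login"], fields["account"], classify(fields)))
    return results
```

Calling `triage(SAMPLE_LOGS)` returns one (login, account, sub rule) tuple per su line; the sshd line is dropped because `parse_su` returns None for it.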