System Call Activity
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| System Call Activity | Base Rule | System Call | Other Audit Success |
| x64 File Open Permission Denied | Sub Rule | Access Object Failure | Access Failure |
| x64 File Delete Failed | Sub Rule | File Delete Failure | Error |
| CHMOD Filesystem Object | Sub Rule | Object Modified | Access Success |
| CHOWN Filesystem Object | Sub Rule | Object Modified | Access Success |
| Signal Return | Sub Rule | Return Status Ignore | Information |
| FCHMOD Filesystem Object | Sub Rule | Object Modified | Access Success |
| CHMOD Filesystem Object | Sub Rule | Object Modified | Access Success |
| x64 File Open Permission Denied | Sub Rule | Access Object Failure | Access Failure |
| Unmount Volume | Sub Rule | File System Unmounted | Information |
| Mount Volume | Sub Rule | File System Mounted | Information |
| Program Executed | Sub Rule | Program Executed | Information |
| CHMOD Filesystem Object x64 | Sub Rule | Object Modified | Access Success |
| CHMOD Filesystem Object x32 | Sub Rule | Object Modified | Access Success |
| CHMOD Filesystem Object x32 | Sub Rule | Object Modified | Access Success |
| CHMOD Filesystem Object x32 | Sub Rule | Object Modified | Access Success |
| CHOWN Filesystem Object x64 | Sub Rule | Object Modified | Access Success |
| CHOWN Filesystem Object x64 | Sub Rule | Object Modified | Access Success |
| CHOWN Filesystem Object x64 | Sub Rule | Object Modified | Access Success |
| CHOWN Filesystem Object x32 | Sub Rule | Object Modified | Access Success |
| CHOWN Filesystem Object x32 | Sub Rule | Object Modified | Access Success |
| CHOWN Filesystem Object x32 | Sub Rule | Object Modified | Access Success |
| CHOWN Filesystem Object x32 | Sub Rule | Object Modified | Access Success |
| Mount Volume x32 | Sub Rule | File System Mounted | Information |
| Unmount Volume x32 | Sub Rule | File System Unmounted | Information |
| Program Executed x32 | Sub Rule | Program Executed | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| N/A | <severity> | Text/String |
| type | <vmid> | Text/String |
| arch | <version> | Number/String |
| syscall | <command> | Number |
| success | <result>, <tag2> | Text/String |
| exit | <subject> | Number |
| ppid | <parentprocessid> | Number |
| pid | <processid> | Number |
| auid | <login> | Number |
| uid | <account> | Number |
| gid | <group> | Number |
| ses | <session> | Number |
| comm | <process> | Text/String |
| exe | <object> | Text/String |
| key | <objectname> | Number/Text |