ElasticSearch - CheatSheet
Auditd
Filtering when someone creates a local user
host.hostname: "<hostname>" and auditd.log.record_type: "EXECVE" and process.executable.text: "/sbin/useradd"
host.hostname: "<hostname>" and auditd.log.record_type: "EXECVE" and process.executable.text: "/bin/passwd"
host.hostname: "<hostname>" and auditd.log.record_type: "EXECVE" and process.executable.text: "/usr/bin/perl" and process.args: "/usr/sbin/adduser"
host.hostname: "<hostname>" and auditd.log.name: "/usr/sbin/adduser"
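The four queries above, as an added example that is not part of the original cheat sheet: a small Python script that applies the same AND-of-terms logic to constructed ECS-style auditd events (the hostnames, user name and argument lists are invented sample data) and renders each rule back into the cheat sheet's KQL form. It approximates KQL semantics only: exact comparison on single-valued fields and membership on the `process.args` array, whereas the real `process.executable.text` field is analyzed by Elasticsearch, so a production query may match more loosely than this script does.

```python
"""Apply the cheat sheet's local-user-creation rules to constructed auditd events.

The events below are invented samples shaped like Auditbeat/Filebeat auditd
output in ECS, flattened to dotted keys; they are not real logs.
"""
from typing import Any, Dict, List, Tuple

Term = Tuple[str, str]

# Constructed sample events. Event 3 models an auditd PATH record (name= field),
# the others model EXECVE records with their argument vectors.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"host.hostname": "web01", "auditd.log.record_type": "EXECVE",
     "process.executable.text": "/sbin/useradd",
     "process.args": ["useradd", "-m", "svc_backup"]},
    {"host.hostname": "web01", "auditd.log.record_type": "EXECVE",
     "process.executable.text": "/bin/passwd",
     "process.args": ["passwd", "svc_backup"]},
    {"host.hostname": "web01", "auditd.log.record_type": "EXECVE",
     "process.executable.text": "/usr/bin/perl",
     "process.args": ["perl", "/usr/sbin/adduser", "svc_backup"]},
    {"host.hostname": "web01", "auditd.log.record_type": "PATH",
     "auditd.log.name": "/usr/sbin/adduser"},
    # Same useradd call on another host: must not match a query scoped to web01.
    {"host.hostname": "db02", "auditd.log.record_type": "EXECVE",
     "process.executable.text": "/sbin/useradd",
     "process.args": ["useradd", "svc_backup"]},
    # Perl running an unrelated script: must not match the perl/adduser rule.
    {"host.hostname": "web01", "auditd.log.record_type": "EXECVE",
     "process.executable.text": "/usr/bin/perl",
     "process.args": ["perl", "backup.pl"]},
]

# The cheat sheet's four queries, minus the host.hostname term, which is added
# per search so the same rules can be scoped to any host.
RULES: Dict[str, List[Term]] = {
    "useradd": [("auditd.log.record_type", "EXECVE"),
                ("process.executable.text", "/sbin/useradd")],
    "passwd": [("auditd.log.record_type", "EXECVE"),
               ("process.executable.text", "/bin/passwd")],
    "perl_adduser": [("auditd.log.record_type", "EXECVE"),
                     ("process.executable.text", "/usr/bin/perl"),
                     ("process.args", "/usr/sbin/adduser")],
    "adduser_path": [("auditd.log.name", "/usr/sbin/adduser")],
}


def term_matches(event: Dict[str, Any], field: str, value: str) -> bool:
    """Approximate one KQL `field: "value"` term: exact match on a scalar field,
    membership test on an array-valued field (e.g. process.args)."""
    actual = event.get(field)
    if actual is None:
        return False
    if isinstance(actual, list):
        return value in actual
    return actual == value


def rule_matches(event: Dict[str, Any], rule: List[Term]) -> bool:
    """All terms of a rule are joined by AND, as in the cheat sheet queries."""
    return all(term_matches(event, field, value) for field, value in rule)


def to_kql(hostname: str, rule: List[Term]) -> str:
    """Render a scoped rule in the same KQL form the cheat sheet uses."""
    terms = [("host.hostname", hostname)] + rule
    return " and ".join(f'{field}: "{value}"' for field, value in terms)


def run_rules(events: List[Dict[str, Any]], hostname: str) -> Dict[str, List[int]]:
    """Return, per rule name, the indices of events on `hostname` that match."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for idx, event in enumerate(events):
        for name, terms in RULES.items():
            scoped = [("host.hostname", hostname)] + terms
            if rule_matches(event, scoped):
                hits[name].append(idx)
    return hits


if __name__ == "__main__":
    for name, terms in RULES.items():
        print(to_kql("web01", terms))
    print(run_rules(SAMPLE_EVENTS, "web01"))
```

Swapping `"web01"` for the host under investigation reproduces the four cheat sheet queries verbatim via `to_kql`, and `run_rules` shows which of the sample events each query would return; the two negative samples (other host, unrelated perl script) are there to confirm the host scoping and the `process.args` term do their job.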