# OpenObserve Kunai - Msticpy - sigma rules conversion

## Description
This notebook helps to convert, review and transform sigma rules to openobserve queries and alerts.

It leverages python_openobserve, msticpy and sigma.

Known issue(s)
* Alert import currently not working because of backend issue

Last updated: 2025/06/01

### Installation

In [None]:
# Only run first time to install/upgrade msticpy to latest version
# %pip install --upgrade msticpy

### Setup

In [1]:
# Check we are running Python 3.6
import sys

MIN_REQ_PYTHON = (3, 6)
if sys.version_info < MIN_REQ_PYTHON:
    print("Check the Kernel->Change Kernel menu and ensure that Python 3.6")
    print("or later is selected as the active kernel.")
    sys.exit("Python %s.%s or later is required.\n" % MIN_REQ_PYTHON)

# imports
import pandas as pd
from datetime import datetime, timedelta

# data library imports
from msticpy.data.data_providers import QueryProvider

print("Imports Complete")

Imports Complete


In [2]:
# to create alerts
import json
from python_openobserve.openobserve import OpenObserve

In [3]:
import os

# Custom Certificate Authority?
os.environ["REQUESTS_CA_BUNDLE"] = os.environ["HOME"] + "/tmp/ca-bundle-internal.pem"

In [4]:
# use custom config file?
# os.environ['MSTICPYCONFIG'] = '/path/to/msticpyconfig.yaml'

In [ ]:
# FIXME! does not get MSTICPYCONFIG...
from msticpy.config import MpConfigFile, MpConfigEdit

mpconfig = MpConfigFile()
mpconfig.load_default()
mpconfig.view_settings()
# mpedit = MpConfigEdit()
# mpedit

VBox(children=(Textarea(value='{}', layout=Layout(height='300px', width='99%')), Button(description='Close vie…


## Instantiating a query provider

You can instantiate a data provider for OpenObserve by specifying the credentials in connect or in msticpy config file. 
<br> If the details are correct and authentication is successful, it will show connected.

In [ ]:
openobserve_prov = QueryProvider("OpenObserve")
# openobserve_prov.connect(connection_str=<url>, user=<user>, password=<password>)
# openobserve_prov.connect()
openobserve_prov.connect(
    connection_str="https://openobserve.example.com",
    user="root@example.com",
    password="root@example.com",
)

connected with user root@example.com


## Running test OpenObserve query

In [7]:
openobserve_query = """
SELECT log_file_name,count(*) FROM "default" GROUP BY log_file_name
"""
df = openobserve_prov.exec_query(openobserve_query, days=1, verbosity=1)
df.head()

INFO: from 2025-05-31 17:21:55.960345 to 2025-06-01 17:21:55.960345, TZ UTC
'Query Time start 1748712115960345 end 1748798515960345'
{'query': {'end_time': 1748798515960345,
           'sql': '\n'
                  'SELECT log_file_name,count(*) FROM "default" GROUP BY '
                  'log_file_name\n',
           'start_time': 1748712115960345}}
DEBUG: results shape (1, 2)


Unnamed: 0,count(*),log_file_name
0,5,history.log


In [8]:
openobserve_query = """SELECT body__systemd_unit, count(*) FROM "journald" group by body__systemd_unit order by count(*) desc"""
df = openobserve_prov.exec_query(
    openobserve_query,
    start_time=datetime.now() - timedelta(days=1),
    end_time=datetime.now() - timedelta(days=0),
)
df.head()

Unnamed: 0,body__systemd_unit,count(*)
0,ssh.service,30301
1,wpa_supplicant.service,7959
2,cron.service,5103
3,init.scope,3820
4,,1350


## Sigma settings

In [9]:
rulesdir = os.environ["HOME"] + "/tmp/sigma/rules/linux/network_connection"
pipeline_f = (
    os.environ["HOME"]
    + "/tmp/pySigma-backend-openobserve/sigma/pipelines/openobserve/kunai.yml"
)
table_name = "kunai"

## Sigma functions

In [10]:
import pathlib

from sigma.collection import SigmaCollection
from sigma.backends.openobserve import openobserve
from sigma.pipelines.sysmon import sysmon_pipeline
from sigma.pipelines.common import logsource_linux_process_creation
from sigma.pipelines.common import logsource_linux_file_create
from sigma.pipelines.common import logsource_linux_network_connection

from sigma.processing.resolver import ProcessingPipelineResolver

# Create the pipeline resolver
piperesolver = ProcessingPipelineResolver()
# Add pipelines
piperesolver.add_pipeline_class(sysmon_pipeline())  # Sysmon
# FIXME! AttributeError: 'LogsourceCondition' object has no attribute 'name'
# piperesolver.add_pipeline_class(logsource_linux_process_creation()) # Linux
# piperesolver.add_pipeline_class(logsource_linux_file_create()) # Linux
# piperesolver.add_pipeline_class(logsource_linux_network_connection()) # Linux
# Create a combined pipeline
combined_pipeline = piperesolver.resolve(piperesolver.pipelines)
# Instantiate backend using the combined pipeline
openobserve_backend = openobserve.openobserveBackend(combined_pipeline)

In [11]:
from subprocess import check_output
import sqlglot

In [12]:
# `sigma convert -t openobserve -p ../pySigma-backend-openobserve/sigma/pipelines/openobserve/kunai.yml ../sigma/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml`
# https://github.com/SigmaHQ/sigma-cli/blob/main/sigma/cli/convert.py#L8
from sigma.exceptions import (
    SigmaError,
    SigmaPipelineNotAllowedForBackendError,
    SigmaPipelineNotFoundError,
)
from sigma.plugins import InstalledSigmaPlugins

plugins = InstalledSigmaPlugins.autodiscover()
backends = plugins.backends
pipelines = plugins.pipelines
pipeline_resolver = plugins.get_pipeline_resolver()

In [13]:
pipelines

{'sysmon': <sigma.pipelines.base.Pipeline at 0x79bd4c050980>,
 'windows-logsources': <function sigma.pipelines.windows.windows.windows_logsource_pipeline() -> sigma.processing.pipeline.ProcessingPipeline>,
 'windows-audit': <function sigma.pipelines.windows.windows.windows_audit_pipeline() -> sigma.processing.pipeline.ProcessingPipeline>}

In [14]:
pipeline_resolver

ProcessingPipelineResolver(pipelines={'sysmon': <sigma.pipelines.base.Pipeline object at 0x79bd4c050980>, 'windows-logsources': <function windows_logsource_pipeline at 0x79bd4c0934c0>, 'windows-audit': <function windows_audit_pipeline at 0x79bd4c093560>})

In [None]:
# https://github.com/SigmaHQ/sigma-cli/blob/main/sigma/cli/convert.py#L225
try:
    processing_pipeline = pipeline_resolver.resolve(pipeline_f, None)
except SigmaPipelineNotFoundError as e:
    raise (f"The pipeline '{e}' was not found.\n")

In [15]:
# FIXME! field names not converted
for rule_f in pathlib.Path(rulesdir).iterdir():
    # print(f"Listed rule file {rule_f}")
    if not rule_f.is_file():  # or str(rule_f).endswith('.yml'):
        print(f"Skipping rule file {rule_f}")
        continue
    with open(rule_f, "r", encoding="utf-8") as f:
        # print(f"Reading rule file {rule_f}")
        rule_y = f.read()
    print(f"Processing rule file {rule_f}")
    rule = SigmaCollection.from_yaml(rule_y)
    rule_sql = openobserve_backend.convert(rule)[0]
    rule_sql = rule_sql.replace("<TABLE_NAME>", f'"{table_name}"')
    # verify sql
    try:
        sqlglot.transpile(rule_sql)
    except sqlglot.errors.ParseError as e:
        raise e
    print(f"```{rule_sql}```")

Processing rule file /home/user/tmp/sigma/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml
```SELECT * FROM "kunai" WHERE DestinationHostname='pool.minexmr.com' OR DestinationHostname='fr.minexmr.com' OR DestinationHostname='de.minexmr.com' OR DestinationHostname='sg.minexmr.com' OR DestinationHostname='ca.minexmr.com' OR DestinationHostname='us-west.minexmr.com' OR DestinationHostname='pool.supportxmr.com' OR DestinationHostname='mine.c3pool.com' OR DestinationHostname='xmr-eu1.nanopool.org' OR DestinationHostname='xmr-eu2.nanopool.org' OR DestinationHostname='xmr-us-east1.nanopool.org' OR DestinationHostname='xmr-us-west1.nanopool.org' OR DestinationHostname='xmr-asia1.nanopool.org' OR DestinationHostname='xmr-jp1.nanopool.org' OR DestinationHostname='xmr-au1.nanopool.org' OR DestinationHostname='xmr.2miners.com' OR DestinationHostname='xmr.hashcity.org' OR DestinationHostname='xmr.f2pool.com' OR DestinationHostname='xmrpool.eu' OR DestinationHostname='p

In [16]:
# `sigma convert -t openobserve -p ../pySigma-backend-openobserve/sigma/pipelines/openobserve/kunai.yml ../sigma/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml`
def convert_rulesdir(
    openobserve_prov,
    rulesdir,
    pipeline_f,
    table_name,
    stats=False,
    limit=5,
    verbosity=0,
):
    """
    Convert sigma rules from rulesdir with given pipeline and openobserve table, Run them
    Return results shape rules list, empty results rules lists, errors rules list
    """
    # rule_f => empty bool, errors true, lines returned
    df_results = pd.DataFrame(columns=["rule", "empty", "errors", "hits"])
    df_stats = pd.DataFrame()
    for rule_f in pathlib.Path(rulesdir).iterdir():
        rule_s = rule_f.name
        if not rule_f.is_file():
            print(f"Skipping rule file {rule_s}")
            continue

        cmd = f"sigma convert -t openobserve -p {pipeline_f} {rule_f}"
        print(f"=> Processing rule file {rule_s}:")
        rule_sql = check_output(
            ["sigma", "convert", "-t", "openobserve", "-p", pipeline_f, rule_f],
            encoding="UTF-8",
        )
        rule_sql = str(rule_sql).replace("<TABLE_NAME>", f'"{table_name}"')
        print(f"```{rule_sql}```")
        try:
            df = openobserve_prov.exec_query(
                rule_sql,
                days=1,
            )
        except:
            df_results.loc[len(df_results)] = [rule_s, False, True, 0]
            continue

        if df.empty:
            df_results.loc[len(df_results)] = [rule_s, True, False, 0]
        else:
            df_results.loc[len(df_results)] = [rule_s, False, False, df.shape[0]]
            if stats:
                try:
                    # print(f"Calculating stats for {rule_s}")
                    df_stats_tmp = rulestats_agg(
                        rule_s,
                        rule_sql,
                        openobserve_prov,
                        1,
                        limit=limit,
                        verbosity=verbosity,
                    )
                    df_stats = pd.concat([df_stats, df_stats_tmp])
                    # print(f"  -> {df_stats_tmp.shape}, {df_stats.shape}")
                except Exception as err:
                    print(f"stats exception: {err}")

    return (df_results, df_stats)

In [17]:
def rulestats_agg(rulename, rule_sql, openobserve_prov, days, limit=5, verbosity=0):
    """
    Make an aggregate count to identify Top results that are possibly noise
    https://sqlglot.com/sqlglot.html#examples
    """
    import sqlglot

    column_names = []

    for column in sqlglot.parse_one(rule_sql).find_all(sqlglot.exp.Column):
        # print(column.alias_or_name)
        column_names.append(column.alias_or_name)
    column_names.append("info_task_name")
    column_names.append("info_parent_task_name")
    column_names = list(set(column_names))
    # print(column_names)
    # Make aggregated query
    agg_sql = (
        rule_sql.replace(
            "SELECT * ", f"SELECT {",".join(column_names)},count(*) as count_ "
        )
        + f" GROUP BY {",".join(column_names)} ORDER BY count_ DESC LIMIT {limit}"
    )
    # only works if len(column_names)=1
    # agg_sql = f"SELECT string_agg({",".join(column_names)}, ', ') as topN FROM (" + test_sql.replace("SELECT * ", f"SELECT {",".join(column_names)},count(*) as count_ ") + f" GROUP BY {",".join(column_names)} ORDER BY count_ DESC LIMIT {topN}" + ')'
    # agg_sql = f"SELECT string_agg(data_exe_path, ', ') as topN FROM (" + test_sql.replace("SELECT * ", f"SELECT {",".join(column_names)},count(*) as count_ ") + f" GROUP BY {",".join(column_names)} ORDER BY count_ DESC LIMIT {topN}" + ')'
    # print(agg_sql)

    df_agg = openobserve_prov.exec_query(agg_sql, days=days, verbosity=verbosity)
    df_agg["rule"] = rulename
    return df_agg

In [18]:
def convert_rule2alert(
    openobserve, rule_f, pipeline_f, table_name, alertowner, alertdestination
):
    """
    Convert given sigma rule to openobserve alert and set it in live instance
    Return results shape rules list, empty results rules lists, errors rules list
    """
    cmd = f"sigma convert -t openobserve -f o2alert -p {pipeline_f} {rule_f}"
    print(f"=> Processing rule file {rule_f}:")
    rule_alert = check_output(
        [
            "sigma",
            "convert",
            "-t",
            "openobserve",
            "-f",
            "o2alert",
            "-p",
            pipeline_f,
            rule_f,
        ],
        encoding="UTF-8",
    )
    rule_alert = str(rule_alert).replace("<TABLE_NAME>", table_name)
    rule_alert = str(rule_alert).replace("<alert-owner-TBD>", alertowner)
    rule_alert = str(rule_alert).replace("<alert-destination-TBD>", alertdestination)
    print(f"```{rule_alert}```")

    openobserve.import_objects_split(
        "alerts",
        json.loads(rule_alert)[0],
        "",
        verbosity=5,
    )

## Functions tests

In [19]:
# test_sql = """SELECT * FROM "kunai" WHERE (data_path LIKE '/etc/cron.d/%' OR data_path LIKE '/etc/cron.daily/%' OR data_path LIKE '/etc/cron.hourly/%' OR data_path LIKE '/etc/cron.monthly/%' OR data_path LIKE '/etc/cron.weekly/%' OR data_path LIKE '/var/spool/cron/crontabs/%') OR (data_path LIKE '%/etc/cron.allow%' OR data_path LIKE '%/etc/cron.deny%' OR data_path LIKE '%/etc/crontab%')"""
# test_sql = """SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/bin/bash' AND (NOT (data_dst_ip='127.0.0.1' OR data_dst_ip='0.0.0.0'))"""
test_sql = """SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/file' AND regexp_like(data_command_line, '(.){200,}', 'i')) OR (data_exe_path LIKE '%/ls' AND data_command_line LIKE '%-R%') OR data_exe_path LIKE '%/find' OR data_exe_path LIKE '%/tree' OR data_exe_path LIKE '%/findmnt' OR data_exe_path LIKE '%/mlocate'"""

In [20]:
rulestats_agg("rulename", test_sql, openobserve_prov, 1)

Unnamed: 0,count_,data_command_line,data_exe_path,info_parent_task_name,info_task_name,rule
0,624,find /usr/lib/php -mindepth 1 -maxdepth 1 -reg...,/usr/bin/find,phpquery,find,rulename
1,576,find /var/log/zeek -type d -regex .*/[0-9][0-9...,/usr/bin/find,bash,find,rulename
2,575,find /var/log/zeek -type f -regex .*/[0-9][0-9...,/usr/bin/find,bash,find,rulename
3,528,find -O3 /var/lib/php/sessions/ -ignore_readdi...,/usr/bin/find,sessionclean,find,rulename
4,192,find /proc/231/fd -ignore_readdir_race -lname ...,/usr/bin/find,sessionclean,find,rulename


## Rules Conversion
Convert rules, check against live instance if returns results, errors or not.
Include or not statistics of TopN aggregated result for matching rule.

In [21]:
rulesdir = os.environ["HOME"] + "/tmp/sigma/rules/linux/network_connection"

In [22]:
(df_res, df_stats) = convert_rulesdir(
    openobserve_prov, rulesdir, pipeline_f, table_name, stats=True
)

=> Processing rule file net_connection_lnx_crypto_mining_indicators.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_dst_hostname='pool.minexmr.com' OR data_dst_hostname='fr.minexmr.com' OR data_dst_hostname='de.minexmr.com' OR data_dst_hostname='sg.minexmr.com' OR data_dst_hostname='ca.minexmr.com' OR data_dst_hostname='us-west.minexmr.com' OR data_dst_hostname='pool.supportxmr.com' OR data_dst_hostname='mine.c3pool.com' OR data_dst_hostname='xmr-eu1.nanopool.org' OR data_dst_hostname='xmr-eu2.nanopool.org' OR data_dst_hostname='xmr-us-east1.nanopool.org' OR data_dst_hostname='xmr-us-west1.nanopool.org' OR data_dst_hostname='xmr-asia1.nanopool.org' OR data_dst_hostname='xmr-jp1.nanopool.org' OR data_dst_hostname='xmr-au1.nanopool.org' OR data_dst_hostname='xmr.2miners.com' OR data_dst_hostname='xmr.hashcity.org' OR data_dst_hostname='xmr.f2pool.com' OR data_dst_hostname='xmrpool.eu' OR data_dst_hostname='pool.hashvault.pro' OR data_dst_hostname='moneroocean.stream' OR data_dst_hostname='monerocean.stream'
```
=> Processing rule file net_connection_lnx_back_connect

Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/bin/bash' AND (NOT (data_dst_ip='127.0.0.1' OR data_dst_ip='0.0.0.0'))
```
=> Processing rule file net_connection_lnx_domain_localtonet_tunnel.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_dst_hostname LIKE '%.localto.net' OR data_dst_hostname LIKE '%.localtonet.com') AND Initiated='true'
```
=> Processing rule file net_connection_lnx_susp_malware_callback_port.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (Initiated='true' AND (data_dst_port=888 OR data_dst_port=999 OR data_dst_port=2200 OR data_dst_port=2222 OR data_dst_port=4000 OR data_dst_port=4444 OR data_dst_port=6789 OR data_dst_port=8531 OR data_dst_port=50501 OR data_dst_port=51820)) AND (NOT (data_dst_ip LIKE '127.%' OR data_dst_ip LIKE '10.%' OR data_dst_ip LIKE '172.16.%' OR data_dst_ip LIKE '172.17.%' OR data_dst_ip LIKE '172.18.%' OR data_dst_ip LIKE '172.19.%' OR data_dst_ip LIKE '172.20.%' OR data_dst_ip LIKE '172.21.%' OR data_dst_ip LIKE '172.22.%' OR data_dst_ip LIKE '172.23.%' OR data_dst_ip LIKE '172.24.%' OR data_dst_ip LIKE '172.25.%' OR data_dst_ip LIKE '172.26.%' OR data_dst_ip LIKE '172.27.%' OR data_dst_ip LIKE '172.28.%' OR data_dst_ip LIKE '172.29.%' OR data_dst_ip LIKE '172.30.%' OR data_dst_ip LIKE '172.31.%' OR data_dst_ip LIKE '192.168.%' OR data_dst_ip LIKE '169.254.%' OR data_dst_ip='::1/128' OR data_dst_ip LIKE 'fe8%' OR data_dst_ip LIKE 'fe9%' OR data_dst_ip LIKE 'fea%'

Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_dst_hostname LIKE '%tunnel.us.ngrok.com%' OR data_dst_hostname LIKE '%tunnel.eu.ngrok.com%' OR data_dst_hostname LIKE '%tunnel.ap.ngrok.com%' OR data_dst_hostname LIKE '%tunnel.au.ngrok.com%' OR data_dst_hostname LIKE '%tunnel.sa.ngrok.com%' OR data_dst_hostname LIKE '%tunnel.jp.ngrok.com%' OR data_dst_hostname LIKE '%tunnel.in.ngrok.com%'
```


In [23]:
df_res

Unnamed: 0,rule,empty,errors,hits
0,net_connection_lnx_crypto_mining_indicators.yml,True,False,0
1,net_connection_lnx_back_connect_shell_dev.yml,True,False,0
2,net_connection_lnx_domain_localtonet_tunnel.yml,False,True,0
3,net_connection_lnx_susp_malware_callback_port.yml,False,True,0
4,net_connection_lnx_ngrok_tunnel.yml,True,False,0


In [24]:
df_stats

In [25]:
rulesdir = os.environ["HOME"] + "/tmp/sigma/rules/linux/file_event"
(df_res3, df_stats3) = convert_rulesdir(
    openobserve_prov, rulesdir, pipeline_f, table_name, stats=True
)

=> Processing rule file file_event_lnx_susp_shell_script_under_profile_directory.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_path LIKE '%/etc/profile.d/%' AND (data_path LIKE '%.csh' OR data_path LIKE '%.sh')
```
=> Processing rule file file_event_lnx_wget_download_file_in_tmp_dir.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/wget' AND (data_path LIKE '/tmp/%' OR data_path LIKE '/var/tmp/%')
```
=> Processing rule file file_event_lnx_triple_cross_rootkit_persistence.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_path LIKE '%ebpfbackdoor'
```
=> Processing rule file file_event_lnx_persistence_sudoers_files.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_path LIKE '/etc/sudoers.d/%'
```
=> Processing rule file file_event_lnx_doas_conf_creation.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_path LIKE '%/etc/doas.conf'
```
=> Processing rule file file_event_lnx_triple_cross_rootkit_lock_file.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_path='/tmp/rootlog'
```
=> Processing rule file file_event_lnx_persistence_cron_files.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_path LIKE '/etc/cron.d/%' OR data_path LIKE '/etc/cron.daily/%' OR data_path LIKE '/etc/cron.hourly/%' OR data_path LIKE '/etc/cron.monthly/%' OR data_path LIKE '/etc/cron.weekly/%' OR data_path LIKE '/var/spool/cron/crontabs/%') OR (data_path LIKE '%/etc/cron.allow%' OR data_path LIKE '%/etc/cron.deny%' OR data_path LIKE '%/etc/crontab%')
```


In [26]:
df_res3

Unnamed: 0,rule,empty,errors,hits
0,file_event_lnx_susp_shell_script_under_profile...,False,False,271
1,file_event_lnx_wget_download_file_in_tmp_dir.yml,True,False,0
2,file_event_lnx_triple_cross_rootkit_persistenc...,True,False,0
3,file_event_lnx_persistence_sudoers_files.yml,False,False,1000
4,file_event_lnx_doas_conf_creation.yml,True,False,0
5,file_event_lnx_triple_cross_rootkit_lock_file.yml,True,False,0
6,file_event_lnx_persistence_cron_files.yml,False,False,800


In [27]:
df_stats3

Unnamed: 0,count_,data_path,info_parent_task_name,info_task_name,rule
0,20,/etc/profile.d/bash_completion.sh,sshd,bash,file_event_lnx_susp_shell_script_under_profile...
1,19,/etc/profile.d/01-locale-fix.sh,sshd,bash,file_event_lnx_susp_shell_script_under_profile...
2,18,/etc/profile.d/gawk.sh,sshd,bash,file_event_lnx_susp_shell_script_under_profile...
3,17,/etc/profile.d/npm.sh,sshd,bash,file_event_lnx_susp_shell_script_under_profile...
4,17,/etc/profile.d/Z99-cloud-locale-test.sh,sshd,bash,file_event_lnx_susp_shell_script_under_profile...
0,2070,/etc/sudoers.d/README,sh,sudo,file_event_lnx_persistence_sudoers_files.yml
1,1620,/etc/sudoers.d/aide-unprivileged,sh,sudo,file_event_lnx_persistence_sudoers_files.yml
2,1620,/etc/sudoers.d/zfs,sh,sudo,file_event_lnx_persistence_sudoers_files.yml
3,1619,/etc/sudoers.d/backup_lab,sh,sudo,file_event_lnx_persistence_sudoers_files.yml
4,1619,/etc/sudoers.d/90-cloud-init-users,sh,sudo,file_event_lnx_persistence_sudoers_files.yml


In [28]:
rulesdir = os.environ["HOME"] + "/tmp/sigma/rules/linux/process_creation"
(df_res2, df_stats2) = convert_rulesdir(
    openobserve_prov, rulesdir, pipeline_f, table_name, stats=True
)

=> Processing rule file proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/grep' AND (data_command_line LIKE '%apached%' OR data_command_line LIKE '%frpc%' OR data_command_line LIKE '%sshd.sh%' OR data_command_line LIKE '%zone.arm%')
```
=> Processing rule file proc_creation_lnx_touch_susp.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/touch' AND data_command_line LIKE '% -t %' AND data_command_line LIKE '%.service'
```
=> Processing rule file proc_creation_lnx_file_and_directory_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/file' AND regexp_like(data_command_line, '(.){200,}', 'i')) OR (data_exe_path LIKE '%/ls' AND data_command_line LIKE '%-R%') OR data_exe_path LIKE '%/find' OR data_exe_path LIKE '%/tree' OR data_exe_path LIKE '%/findmnt' OR data_exe_path LIKE '%/mlocate'
```
=> Processing rule file proc_creation_lnx_ssm_agent_abuse.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/amazon-ssm-agent' AND (data_command_line LIKE '%-register %' AND data_command_line LIKE '%-code %' AND data_command_line LIKE '%-id %' AND data_command_line LIKE '%-region %')
```
=> Processing rule file proc_creation_lnx_base64_shebang_cli.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_command_line LIKE '%IyEvYmluL2Jhc2%' OR data_command_line LIKE '%IyEvYmluL2Rhc2%' OR data_command_line LIKE '%IyEvYmluL3pza%' OR data_command_line LIKE '%IyEvYmluL2Zpc2%' OR data_command_line LIKE '%IyEvYmluL3No%'
```
=> Processing rule file proc_creation_lnx_sudo_cve_2019_14287.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_command_line LIKE '% -u#%'
```
=> Processing rule file proc_creation_lnx_services_stop_and_disable.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/service' OR data_exe_path LIKE '%/systemctl' OR data_exe_path LIKE '%/chkconfig') AND (data_command_line LIKE '%stop%' OR data_command_line LIKE '%disable%')
```
=> Processing rule file proc_creation_lnx_disable_ufw.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_command_line LIKE '%-ufw-init%' AND data_command_line LIKE '%force-stop%') OR (data_command_line LIKE '%ufw%' AND data_command_line LIKE '%disable%')
```
=> Processing rule file proc_creation_lnx_nice_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/nice' AND (data_command_line LIKE '%/bin/bash' OR data_command_line LIKE '%/bin/dash' OR data_command_line LIKE '%/bin/fish' OR data_command_line LIKE '%/bin/sh' OR data_command_line LIKE '%/bin/zsh')
```
=> Processing rule file proc_creation_lnx_susp_chmod_directories.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/chmod' AND (data_command_line LIKE '%/tmp/%' OR data_command_line LIKE '%/.Library/%' OR data_command_line LIKE '%/etc/%' OR data_command_line LIKE '%/opt/%')
```
=> Processing rule file proc_creation_lnx_capa_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/getcap' AND (data_command_line LIKE '% -r %' OR data_command_line LIKE '% /r %' OR data_command_line LIKE '% –r %' OR data_command_line LIKE '% —r %' OR data_command_line LIKE '% ―r %')
```
=> Processing rule file proc_creation_lnx_install_root_certificate.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/update-ca-certificates' OR data_exe_path LIKE '%/update-ca-trust'
```
=> Processing rule file proc_creation_lnx_susp_execution_tmp_folder.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '/tmp/%'
```
=> Processing rule file proc_creation_lnx_schedule_task_job_cron.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%crontab' AND data_command_line LIKE '%/tmp/%'
```
=> Processing rule file proc_creation_lnx_susp_history_recon.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/cat' OR data_exe_path LIKE '%/head' OR data_exe_path LIKE '%/tail' OR data_exe_path LIKE '%/more') AND ((data_command_line LIKE '%/.bash_history%' OR data_command_line LIKE '%/.zsh_history%') OR (data_command_line LIKE '%_history' OR data_command_line LIKE '%.history' OR data_command_line LIKE '%zhistory'))
```
=> Processing rule file proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_ancestors LIKE '%/TeamViewer_Service' AND data_exe_path LIKE '%/TeamViewer_Desktop' AND data_command_line LIKE '%/TeamViewer_Desktop --IPCport 5939 --Module 1'
```
=> Processing rule file proc_creation_lnx_cat_sudoers.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/cat' OR data_exe_path LIKE '%grep' OR data_exe_path LIKE '%/head' OR data_exe_path LIKE '%/tail' OR data_exe_path LIKE '%/more') AND data_command_line LIKE '% /etc/sudoers%'
```
=> Processing rule file proc_creation_lnx_susp_history_delete.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/rm' OR data_exe_path LIKE '%/unlink' OR data_exe_path LIKE '%/shred') AND ((data_command_line LIKE '%/.bash_history%' OR data_command_line LIKE '%/.zsh_history%') OR (data_command_line LIKE '%_history' OR data_command_line LIKE '%.history' OR data_command_line LIKE '%zhistory'))
```
=> Processing rule file proc_creation_lnx_curl_usage.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/curl'
```
=> Processing rule file proc_creation_lnx_susp_hktl_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/crackmapexec' OR data_exe_path LIKE '%/havoc' OR data_exe_path LIKE '%/merlin-agent' OR data_exe_path LIKE '%/merlinServer-Linux-x64' OR data_exe_path LIKE '%/msfconsole' OR data_exe_path LIKE '%/msfvenom' OR data_exe_path LIKE '%/ps-empire server' OR data_exe_path LIKE '%/ps-empire' OR data_exe_path LIKE '%/sliver-client' OR data_exe_path LIKE '%/sliver-server' OR data_exe_path LIKE '%/Villain.py') OR (data_exe_path LIKE '%/cobaltstrike%' OR data_exe_path LIKE '%/teamserver%') OR (data_exe_path LIKE '%/autorecon' OR data_exe_path LIKE '%/httpx' OR data_exe_path LIKE '%/legion' OR data_exe_path LIKE '%/naabu' OR data_exe_path LIKE '%/netdiscover' OR data_exe_path LIKE '%/nuclei' OR data_exe_path LIKE '%/recon-ng') OR data_exe_path LIKE '%/sniper%' OR (data_exe_path LIKE '%/dirb' OR data_exe_path LIKE '%/dirbuster' OR data_exe_path LIKE '%/eyewitness' OR data_exe_path LIKE '%/feroxbuster' OR data_exe_path LIKE '%/ffuf' OR data_exe_pa

Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/wget' AND (regexp_like(data_command_line, '\s-O\s', 'i') OR data_command_line LIKE '%--output-document%') AND data_command_line LIKE '%/tmp/%'
```
=> Processing rule file proc_creation_lnx_usermod_susp_group.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/usermod' AND (data_command_line LIKE '%-aG root%' OR data_command_line LIKE '%-aG sudoers%')
```
=> Processing rule file proc_creation_lnx_netcat_reverse_shell.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/nc' OR data_exe_path LIKE '%/ncat') AND (data_command_line LIKE '% -c %' OR data_command_line LIKE '% -e %') AND (data_command_line LIKE '% ash%' OR data_command_line LIKE '% bash%' OR data_command_line LIKE '% bsh%' OR data_command_line LIKE '% csh%' OR data_command_line LIKE '% ksh%' OR data_command_line LIKE '% pdksh%' OR data_command_line LIKE '% sh%' OR data_command_line LIKE '% tcsh%' OR data_command_line LIKE '%/bin/ash%' OR data_command_line LIKE '%/bin/bash%' OR data_command_line LIKE '%/bin/bsh%' OR data_command_line LIKE '%/bin/csh%' OR data_command_line LIKE '%/bin/ksh%' OR data_command_line LIKE '%/bin/pdksh%' OR data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%/bin/tcsh%' OR data_command_line LIKE '%/bin/zsh%' OR data_command_line LIKE '%$IFSash%' OR data_command_line LIKE '%$IFSbash%' OR data_command_line LIKE '%$IFSbsh%' OR data_command_line LIKE '%$IFScsh%' OR data_command_line LIKE '%$IFSksh%' OR data

Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/dd' AND (data_command_line LIKE '%of=%' AND data_command_line LIKE '%/proc/%' AND data_command_line LIKE '%/mem%')
```
=> Processing rule file proc_creation_lnx_proxy_connection.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_command_line LIKE '%http_proxy=%' OR data_command_line LIKE '%https_proxy=%'
```
=> Processing rule file proc_creation_lnx_webshell_detection.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_ancestors LIKE '%/httpd' OR data_ancestors LIKE '%/lighttpd' OR data_ancestors LIKE '%/nginx' OR data_ancestors LIKE '%/apache2' OR data_ancestors LIKE '%/node' OR data_ancestors LIKE '%/caddy') OR (ParentCommandLine LIKE '%/bin/java%' AND ParentCommandLine LIKE '%tomcat%') OR (ParentCommandLine LIKE '%/bin/java%' AND ParentCommandLine LIKE '%websphere%')) AND (data_exe_path LIKE '%/whoami' OR data_exe_path LIKE '%/ifconfig' OR data_exe_path LIKE '%/ip' OR data_exe_path LIKE '%/bin/uname' OR data_exe_path LIKE '%/bin/cat' OR data_exe_path LIKE '%/bin/crontab' OR data_exe_path LIKE '%/hostname' OR data_exe_path LIKE '%/iptables' OR data_exe_path LIKE '%/netstat' OR data_exe_path LIKE '%/pwd' OR data_exe_path LIKE '%/route')
```
=> Processing rule file proc_creation_lnx_capsh_shell_invocation.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/capsh' AND data_command_line LIKE '% --'
```
=> Processing rule file proc_creation_lnx_xterm_reverse_shell.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%xterm%' AND data_command_line LIKE '%-display%' AND data_command_line LIKE '%:1'
```
=> Processing rule file proc_creation_lnx_esxcli_syslog_config_change.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/esxcli' AND (data_command_line LIKE '%system%' AND data_command_line LIKE '%syslog%' AND data_command_line LIKE '%config%') AND data_command_line LIKE '% set%'
```
=> Processing rule file proc_creation_lnx_gcc_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_exe_path LIKE '%/c89' OR data_exe_path LIKE '%/c99' OR data_exe_path LIKE '%/gcc') AND data_command_line LIKE '%-wrapper%') AND (data_command_line LIKE '%/bin/bash,-s%' OR data_command_line LIKE '%/bin/dash,-s%' OR data_command_line LIKE '%/bin/fish,-s%' OR data_command_line LIKE '%/bin/sh,-s%' OR data_command_line LIKE '%/bin/zsh,-s%')
```
=> Processing rule file proc_creation_lnx_ruby_reverse_shell.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%ruby%' AND (data_command_line LIKE '% -e%' AND data_command_line LIKE '%rsocket%' AND data_command_line LIKE '%TCPSocket%') AND (data_command_line LIKE '% ash%' OR data_command_line LIKE '% bash%' OR data_command_line LIKE '% bsh%' OR data_command_line LIKE '% csh%' OR data_command_line LIKE '% ksh%' OR data_command_line LIKE '% pdksh%' OR data_command_line LIKE '% sh%' OR data_command_line LIKE '% tcsh%')
```
=> Processing rule file proc_creation_lnx_clear_logs.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/rm' OR data_exe_path LIKE '%/shred' OR data_exe_path LIKE '%/unlink') AND (data_command_line LIKE '%/var/log%' OR data_command_line LIKE '%/var/spool/mail%')
```
=> Processing rule file proc_creation_lnx_python_pty_spawn.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_exe_path LIKE '%/python' OR data_exe_path LIKE '%/python2' OR data_exe_path LIKE '%/python3') OR (data_exe_path LIKE '%/python2.%' OR data_exe_path LIKE '%/python3.%')) AND (data_command_line LIKE '%import pty%' OR data_command_line LIKE '%from pty %') AND data_command_line LIKE '%spawn%'
```
=> Processing rule file proc_creation_lnx_esxcli_storage_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/esxcli' AND data_command_line LIKE '%storage%') AND (data_command_line LIKE '% get%' OR data_command_line LIKE '% list%')
```
=> Processing rule file proc_creation_lnx_install_suspicioua_packages.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (((data_exe_path LIKE '%/apt' OR data_exe_path LIKE '%/apt-get') AND data_command_line LIKE '%install%') OR (data_exe_path LIKE '%/yum' AND (data_command_line LIKE '%localinstall%' OR data_command_line LIKE '%install%')) OR (data_exe_path LIKE '%/rpm' AND data_command_line LIKE '%-i%') OR (data_exe_path LIKE '%/dpkg' AND (data_command_line LIKE '%--install%' OR data_command_line LIKE '%-i%'))) AND (data_command_line LIKE '%nmap%' OR data_command_line LIKE '% nc%' OR data_command_line LIKE '%netcat%' OR data_command_line LIKE '%wireshark%' OR data_command_line LIKE '%tshark%' OR data_command_line LIKE '%openconnect%' OR data_command_line LIKE '%proxychains%')
```
=> Processing rule file proc_creation_lnx_userdel.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/userdel'
```
=> Processing rule file proc_creation_lnx_rsync_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_exe_path LIKE '%/rsync' OR data_exe_path LIKE '%/rsyncd') AND data_command_line LIKE '% -e %') AND (data_command_line LIKE '%/ash %' OR data_command_line LIKE '%/bash %' OR data_command_line LIKE '%/dash %' OR data_command_line LIKE '%/csh %' OR data_command_line LIKE '%/sh %' OR data_command_line LIKE '%/zsh %' OR data_command_line LIKE '%/tcsh %' OR data_command_line LIKE '%/ksh %' OR data_command_line LIKE '%''ash %' OR data_command_line LIKE '%''bash %' OR data_command_line LIKE '%''dash %' OR data_command_line LIKE '%''csh %' OR data_command_line LIKE '%''sh %' OR data_command_line LIKE '%''zsh %' OR data_command_line LIKE '%''tcsh %' OR data_command_line LIKE '%''ksh %')
```
=> Processing rule file proc_creation_lnx_susp_inod_listing.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/ls' AND (data_command_line LIKE '% -%i%' AND data_command_line LIKE '% -%d%') AND data_command_line LIKE '% /'
```
=> Processing rule file proc_creation_lnx_python_shell_os_system.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_exe_path LIKE '%/python' OR data_exe_path LIKE '%/python2' OR data_exe_path LIKE '%/python3') OR (data_exe_path LIKE '%/python2.%' OR data_exe_path LIKE '%/python3.%')) AND ((data_command_line LIKE '% -c %' AND data_command_line LIKE '%os.system(%') AND (data_command_line LIKE '%/bin/bash%' OR data_command_line LIKE '%/bin/dash%' OR data_command_line LIKE '%/bin/fish%' OR data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%/bin/zsh%'))
```
=> Processing rule file proc_creation_lnx_find_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/find' AND (data_command_line LIKE '% . %' AND data_command_line LIKE '%-exec%')) AND (data_command_line LIKE '%/bin/bash%' OR data_command_line LIKE '%/bin/dash%' OR data_command_line LIKE '%/bin/fish%' OR data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%/bin/zsh%')
```
=> Processing rule file proc_creation_lnx_pnscan_binary_cli_pattern.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE regexp_like(data_command_line, '-(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')', 'i')
```
=> Processing rule file proc_creation_lnx_dd_file_overwrite.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path='/bin/dd' OR data_exe_path='/usr/bin/dd') AND data_command_line LIKE '%of=%' AND (data_command_line LIKE '%if=/dev/zero%' OR data_command_line LIKE '%if=/dev/null%')
```
=> Processing rule file proc_creation_lnx_crypto_mining.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_command_line LIKE '% --cpu-priority=%' OR data_command_line LIKE '%--donate-level=0%' OR data_command_line LIKE '% -o pool.%' OR data_command_line LIKE '% --nicehash%' OR data_command_line LIKE '% --algo=rx/0 %' OR data_command_line LIKE '%stratum+tcp://%' OR data_command_line LIKE '%stratum+udp://%' OR data_command_line LIKE '%sh -c /sbin/modprobe msr allow_writes=on%' OR data_command_line LIKE '%LS1kb25hdGUtbGV2ZWw9%' OR data_command_line LIKE '%0tZG9uYXRlLWxldmVsP%' OR data_command_line LIKE '%tLWRvbmF0ZS1sZXZlbD%' OR data_command_line LIKE '%c3RyYXR1bSt0Y3A6Ly%' OR data_command_line LIKE '%N0cmF0dW0rdGNwOi8v%' OR data_command_line LIKE '%zdHJhdHVtK3RjcDovL%' OR data_command_line LIKE '%c3RyYXR1bSt1ZHA6Ly%' OR data_command_line LIKE '%N0cmF0dW0rdWRwOi8v%' OR data_command_line LIKE '%zdHJhdHVtK3VkcDovL%'
```
=> Processing rule file proc_creation_lnx_esxcli_user_account_creation.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/esxcli' AND (data_command_line LIKE '%system %' AND data_command_line LIKE '%account %' AND data_command_line LIKE '%add %')
```
=> Processing rule file proc_creation_lnx_clear_syslog.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_command_line LIKE '%rm /var/log/syslog%' OR data_command_line LIKE '%rm -r /var/log/syslog%' OR data_command_line LIKE '%rm -f /var/log/syslog%' OR data_command_line LIKE '%rm -rf /var/log/syslog%' OR data_command_line LIKE '%unlink /var/log/syslog%' OR data_command_line LIKE '%unlink -r /var/log/syslog%' OR data_command_line LIKE '%unlink -f /var/log/syslog%' OR data_command_line LIKE '%unlink -rf /var/log/syslog%' OR data_command_line LIKE '%mv /var/log/syslog%' OR data_command_line LIKE '% >/var/log/syslog%' OR data_command_line LIKE '% > /var/log/syslog%'
```
=> Processing rule file proc_creation_lnx_bash_interactive_shell.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/bash' AND data_command_line LIKE '% -i %'
```
=> Processing rule file proc_creation_lnx_vim_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_exe_path LIKE '%/rvim' OR data_exe_path LIKE '%/vim' OR data_exe_path LIKE '%/vimdiff') AND (data_command_line LIKE '% --cmd%' OR data_command_line LIKE '% -c %')) AND (data_command_line LIKE '%:!/%' OR data_command_line LIKE '%:lua %' OR data_command_line LIKE '%:py %' OR data_command_line LIKE '%/bin/bash%' OR data_command_line LIKE '%/bin/dash%' OR data_command_line LIKE '%/bin/fish%' OR data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%/bin/zsh%')
```
=> Processing rule file proc_creation_lnx_file_deletion.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/rm' OR data_exe_path LIKE '%/shred' OR data_exe_path LIKE '%/unlink'
```
=> Processing rule file proc_creation_lnx_at_command.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/at' OR data_exe_path LIKE '%/atd'
```
=> Processing rule file proc_creation_lnx_groupdel.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/groupdel'
```
=> Processing rule file proc_creation_lnx_nohup.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/nohup'
```
=> Processing rule file proc_creation_lnx_grep_os_arch_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/grep' AND (data_command_line LIKE '%aarch64' OR data_command_line LIKE '%arm' OR data_command_line LIKE '%i386' OR data_command_line LIKE '%i686' OR data_command_line LIKE '%mips' OR data_command_line LIKE '%x86_64')
```
=> Processing rule file proc_creation_lnx_flock_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/flock' AND data_command_line LIKE '% -u %') AND (data_command_line LIKE '%/bin/bash%' OR data_command_line LIKE '%/bin/dash%' OR data_command_line LIKE '%/bin/fish%' OR data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%/bin/zsh%')
```
=> Processing rule file proc_creation_lnx_esxcli_network_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/esxcli' AND data_command_line LIKE '%network%') AND (data_command_line LIKE '% get%' OR data_command_line LIKE '% list%')
```
=> Processing rule file proc_creation_lnx_susp_curl_fileupload.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/curl' AND ((data_command_line LIKE '% --form%' OR data_command_line LIKE '% --upload-file %' OR data_command_line LIKE '% --data %' OR data_command_line LIKE '% --data-%') OR regexp_like(data_command_line, '\s-[FTd]\s', 'i'))) AND (NOT (data_command_line LIKE '%://localhost%' OR data_command_line LIKE '%://127.0.0.1%'))
```
=> Processing rule file proc_creation_lnx_bpftrace_unsafe_option_usage.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%bpftrace' AND data_command_line LIKE '%--unsafe%'
```
=> Processing rule file proc_creation_lnx_susp_dockerenv_recon.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/cat' OR data_exe_path LIKE '%/dir' OR data_exe_path LIKE '%/find' OR data_exe_path LIKE '%/ls' OR data_exe_path LIKE '%/stat' OR data_exe_path LIKE '%/test' OR data_exe_path LIKE '%grep') AND data_command_line LIKE '%.dockerenv'
```
=> Processing rule file proc_creation_lnx_system_info_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/uname' OR data_exe_path LIKE '%/hostname' OR data_exe_path LIKE '%/uptime' OR data_exe_path LIKE '%/lspci' OR data_exe_path LIKE '%/dmidecode' OR data_exe_path LIKE '%/lscpu' OR data_exe_path LIKE '%/lsmod'
```
=> Processing rule file proc_creation_lnx_security_software_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/grep' OR data_exe_path LIKE '%/egrep') AND (data_command_line LIKE '%nessusd%' OR data_command_line LIKE '%td-agent%' OR data_command_line LIKE '%packetbeat%' OR data_command_line LIKE '%filebeat%' OR data_command_line LIKE '%auditbeat%' OR data_command_line LIKE '%osqueryd%' OR data_command_line LIKE '%cbagentd%' OR data_command_line LIKE '%falcond%')
```
=> Processing rule file proc_creation_lnx_mkfifo_named_pipe_creation.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/mkfifo'
```
=> Processing rule file proc_creation_lnx_python_reverse_shell.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%python%' AND (data_command_line LIKE '% -c %' AND data_command_line LIKE '%import%' AND data_command_line LIKE '%pty%' AND data_command_line LIKE '%socket%' AND data_command_line LIKE '%spawn%' AND data_command_line LIKE '%.connect%')
```
=> Processing rule file proc_creation_lnx_susp_container_residence_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%awk' OR data_exe_path LIKE '%/cat' OR data_exe_path LIKE '%grep' OR data_exe_path LIKE '%/head' OR data_exe_path LIKE '%/less' OR data_exe_path LIKE '%/more' OR data_exe_path LIKE '%/nl' OR data_exe_path LIKE '%/tail') AND (data_command_line LIKE '%/proc/2/%' OR (data_command_line LIKE '%/proc/%' AND (data_command_line LIKE '%/cgroup' OR data_command_line LIKE '%/sched')))
```
=> Processing rule file proc_creation_lnx_base64_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_command_line LIKE '%base64 %' AND ((data_command_line LIKE '%| bash %' OR data_command_line LIKE '%| sh %' OR data_command_line LIKE '%|bash %' OR data_command_line LIKE '%|sh %') OR (data_command_line LIKE '% |sh' OR data_command_line LIKE '%| bash' OR data_command_line LIKE '%| sh' OR data_command_line LIKE '%|bash'))
```
=> Processing rule file proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/bash' OR data_exe_path LIKE '%/csh' OR data_exe_path LIKE '%/dash' OR data_exe_path LIKE '%/fish' OR data_exe_path LIKE '%/ksh' OR data_exe_path LIKE '%/sh' OR data_exe_path LIKE '%/zsh') AND data_command_line LIKE '% -c %' AND data_command_line LIKE '%/tmp/%'
```
=> Processing rule file proc_creation_lnx_bpf_kprob_tracing_enabled.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_command_line LIKE '%echo 1 >%' AND data_command_line LIKE '%/sys/kernel/debug/tracing/events/kprobes/%') AND (data_command_line LIKE '%/myprobe/enable%' OR data_command_line LIKE '%/myretprobe/enable%')
```
=> Processing rule file proc_creation_lnx_esxcli_system_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/esxcli' AND data_command_line LIKE '%system%') AND (data_command_line LIKE '% get%' OR data_command_line LIKE '% list%')
```
=> Processing rule file proc_creation_lnx_nohup_susp_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/nohup' AND data_command_line LIKE '%/tmp/%'
```
=> Processing rule file proc_creation_lnx_system_network_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/firewall-cmd' OR data_exe_path LIKE '%/ufw' OR data_exe_path LIKE '%/iptables' OR data_exe_path LIKE '%/netstat' OR data_exe_path LIKE '%/ss' OR data_exe_path LIKE '%/ip' OR data_exe_path LIKE '%/ifconfig' OR data_exe_path LIKE '%/systemd-resolve' OR data_exe_path LIKE '%/route') OR data_command_line LIKE '%/etc/resolv.conf%'
```
=> Processing rule file proc_creation_lnx_base64_decode.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/base64' AND data_command_line LIKE '%-d%'
```
=> Processing rule file proc_creation_lnx_esxcli_vm_kill.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/esxcli' AND (data_command_line LIKE '%vm process%' AND data_command_line LIKE '%kill%')
```
=> Processing rule file proc_creation_lnx_env_shell_invocation.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/env' AND (data_command_line LIKE '%/bin/bash' OR data_command_line LIKE '%/bin/dash' OR data_command_line LIKE '%/bin/fish' OR data_command_line LIKE '%/bin/sh' OR data_command_line LIKE '%/bin/zsh')
```
=> Processing rule file proc_creation_lnx_perl_reverse_shell.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/perl' AND data_command_line LIKE '% -e %') AND ((data_command_line LIKE '%fdopen(%' AND data_command_line LIKE '%::Socket::INET%') OR (data_command_line LIKE '%Socket%' AND data_command_line LIKE '%connect%' AND data_command_line LIKE '%open%' AND data_command_line LIKE '%exec%'))
```
=> Processing rule file proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/sudo' AND data_command_line LIKE '%execve_hijack%'
```
=> Processing rule file proc_creation_lnx_apt_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/apt' OR data_exe_path LIKE '%/apt-get') AND data_command_line LIKE '%APT::Update::Pre-Invoke::=%'
```
=> Processing rule file proc_creation_lnx_esxcli_permission_change_admin.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/esxcli' AND data_command_line LIKE '%system%' AND (data_command_line LIKE '% permission %' AND data_command_line LIKE '% set%' AND data_command_line LIKE '%Admin%')
```
=> Processing rule file proc_creation_lnx_crontab_enumeration.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/crontab' AND data_command_line LIKE '% -l%'
```
=> Processing rule file proc_creation_lnx_setgid_setuid.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_command_line LIKE '%chown root%' AND (data_command_line LIKE '% chmod u+s%' OR data_command_line LIKE '% chmod g+s%')
```
=> Processing rule file proc_creation_lnx_susp_git_clone.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/git' AND data_command_line LIKE '% clone %') AND (data_command_line LIKE '%exploit%' OR data_command_line LIKE '%Vulns%' OR data_command_line LIKE '%vulnerability%' OR data_command_line LIKE '%RCE%' OR data_command_line LIKE '%RemoteCodeExecution%' OR data_command_line LIKE '%Invoke-%' OR data_command_line LIKE '%CVE-%' OR data_command_line LIKE '%poc-%' OR data_command_line LIKE '%ProofOfConcept%' OR data_command_line LIKE '%proxyshell%' OR data_command_line LIKE '%log4shell%' OR data_command_line LIKE '%eternalblue%' OR data_command_line LIKE '%eternal-blue%' OR data_command_line LIKE '%MS17-%')
```
=> Processing rule file proc_creation_lnx_awk_shell_spawn.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_exe_path LIKE '%/awk' OR data_exe_path LIKE '%/gawk' OR data_exe_path LIKE '%/mawk' OR data_exe_path LIKE '%/nawk') AND data_command_line LIKE '%BEGIN {system%') AND (data_command_line LIKE '%/bin/bash%' OR data_command_line LIKE '%/bin/dash%' OR data_command_line LIKE '%/bin/fish%' OR data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%/bin/zsh%')
```
=> Processing rule file proc_creation_lnx_susp_interactive_bash.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ParentCommandLine='bash -i' AND ((data_command_line LIKE '%-c import %' OR data_command_line LIKE '%base64%' OR data_command_line LIKE '%pty.spawn%') OR (data_exe_path LIKE '%whoami' OR data_exe_path LIKE '%iptables' OR data_exe_path LIKE '%/ncat' OR data_exe_path LIKE '%/nc' OR data_exe_path LIKE '%/netcat'))
```
=> Processing rule file proc_creation_lnx_susp_pipe_shell.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_command_line LIKE 'sh -c %' OR data_command_line LIKE 'bash -c %') AND ((data_command_line LIKE '%| bash %' OR data_command_line LIKE '%| sh %' OR data_command_line LIKE '%|bash %' OR data_command_line LIKE '%|sh %') OR (data_command_line LIKE '%| bash' OR data_command_line LIKE '%| sh' OR data_command_line LIKE '%|bash' OR data_command_line LIKE '% |sh'))
```
=> Processing rule file proc_creation_lnx_ssh_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/ssh' AND (data_command_line LIKE '%ProxyCommand=;%' OR data_command_line LIKE '%permitlocalcommand=yes%' OR data_command_line LIKE '%localhost%')) AND (data_command_line LIKE '%/bin/bash%' OR data_command_line LIKE '%/bin/dash%' OR data_command_line LIKE '%/bin/fish%' OR data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%/bin/zsh%' OR data_command_line LIKE '%sh 0<&2 1>&2%' OR data_command_line LIKE '%sh 1>&2 0<&2%')
```
=> Processing rule file proc_creation_lnx_susp_find_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/find' AND (data_command_line LIKE '%-perm -4000%' OR data_command_line LIKE '%-perm -2000%' OR data_command_line LIKE '%-perm 0777%' OR data_command_line LIKE '%-perm -222%' OR data_command_line LIKE '%-perm -o w%' OR data_command_line LIKE '%-perm -o x%' OR data_command_line LIKE '%-perm -u=s%' OR data_command_line LIKE '%-perm -g=s%')
```
=> Processing rule file proc_creation_lnx_iptables_flush_ufw.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/iptables' OR data_exe_path LIKE '%/xtables-legacy-multi' OR data_exe_path LIKE '%/iptables-legacy-multi' OR data_exe_path LIKE '%/ip6tables' OR data_exe_path LIKE '%/ip6tables-legacy-multi') AND (data_command_line LIKE '%-F%' OR data_command_line LIKE '%-Z%' OR data_command_line LIKE '%-X%') AND (data_command_line LIKE '%ufw-logging-deny%' OR data_command_line LIKE '%ufw-logging-allow%' OR data_command_line LIKE '%ufw6-logging-deny%' OR data_command_line LIKE '%ufw6-logging-allow%')
```
=> Processing rule file proc_creation_lnx_susp_curl_useragent.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/curl' AND (data_command_line LIKE '% -A %' OR data_command_line LIKE '% --user-agent %')
```
=> Processing rule file proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/mkfifo' AND data_command_line LIKE '% /tmp/%'
```
=> Processing rule file proc_creation_lnx_mount_hidepid.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/mount' AND (data_command_line LIKE '%hidepid=2%' AND data_command_line LIKE '% -o %')
```
=> Processing rule file proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_ancestors LIKE '/opt/atlassian/confluence/%' AND data_ancestors LIKE '%/java' AND (data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%bash%' OR data_command_line LIKE '%dash%' OR data_command_line LIKE '%ksh%' OR data_command_line LIKE '%zsh%' OR data_command_line LIKE '%csh%' OR data_command_line LIKE '%fish%' OR data_command_line LIKE '%curl%' OR data_command_line LIKE '%wget%' OR data_command_line LIKE '%python%')
```
=> Processing rule file proc_creation_lnx_susp_sensitive_file_access.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (((data_exe_path LIKE '%/cat' OR data_exe_path LIKE '%/echo' OR data_exe_path LIKE '%/grep' OR data_exe_path LIKE '%/head' OR data_exe_path LIKE '%/more' OR data_exe_path LIKE '%/tail') AND data_command_line LIKE '%>%') OR (data_exe_path LIKE '%/emacs' OR data_exe_path LIKE '%/nano' OR data_exe_path LIKE '%/sed' OR data_exe_path LIKE '%/vi' OR data_exe_path LIKE '%/vim')) AND (data_command_line LIKE '%/bin/login%' OR data_command_line LIKE '%/bin/passwd%' OR data_command_line LIKE '%/boot/%' OR data_command_line LIKE '%/etc/%.conf%' OR data_command_line LIKE '%/etc/cron.%' OR data_command_line LIKE '%/etc/crontab%' OR data_command_line LIKE '%/etc/hosts%' OR data_command_line LIKE '%/etc/init.d%' OR data_command_line LIKE '%/etc/sudoers%' OR data_command_line LIKE '%/opt/bin/%' OR data_command_line LIKE '%/sbin%' OR data_command_line LIKE '%/usr/bin/%' OR data_command_line LIKE '%/usr/local/bin/%')
```
=> Processing rule file proc_creation_lnx_esxcli_vm_d

Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/esxcli' AND data_command_line LIKE '%vm process%' AND data_command_line LIKE '% list'
```
=> Processing rule file proc_creation_lnx_susp_recon_indicators.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_command_line LIKE '% -name .htpasswd%' OR data_command_line LIKE '% -perm -4000 %'
```
=> Processing rule file proc_creation_lnx_git_shell_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_ancestors LIKE '%/git' AND (ParentCommandLine LIKE '% -p %' AND ParentCommandLine LIKE '%help%') AND (data_command_line LIKE '%bash 0<&1%' OR data_command_line LIKE '%dash 0<&1%' OR data_command_line LIKE '%sh 0<&1%')
```
=> Processing rule file proc_creation_lnx_cp_passwd_or_shadow_tmp.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/cp' AND data_command_line LIKE '%/tmp/%' AND (data_command_line LIKE '%passwd%' OR data_command_line LIKE '%shadow%')
```
=> Processing rule file proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_ancestors LIKE '/tmp/%' AND (data_exe_path LIKE '%/bash' OR data_exe_path LIKE '%/csh' OR data_exe_path LIKE '%/dash' OR data_exe_path LIKE '%/fish' OR data_exe_path LIKE '%/ksh' OR data_exe_path LIKE '%/sh' OR data_exe_path LIKE '%/zsh')
```
=> Processing rule file proc_creation_lnx_susp_network_utilities_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_exe_path LIKE '%/nc' OR data_exe_path LIKE '%/ncat' OR data_exe_path LIKE '%/netcat' OR data_exe_path LIKE '%/socat') AND (NOT (data_command_line LIKE '% --listen %' OR data_command_line LIKE '% -l %'))) OR (data_exe_path LIKE '%/autorecon' OR data_exe_path LIKE '%/hping' OR data_exe_path LIKE '%/hping2' OR data_exe_path LIKE '%/hping3' OR data_exe_path LIKE '%/naabu' OR data_exe_path LIKE '%/nmap' OR data_exe_path LIKE '%/nping' OR data_exe_path LIKE '%/telnet' OR data_exe_path LIKE '%/zenmap')
```
=> Processing rule file proc_creation_lnx_doas_execution.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/doas'
```
=> Processing rule file proc_creation_lnx_system_network_connections_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/who' OR data_exe_path LIKE '%/w' OR data_exe_path LIKE '%/last' OR data_exe_path LIKE '%/lsof' OR data_exe_path LIKE '%/netstat') AND (NOT (ParentCommandLine LIKE '%/usr/bin/landscape-sysinfo%' AND data_exe_path LIKE '%/who'))
```
=> Processing rule file proc_creation_lnx_omigod_scx_runasprovider_executescript.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE info_task_user='root' AND info_task_uid=0 AND CurrentDirectory='/var/opt/microsoft/scx/tmp' AND data_command_line LIKE '%/etc/opt/microsoft/scx/conf/tmpdir/scx%'
```
=> Processing rule file proc_creation_lnx_triple_cross_rootkit_install.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/sudo' AND (data_command_line LIKE '% tc %' AND data_command_line LIKE '% enp0s3 %') AND (data_command_line LIKE '% qdisc %' OR data_command_line LIKE '% filter %')
```
=> Processing rule file proc_creation_lnx_local_account.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/lastlog' OR data_command_line LIKE '%''x:0:''%' OR ((data_exe_path LIKE '%/cat' OR data_exe_path LIKE '%/ed' OR data_exe_path LIKE '%/head' OR data_exe_path LIKE '%/more' OR data_exe_path LIKE '%/nano' OR data_exe_path LIKE '%/tail' OR data_exe_path LIKE '%/vi' OR data_exe_path LIKE '%/vim' OR data_exe_path LIKE '%/less' OR data_exe_path LIKE '%/emacs' OR data_exe_path LIKE '%/sqlite3' OR data_exe_path LIKE '%/makemap') AND (data_command_line LIKE '%/etc/passwd%' OR data_command_line LIKE '%/etc/shadow%' OR data_command_line LIKE '%/etc/sudoers%' OR data_command_line LIKE '%/etc/spwd.db%' OR data_command_line LIKE '%/etc/pwd.db%' OR data_command_line LIKE '%/etc/master.passwd%')) OR data_exe_path LIKE '%/id' OR (data_exe_path LIKE '%/lsof' AND data_command_line LIKE '%-u%')
```
=> Processing rule file proc_creation_lnx_susp_java_children.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_ancestors LIKE '%/java' AND (data_command_line LIKE '%/bin/sh%' OR data_command_line LIKE '%bash%' OR data_command_line LIKE '%dash%' OR data_command_line LIKE '%ksh%' OR data_command_line LIKE '%zsh%' OR data_command_line LIKE '%csh%' OR data_command_line LIKE '%fish%' OR data_command_line LIKE '%curl%' OR data_command_line LIKE '%wget%' OR data_command_line LIKE '%python%')
```
=> Processing rule file proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_ancestors LIKE '%\bash' AND (data_command_line LIKE '%id -Gn `%' OR data_command_line LIKE '%id -Gn ''%')
```
=> Processing rule file proc_creation_lnx_chattr_immutable_removal.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/chattr' AND data_command_line LIKE '% -i %'
```
=> Processing rule file proc_creation_lnx_remote_system_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/arp' AND data_command_line LIKE '%-a%') OR (data_exe_path LIKE '%/ping' AND (data_command_line LIKE '% 10.%' OR data_command_line LIKE '% 192.168.%' OR data_command_line LIKE '% 172.16.%' OR data_command_line LIKE '% 172.17.%' OR data_command_line LIKE '% 172.18.%' OR data_command_line LIKE '% 172.19.%' OR data_command_line LIKE '% 172.20.%' OR data_command_line LIKE '% 172.21.%' OR data_command_line LIKE '% 172.22.%' OR data_command_line LIKE '% 172.23.%' OR data_command_line LIKE '% 172.24.%' OR data_command_line LIKE '% 172.25.%' OR data_command_line LIKE '% 172.26.%' OR data_command_line LIKE '% 172.27.%' OR data_command_line LIKE '% 172.28.%' OR data_command_line LIKE '% 172.29.%' OR data_command_line LIKE '% 172.30.%' OR data_command_line LIKE '% 172.31.%' OR data_command_line LIKE '% 127.%' OR data_command_line LIKE '% 169.254.%'))
```
=> Processing rule file proc_creation_lnx_rsync_shell_spawn.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE ((data_ancestors LIKE '%/rsync' OR data_ancestors LIKE '%/rsyncd') AND (data_exe_path LIKE '%/ash' OR data_exe_path LIKE '%/bash' OR data_exe_path LIKE '%/csh' OR data_exe_path LIKE '%/dash' OR data_exe_path LIKE '%/ksh' OR data_exe_path LIKE '%/sh' OR data_exe_path LIKE '%/tcsh' OR data_exe_path LIKE '%/zsh')) AND (NOT data_command_line LIKE '% -e %')
```
=> Processing rule file proc_creation_lnx_php_reverse_shell.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/php%' AND (data_command_line LIKE '% -r %' AND data_command_line LIKE '%fsockopen%') AND (data_command_line LIKE '%ash%' OR data_command_line LIKE '%bash%' OR data_command_line LIKE '%bsh%' OR data_command_line LIKE '%csh%' OR data_command_line LIKE '%ksh%' OR data_command_line LIKE '%pdksh%' OR data_command_line LIKE '%sh%' OR data_command_line LIKE '%tcsh%' OR data_command_line LIKE '%zsh%')
```
=> Processing rule file proc_creation_lnx_local_groups.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/groups' OR ((data_exe_path LIKE '%/cat' OR data_exe_path LIKE '%/head' OR data_exe_path LIKE '%/tail' OR data_exe_path LIKE '%/more') AND data_command_line LIKE '%/etc/group%')
```
=> Processing rule file proc_creation_lnx_security_tools_disabling.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/service' AND (data_command_line LIKE '%iptables%' AND data_command_line LIKE '%stop%')) OR (data_exe_path LIKE '%/service' AND (data_command_line LIKE '%ip6tables%' AND data_command_line LIKE '%stop%')) OR (data_exe_path LIKE '%/chkconfig' AND (data_command_line LIKE '%iptables%' AND data_command_line LIKE '%stop%')) OR (data_exe_path LIKE '%/chkconfig' AND (data_command_line LIKE '%ip6tables%' AND data_command_line LIKE '%stop%')) OR (data_exe_path LIKE '%/systemctl' AND (data_command_line LIKE '%firewalld%' AND data_command_line LIKE '%stop%')) OR (data_exe_path LIKE '%/systemctl' AND (data_command_line LIKE '%firewalld%' AND data_command_line LIKE '%disable%')) OR (data_exe_path LIKE '%/service' AND (data_command_line LIKE '%cbdaemon%' AND data_command_line LIKE '%stop%')) OR (data_exe_path LIKE '%/chkconfig' AND (data_command_line LIKE '%cbdaemon%' AND data_command_line LIKE '%off%')) OR (data_exe_path LIKE '%/systemctl' AND (da

Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%crontab' AND data_command_line LIKE '% -r%'
```
=> Processing rule file proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE info_task_user='root' AND info_task_uid=0 AND CurrentDirectory='/var/opt/microsoft/scx/tmp' AND data_command_line LIKE '%/bin/sh%'
```
=> Processing rule file proc_creation_lnx_esxcli_vsan_discovery.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/esxcli' AND data_command_line LIKE '%vsan%') AND (data_command_line LIKE '% get%' OR data_command_line LIKE '% list%')
```
=> Processing rule file proc_creation_lnx_remove_package.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE (data_exe_path LIKE '%/yum' AND (data_command_line LIKE '%erase%' OR data_command_line LIKE '%remove%')) OR ((data_exe_path LIKE '%/apt' OR data_exe_path LIKE '%/apt-get') AND (data_command_line LIKE '%remove%' OR data_command_line LIKE '%purge%')) OR (data_exe_path LIKE '%/dpkg' AND (data_command_line LIKE '%--remove %' OR data_command_line LIKE '% -r %')) OR (data_exe_path LIKE '%/rpm' AND data_command_line LIKE '% -e %')
```
=> Processing rule file proc_creation_lnx_clipboard_collection.yml:


Parsing Sigma rules


```SELECT * FROM "kunai" WHERE data_exe_path LIKE '%xclip%' AND (data_command_line LIKE '%-sel%' AND data_command_line LIKE '%clip%' AND data_command_line LIKE '%-o%')
```


In [29]:
df_res2

Unnamed: 0,rule,empty,errors,hits
0,proc_creation_lnx_malware_gobrat_grep_payload_...,True,False,0
1,proc_creation_lnx_touch_susp.yml,True,False,0
2,proc_creation_lnx_file_and_directory_discovery...,False,False,1000
3,proc_creation_lnx_ssm_agent_abuse.yml,True,False,0
4,proc_creation_lnx_base64_shebang_cli.yml,True,False,0
...,...,...,...,...
108,proc_creation_lnx_crontab_removal.yml,True,False,0
109,proc_creation_lnx_omigod_scx_runasprovider_exe...,False,True,0
110,proc_creation_lnx_esxcli_vsan_discovery.yml,True,False,0
111,proc_creation_lnx_remove_package.yml,False,False,101


In [30]:
df_stats2

Unnamed: 0,count_,data_command_line,data_exe_path,info_parent_task_name,info_task_name,rule
0,624,find /usr/lib/php -mindepth 1 -maxdepth 1 -reg...,/usr/bin/find,phpquery,find,proc_creation_lnx_file_and_directory_discovery...
1,576,find /var/log/zeek -type d -regex .*/[0-9][0-9...,/usr/bin/find,bash,find,proc_creation_lnx_file_and_directory_discovery...
2,575,find /var/log/zeek -type f -regex .*/[0-9][0-9...,/usr/bin/find,bash,find,proc_creation_lnx_file_and_directory_discovery...
3,528,find -O3 /var/lib/php/sessions/ -ignore_readdi...,/usr/bin/find,sessionclean,find,proc_creation_lnx_file_and_directory_discovery...
4,192,find /proc/231/fd -ignore_readdir_race -lname ...,/usr/bin/find,sessionclean,find,proc_creation_lnx_file_and_directory_discovery...
...,...,...,...,...,...,...
4,27,id -u,/usr/bin/id,update-motd-fsc,id,proc_creation_lnx_local_account.yml
0,2,chattr -R -i /lib /etc/init.d /boot,/usr/bin/chattr,sh,chattr,proc_creation_lnx_chattr_immutable_removal.yml
0,45,apt remove libssl1.0.0,/usr/bin/apt,bash,apt,proc_creation_lnx_remove_package.yml
1,42,apt remove libssl1.1,/usr/bin/apt,bash,apt,proc_creation_lnx_remove_package.yml


## Sigma rule to alerts

In [None]:
# for all rules with no results on given timeperiod, let's put alert
# `sigma convert -t openobserve -f o2alert -p ../pySigma-backend-openobserve/sigma/pipelines/openobserve/kunai.yml ../sigma/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml`
# replace <TABLE_NAME>, '<alert-owner-TBD>

In [None]:
# SELECT * FROM "kunai" WHERE data_exe_path LIKE '%/doas'
res_to_alerts = [
    "/home/user/tmp/sigma/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
]
# res_to_alerts = ['/home/user/tmp/sigma/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml']

In [None]:
# FIXME! backend issue on alert importing
#   'Return 400. Text: Json deserialize error: Failed to decode at <EOF>
for rule_f in res_to_alerts:
    convert_rule2alert(
        OO, rule_f, pipeline_f, "kunai", "root@example.com", "alert-destination-email"
    )

## References

- [OpenObserve REST API](https://openobserve.ai/docs/api/)
- [Unofficial python-openobserve module](https://github.com/JustinGuese/python-openobserve) with some customizations and enhancements (>=0.2)
- Openobserve github discussions: https://github.com/openobserve/openobserve/discussions/