
Elastic detections for Linux auditd

Sigma rule outputs from CloudSigma rendered into Elastic queries against the Linux auditd schema. Every rule is mapped to MITRE ATT&CK and validated against its dialect.

01 Coverage at a glance

3 production rules · 3 ATT&CK techniques · 3 ATT&CK tactics · Output dialect: Elastic

02 Rule index

Technique · Rule · Severity · Log source
T1059 · Command and Scripting Interpreter on Linux auditd · medium · Linux auditd
T1078 · Valid Accounts on Linux auditd · medium · Linux auditd
T1098 · Account Manipulation on Linux auditd · medium · Linux auditd

03 Example rule

Linux Privileged User or Group Membership Change via auditd, generated by CloudSigma and validated against the Elastic dialect.

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling it in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.

Sigma rule · CloudSigma Elastic · Linux auditd · 2026-04-24
title: Linux Privileged User or Group Membership Change via auditd
id: 9cc851b0-a4f7-427a-9266-f14a4d184b3c
status: experimental
description: >
    Detects user account creation, deletion, group-membership changes
    and authentication-token resets on Linux hosts via auditd USER_*
    and GRP_* record types. Adversaries use these to add backdoor
    accounts, grant themselves wheel/sudo, or rotate credentials on a
    host they have already compromised. The rule is intentionally
    narrow on record type (no syscall numbers, no exe filters) so it
    fires on every privileged change including changes made by root —
    which is precisely when this matters most.
author: CloudSigma
date: 2026-04-24
references:
    - https://attack.mitre.org/techniques/T1098/
    - https://access.redhat.com/articles/4409591
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098
logsource:
    product: linux
    service: auditd
detection:
    selection_user_lifecycle:
        type:
            - ADD_USER
            - DEL_USER
            - USER_MGMT
            - USER_CHAUTHTOK
            - ACCT_LOCK
            - ACCT_UNLOCK
    selection_group_lifecycle:
        type:
            - ADD_GROUP
            - DEL_GROUP
            - GRP_MGMT
    selection_success:
        res: success
    condition: (selection_user_lifecycle or selection_group_lifecycle) and selection_success
falsepositives:
    - Configuration-management runs (Ansible, Puppet, Chef, cloud-init) provisioning new user accounts during host bootstrap
    - Identity-management agents (FreeIPA, SSSD, JumpCloud) reconciling directory state
    - Operator-driven user lifecycle from a known jump host
fields:
    - acct
    - uid
    - auid
    - exe
    - hostname
    - res
level: medium
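As an added illustration, not part of the CloudSigma rule or of this page, the Python script below applies the rule's detection logic (the two record-type selections ANDed with res=success) to a handful of constructed auditd records, surfaces the `fields` the rule lists for each hit, and renders the condition as a query string. It assumes raw auditd lines in the usual `type=... msg=audit(ts:serial): ... msg='...'` layout with the account details inside the inner quoted payload; the field names `type` and `res` are kept exactly as the Sigma rule names them (a real backend maps them to the index's own field names, which this example does not model); the log lines, account names, PIDs and serials are constructed for the example.

```python
import re

# Record types taken from the rule's two selections.
USER_LIFECYCLE = {"ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK",
                  "ACCT_LOCK", "ACCT_UNLOCK"}
GROUP_LIFECYCLE = {"ADD_GROUP", "DEL_GROUP", "GRP_MGMT"}

# Fields the rule asks the SIEM to surface with every hit.
ALERT_FIELDS = ("acct", "uid", "auid", "exe", "hostname", "res")

# key=value scanner: double-quoted, single-quoted or bare values.
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Constructed sample records (not real host data):
#   1. useradd run by an operator (auid=1000) who became root (uid=0): hit
#   2. the same operator adding that account to wheel: hit
#   3. a failed passwd run: res=failed, so selection_success is not met
#   4. a login record: not one of the selected record types
SAMPLE_LOG = """\
type=ADD_USER msg=audit(1714000000.101:2001): pid=4101 uid=0 auid=1000 ses=4 msg='op=add-user acct="svc-backup" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/1 res=success'
type=USER_MGMT msg=audit(1714000000.102:2002): pid=4102 uid=0 auid=1000 ses=4 msg='op=add-user-to-group grp="wheel" acct="svc-backup" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/1 res=success'
type=USER_CHAUTHTOK msg=audit(1714000000.103:2003): pid=4103 uid=1000 auid=1000 ses=4 msg='op=PAM:chauthtok acct="alice" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/1 res=failed'
type=USER_LOGIN msg=audit(1714000000.104:2004): pid=4104 uid=0 auid=1000 ses=5 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
""".splitlines()


def parse_audit_record(line: str) -> dict:
    """Flatten one raw auditd line into a key -> value dict.

    The inner msg='...' payload (where acct, exe, hostname and res live)
    is split off first so the outer scan does not swallow it as one token;
    both parts are then scanned with the same key=value regex and quotes
    are stripped from the values.
    """
    inner = re.search(r"msg='(.*)'\s*$", line)
    outer = line[: inner.start()] if inner else line
    pairs = _KV.findall(outer)
    if inner:
        pairs += _KV.findall(inner.group(1))
    return {key: value.strip("\"'") for key, value in pairs}


def matches_rule(record: dict) -> bool:
    """Sigma condition: (selection_user_lifecycle or selection_group_lifecycle)
    and selection_success."""
    in_selection = record.get("type") in (USER_LIFECYCLE | GROUP_LIFECYCLE)
    return in_selection and record.get("res") == "success"


def run_detection(lines) -> list:
    """Return one alert dict (record type plus the rule's `fields`) per hit."""
    hits = []
    for line in lines:
        record = parse_audit_record(line)
        if matches_rule(record):
            alert = {"type": record["type"]}
            # Absent fields are shown as "-" rather than dropped, so the
            # analyst sees which attributes the record did not carry.
            alert.update({f: record.get(f, "-") for f in ALERT_FIELDS})
            hits.append(alert)
    return hits


def render_query() -> str:
    """Render the condition as a KQL-style boolean string.

    Assumption: Sigma field names are kept as-is; mapping `type`/`res` to
    the index's field names is the backend's job and is not modelled here.
    """
    user = " or ".join(sorted(USER_LIFECYCLE))
    group = " or ".join(sorted(GROUP_LIFECYCLE))
    return f"(type:({user}) or type:({group})) and res:success"


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print(hit)
    print(render_query())
```

Running the script reports the two successful changes (account creation and the wheel membership change) with acct, uid, auid and exe attached, and drops the failed passwd run and the login record. Note how `auid=1000` survives the escalation to `uid=0`: the login uid is what ties a root-level change back to the operator session, which is why the rule surfaces both.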
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Elastic documentation, https://docs.elastic.com/
Last verified: 2026-04-24