{
  "anomaly_threshold": 75,
  "author": [
    "Elastic"
  ],
  "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.",
  "false_positives": [
    "Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."
  ],
  "from": "now-45m",
  "interval": "15m",
  "license": "Elastic License v2",
  "machine_learning_job_id": "linux_rare_sudo_user",
  "name": "Unusual Sudo Activity",
  "risk_score": 21,
  "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0",
  "severity": "low",
  "tags": [
    "Elastic",
    "Host",
    "Linux",
    "Threat Detection",
    "ML"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0005",
        "name": "Defense Evasion",
        "reference": "https://attack.mitre.org/tactics/TA0005/"
      },
      "technique": [
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "reference": "https://attack.mitre.org/techniques/T1548/"
        }
      ]
    },
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0004",
        "name": "Privilege Escalation",
        "reference": "https://attack.mitre.org/tactics/TA0004/"
      },
      "technique": [
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "reference": "https://attack.mitre.org/techniques/T1548/"
        }
      ]
    }
  ],
  "type": "machine_learning",
  "version": 2
}