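// Detects the creation of a new Linux user account from AuditD events.
// Events are grouped by the created user id over a 1-minute window so a
// single alert is raised per account; the source hostname is collected as a
// distinct array in the outcome and embedded in the alert description.
rule linux_user_account_created {
  meta:
    author = "ABC"
    description = "User created"
    severity = "Low"
    priority = "Low"

  events:
    $e.metadata.vendor_name = "Linux"
    $e.metadata.product_name = "AuditD"
    // Loose substring match on the normalized description; `nocase` keeps it
    // independent of capitalization. A more specific anchor (e.g. the parser's
    // own account-creation event type) would reduce false positives if one is
    // available for this log source.
    $e.metadata.description = /new user/ nocase
    // NOTE(review): for useradd-style records the created account may be
    // surfaced as the target user while principal.user is the actor running
    // the command — confirm which field carries the new account on live data.
    $e.principal.user.userid = $user
    $e.principal.hostname = $srcHost

  match:
    $user over 1m

  outcome:
    $risk_score = max(20)
    // $srcHost is not a match variable, so it must be aggregated here;
    // array_distinct collapses repeated hostnames seen within the window.
    // The original literals placed the closing quote and the hostname with no
    // separating space ("...hostname'<host>"); each value is now quoted and
    // padded so the rendered text reads cleanly.
    $alertDescription = array_distinct(strings.concat("A new user '", $user, "' was created on the linux server with the hostname '", $srcHost, "'"))

  condition:
    $e
}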
So I have this field:
metadata.event_timestamp: "2024-10-05T10:15:18Z"
I want to convert this timestamp into IST (preferably in DD/MM/YYYY h s format) and use it in the alertDescription variable. How am I supposed to do that?
So I have this field called,
metadata.event_timestamp"2024-10-05T10:15:18Z"
I want to convert this timestamp into IST (preferably in DD/MM/YYYY h
