Linux detection engineering with Auditd

Overview

In this article, I explore how to use Auditd and Auditd Manager effectively for detection engineering. I'll demonstrate Auditd's key features, walk through the setup process, and show how to create and modify rules that capture specific behaviors. You'll also learn how to interpret the resulting logs and see how Auditd Manager, an Elastic integration, makes Auditd more useful by streamlining its management.

Are you interested in this research? The full paper is available at Elastic Security Labs!