How to represent linux group data in UDM?

Kalia-66 · 09-03-2023 05:40 AM

Hi! We’d like to ingest some UDM data about group creation events (specifically linux groups created on a host via a cmdline process or other similar means), and we were wondering if you guys have any recommendations for how best to represent this kind of group in the UDM? I initially wanted to use the Group entity ( link ), but upon closer inspection of the fields, it seems like that entity is more intended for organizational groups (eg. LDAP groups)? So, we were wondering if anyone has any suggestions for a good way to represent linux group data in UDM?

Ion_Todd

We’ve manually written groups onto user objects using the groups repeated field, but haven’t stumbled into this. I’d be interested in your use case.

Some good advice that helped pull me out of a “map everything” rabbit hole was “Consider how you want to search the data once its ingested”. My brain wants to project my understanding of technical concepts into UDM, but this doesn’t always facilitate the SIEM/searching use case well.

So, the short answer is there isn’t a current UDM field that maps nicely to linux groups. But having that field might not help your search use case. What question are you hoping to answer and how would you search for it? Is it just historical groups created on a machine?

I also believe that you can add groups outside of the groupadd command, so perhaps setting up auditing on /etc/group would give you better coverage.

Kalia-66

Thank you Ion!! I will get back to you.

Webinar May 14th: Gemini's generative AI within Google SecOpsWebinar May 29th: Log Ingestion: Bindplane + Google SecOps

How to represent linux group data in UDM?

Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps