@timestamp >= “2023-01-01” | Timestamp |
| (X AND Y) OR Z |
fu~~y | fuzzy operator |
“server error”~4 | “slop value” → server and error up to 4 positions apart |
Event_Type: /.*/ Description: /(s|m).*/
file where host.os.type == "linux" and
event.action in ("rename", "creation") and
file.path in (
"/etc/crontab",
"/etc/cron.allow",
"/etc/cron.deny"
)
client.ip user.agent http.request.method url.path http.response.status_code