Linux
The JSA Linux content extension adds new custom event properties for Linux.
JSA Linux Content Extensions
JSA Linux Content Extension V1.0.1 Entire Pack
The following table shows all of the content that is included in JSA Linux Content Extension V1.0.1.
Table 1: Overview Of Custom Properties In JSA Linux Content Extension V1.0.1
Name | Addition or modification notes |
---|---|
Application | Introduced in V1.0.0. |
Command | Introduced in V1.0.0. |
Computer Name | Introduced in V1.0.0. Updated in V1.0.1. |
Effective Group ID | Introduced in V1.0.0. |
Effective User ID | Introduced in V1.0.0. |
File Directory | Introduced in V1.0.0. Updated in V1.0.1. |
Filename | Introduced in V1.0.0. Updated in V1.0.1. |
Group ID | Introduced in V1.0.0. Updated in V1.0.1. |
Group Name | Introduced in V1.0.0. |
Home Directory | Introduced in V1.0.0. |
Process CommandLine | Introduced in V1.0.1. |
Process Direction | Introduced in V1.0.0. |
Process ID | Introduced in V1.0.0. Updated in V1.0.1. |
Process Name | Introduced in V1.0.0. Updated in V1.0.1. |
Process Path | Introduced in V1.0.1. |
Shell | Introduced in V1.0.0. |
User ID | Introduced in V1.0.0. Updated in V1.0.1. |
Custom Properties in Linux V1.0.1 Content Extension
The following table shows the custom properties in the JSA Linux V1.0.1 content extension.
Table 2: Custom Properties in Linux V1.0.1 Content Extension
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Computer Name | No | 1 | \bnode=([^\s]+) |
File Directory | Yes | 1 | exe=\"([\/\w]+)(?=\/) |
File Directory | Yes | 1 | PWD=([\/\w]+)(?=\/) |
File Directory | Yes | 1 | script=([\/\w]+)(?=\/) |
File Directory | Yes | 1 | item=\d+ name="([^\"]*)\/[^\\]+?" |
Filename | Yes | 1 | exe=\".*?\/([^\/]*?)\" |
Filename | Yes | 1 | PWD=.*\/([^\/]*?); |
Filename | Yes | 1 | script=.*\/([^,]*),\saccount |
Filename | Yes | 1 | item=\d+ name="[^\"]+\/([^\"]+)" |
GroupID | Yes | 1 | (?i)gid=(\d+) |
GroupID | Yes | 1 | uid\/euid\/gid\/egid\s=\s\d+\/\d+\/(\d+) |
Process CommandLine | Yes | 1 | ocomm="([^\"]+) |
Process Id | No | 1 | \bpid=(\d+) |
Process Name | No | 1 | exe=".*\/([^"]+)" |
Process Name | No | 1 | START\:\s([^\s]+) |
Process Name | No | 1 | EXIT\:\s([^\s]+) |
Process Name | No | 1 | exe=\"[^\"]+\/([^"]+) |
Process Path | No | 1 | exe="([^"]+)" |
User ID | Yes | 1 | (?i)uid=(\d+) |
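As an added example (not part of the JSA content extension itself), the following Python applies a subset of the V1.0.1 regexes from Table 2 to a constructed auditd SYSCALL record and reports capture group 1 for each, which is how the custom property would be populated. The hostname, PIDs, UIDs and GIDs in the sample event are constructed values.

```python
import re

# Custom property regexes copied from Table 2 (V1.0.1); every property uses capture group 1.
PROPERTIES = {
    "Computer Name": r"\bnode=([^\s]+)",
    "Process Id": r"\bpid=(\d+)",
    "User ID": r"(?i)uid=(\d+)",
    "GroupID": r"(?i)gid=(\d+)",
    "Process Path": r'exe="([^"]+)"',
    "Process Name": r'exe=".*\/([^"]+)"',
    "File Directory": r"exe=\"([\/\w]+)(?=\/)",
    "Filename": r"exe=\".*?\/([^\/]*?)\"",
}


def extract_properties(event: str) -> dict:
    """Return capture group 1 of the first match of each regex (None when nothing matches)."""
    result = {}
    for name, pattern in PROPERTIES.items():
        match = re.search(pattern, event)
        result[name] = match.group(1) if match else None
    return result


# Constructed auditd SYSCALL record (not a real capture); field order follows auditd,
# so ppid= precedes pid= and auid= precedes uid=. The login user is uid 1000 and the
# process runs as uid 0 after sudo.
SAMPLE_EVENT = (
    "node=webserver01 type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e "
    "syscall=59 success=yes exit=0 items=2 ppid=2442 pid=2449 auid=1000 uid=0 "
    "gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 "
    'comm="sudo" exe="/usr/bin/sudo" key="exec"'
)

if __name__ == "__main__":
    # \bpid= skips ppid=2442 and yields 2449; the User ID pattern has no \b, so its
    # first match is the "uid=" inside "auid=1000", not the later "uid=0".
    for name, value in extract_properties(SAMPLE_EVENT).items():
        print(f"{name:15} -> {value}")
```

The word boundary in `\bpid=` and `\bnode=` is what keeps those patterns from matching inside `ppid=` or a longer token; the `(?i)uid=(\d+)` pattern carries no such boundary and therefore captures the `auid=` value on a record like this one.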
Custom Properties in Linux V1.0.0 Content Extension
The following table shows the custom properties in the JSA Linux V1.0.0 content extension.
Table 3: Custom Properties in Linux V1.0.0 Content Extension
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Application | No | 1 | (\w+)\[\d+\]\:\s |
Command | No | 1 | COMMAND=([^\s]+) |
Command | No | 1 | running\s([^\s]+)\scommand |
Computer Name | No | 1 | node=([^\s]+) |
Effective Group ID | No | 1 | uid\/euid\/gid\/egid\s=\s\d+\/\d+\/\d+\/(\d+) |
Effective User ID | No | 1 | euid=(\d+) |
Effective User ID | No | 1 | uid\/euid\/gid\/egid\s=\s\d+\/(\d+) |
File Directory | Yes | 1 | exe=\"([\/\w]+)(?=\/) |
File Directory | Yes | 1 | PWD=([\/\w]+)(?=\/) |
File Directory | Yes | 1 | script=([\/\w]+)(?=\/) |
Filename | Yes | 1 | exe=\".*?\/([^\/]*?)\" |
Filename | Yes | 1 | PWD=.*\/([^\/]*?); |
Filename | Yes | 1 | script=.*\/([^,]*),\saccount |
Group Name | No | 1 | group=([^,]+) |
GroupID | No | 1 | gid=(\d+) |
GroupID | No | 1 | uid\/euid\/gid\/egid\s=\s\d+\/\d+\/(\d+) |
Home Directory | No | 1 | home=([^,]+) |
Process Direction | No | 1 | direction=([^\s]+) |
Process Id | No | 1 | pid=(\d+) |
Process Id | No | 1 | \[(\d+)\]\:\s |
Process Name | No | 1 | exe=".*\/([^"]+)" |
Process Name | No | 1 | START\:\s([^\s]+) |
Process Name | No | 1 | EXIT\:\s([^\s]+) |
Shell | No | 1 | shell=([^,]+) |
User ID | No | 1 | uid\/euid\/gid\/egid\s=\s(\d+)\/ |
User ID | No | 1 | uid=(\d+) |