Difference between (event.module: system - event.action: user_login) AND (event.module: auditd - event.action: logged-in)

I have set up both packetbeat and auditbeat on a host. I wanted to set a rule about login events, but the separation between event.module: system and event.module: auditd confuses me a bit.

At the SIEM overview there is not a very good explanation and categorization of which beat an event.module belongs to, and the same goes for event.dataset.

Also, my question came up when I saw that there were two login events! The first is event.action: user_login and the second is event.action: logged-in.

As someone who is trying to catch login events and set a rule for them, that seems a bit confusing, at least as of now, since I haven't understood the relationship and the differences!

Thanks in advance

Hi @panagiss, thanks for your post.

Yes, it can be hard to remember which beats have modules, and which modules you've enabled.
If you look at the agent.type field in the event, it will contain the name of the beat that produced the event, such as in this example, where we can clearly see that it was filebeat's system module that produced this event.

However, one of the biggest advantages of using Elastic Common Schema (which all beats do), is that you don't necessarily need to track which beat or which module captured the login event, and you don't have to worry about which values of event.action are used. Instead, use the ECS categorization fields, event.category and event.outcome in your rule, to find desired authentication events.

For example in the rule creation dialog below we use event.category:authentication AND event.outcome:success to find all successful logins. The preview histogram shows events that would be detected by the rule.

Please let us know if this helps.

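As an added illustration (not part of the thread, and not Elastic's code), here is a small Python check of the point made in the answer: matching on the ECS fields event.category and event.outcome catches the login from filebeat's system module and the one from auditbeat's auditd module alike, whereas matching on beat-specific event.action values misses whichever one was not anticipated. The sample documents are constructed to resemble the two events from the question plus one failed login; their field values are illustrative only.

```python
"""Match login events by ECS categorization fields instead of beat-specific actions."""

# Constructed sample documents shaped like the two events from the question
# (filebeat system module, auditbeat auditd module) plus a constructed failed
# login. Field values are illustrative, not real captures.
SAMPLE_EVENTS = [
    {"agent": {"type": "filebeat"},
     "event": {"module": "system", "action": "user_login",
               "category": ["authentication"], "outcome": "success"}},
    {"agent": {"type": "auditbeat"},
     "event": {"module": "auditd", "action": "logged-in",
               "category": ["authentication"], "outcome": "success"}},
    {"agent": {"type": "auditbeat"},
     "event": {"module": "auditd", "action": "logged-in",
               "category": ["authentication"], "outcome": "failure"}},
]


def get_field(doc, dotted_path):
    """Walk a nested ECS document by dotted field name; None if the path is absent."""
    for part in dotted_path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def as_list(value):
    """ECS keyword fields such as event.category may arrive as a string or an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_successful_login(doc):
    """Same condition as the rule query event.category:authentication AND event.outcome:success."""
    return ("authentication" in as_list(get_field(doc, "event.category"))
            and get_field(doc, "event.outcome") == "success")


def brittle_is_login(doc, known_actions=("user_login",)):
    """Action-based matching: silently misses modules whose action name is not listed."""
    return get_field(doc, "event.action") in known_actions


def successful_logins(docs):
    """Return (event.module, event.action) for every document the ECS-based rule matches."""
    return [(get_field(d, "event.module"), get_field(d, "event.action"))
            for d in docs if is_successful_login(d)]
```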

Yeah thanks a lot. ECS fixes my problem.
