
By: Owen Dubiel
June 17, 2021
Detecting Suspicious Linux Commands In Sumo Logic VS Splunk

Being able to detect suspicious Linux commands in your environment effectively is essential for a SIEM solution. Comparing two SIEM solutions such as Sumo Logic and Splunk can be difficult at face value because both are industry leaders. This article provides several ways to better detect malicious Linux activity, along with search queries for both Sumo Logic and Splunk that identify these suspicious Linux commands.
Features in Sumo Logic supporting Linux activity
Although both platforms are industry leaders, Sumo Logic has the upper hand when targeting suspicious Linux commands. Sumo Logic can seamlessly integrate additional information into its cloud security enterprise solution to aggregate and enrich your events. These advanced features are the critical difference between searching for basic Linux activity and searching for malicious Linux activity. Here are some of the vital elements when comparing Sumo Logic vs. Splunk.
Enrichments
Sumo Logic can direct supporting information to an enrichments tab within a given signal for each data source. The enrichment tab allows users to tie in details such as threat data, asset inventory, or vulnerability scan results, supplementing the overall event. When investigating a signal, an analyst can quickly reference this tab to get a bird's-eye view of the current security stance of any particular entity.
Actions
Actions in Sumo Logic give users the ability to add automation and customized alerting to their SIEM. Whether it is a simple email alert or a Slackbot post, the actions tab has endless options. Below are some of the built-in options:
- AWS Simple Notification Service
- Demisto
- HTTP POST (v1 & v2)
- HipChat
- IBM Resilient
- Microsoft Teams
- PagerDuty
- Recorded Future
- Sensor Commands
- Slack / Slack Webhook
Context Actions
Context Actions differ slightly from Actions: they link an external service to a signal within the Sumo Logic platform to provide further context about one of the following entity types:
- Domain
- IP Address
- Hash
- MAC Address
- URL
- Record Property
Based on these six types, you can link sources that may help provide context to the results, including IP address lookup resources, threat intelligence lookups, VirusTotal, and even a simple Google search.
Artifacts
Artifacts are best used to add data to your supporting log events and standardize a common set of fields. For example, adding a list of usernames mapped to their respective hostnames is a great way to provide context. Likewise, uploading a list of hostnames mapped to their assigned IP addresses is a massive help if the data source itself gives you no way to resolve internal IP addresses.
A search query for Splunk Linux commands
This is the base search query structured for Splunk. Over time, extend this search with the particular activity you observe in your environment:
(type="EXECVE" ((a0="chmod" a1="777") OR (a0="chmod" a1="u+s") OR (a0="cp" a1="/bin/ksh") OR (a0="cp" a1="/bin/sh")))
A search query for Sumo Logic Linux commands
For Sumo Logic customers, implementing this search as a signal titled "Suspicious Linux Commands", paired with the features above, is currently the best option for quick detection, triage, and investigation within the platform.
((_index=LINUX AND ("EXECVE") AND (((("chmod") AND ("777")) OR (("chmod") AND ("u+s")) OR (("cp") AND ("/bin/ksh")) OR (("cp") AND ("/bin/sh"))))))
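The Splunk and Sumo Logic queries above both key on the same four (command, first argument) pairs from EXECVE records. The following added example, which is not code from the article, applies that same rule set to raw log lines outside either SIEM. It assumes the records come from Linux auditd, which writes argv as a0, a1, ... and hex-encodes any argument containing whitespace, quotes or non-printable bytes; it also goes slightly beyond the queries by matching on the basename of a0, so a command logged as /usr/bin/chmod is caught as well as chmod. The sample records are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Same (command, first-argument) pairs the Splunk and Sumo Logic queries flag.
SUSPICIOUS_PAIRS = {
    ("chmod", "777"),
    ("chmod", "u+s"),
    ("cp", "/bin/ksh"),
    ("cp", "/bin/sh"),
}

# auditd writes each argv entry as aN="text", or as aN=<hex> (no quotes)
# when the value contains whitespace, quotes or non-printable bytes.
ARG_RE = re.compile(r'(?<!\w)a(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_argv(line: str) -> list[str]:
    """Return argv from one auditd EXECVE record, decoding hex-encoded args."""
    args: dict[int, str] = {}
    for m in ARG_RE.finditer(line):
        idx, text, hexval = int(m.group(1)), m.group(2), m.group(3)
        args[idx] = text if text is not None else bytes.fromhex(hexval).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def is_suspicious(line: str) -> bool:
    """Apply the article's rule set to one log line.

    Unlike the exact a0="chmod" match in the queries, this compares the
    basename of a0, so an invocation logged as /usr/bin/chmod also matches.
    """
    if "type=EXECVE" not in line:
        return False
    argv = parse_argv(line)
    if len(argv) < 2:
        return False
    return (PurePosixPath(argv[0]).name, argv[1]) in SUSPICIOUS_PAIRS


def scan(lines) -> list[str]:
    """Return the joined argv of every suspicious EXECVE record."""
    return [" ".join(parse_argv(l)) for l in lines if is_suspicious(l)]


# Constructed sample records (not real audit output); timestamps and serials are made up.
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1623945600.101:301): argc=3 a0="chmod" a1="777" a2=2F746D702F6D792066696C652E7368',
    'type=EXECVE msg=audit(1623945600.102:302): argc=3 a0="/usr/bin/cp" a1="/bin/sh" a2="/tmp/.x"',
    'type=EXECVE msg=audit(1623945600.103:303): argc=3 a0="chmod" a1="644" a2="/etc/motd"',
    'type=SYSCALL msg=audit(1623945600.101:301): arch=c000003e syscall=59 success=yes exit=0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", hit)
```

The first record's a2 is hex because the path contains a space; decoding it before matching is what keeps the rule from being bypassed by an argument the SIEM would otherwise display as raw hex.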
Conclusion
Whether you decide to use Sumo Logic or Splunk, either choice requires knowledge and experience to detect and isolate suspicious Linux commands on your network. The above search queries are only starting points for setting up proper Linux detections.