Kunai is a Linux-based security monitoring and threat hunting tool written in Rust. This artifact parses the Kunai log file.
name: Exchange.Linux.Kunai
author: Wes Lambert -- @therealwlambert, @weslambert@infosec.exchange
description: |
Kunai is a Linux-based security monitoring and threat hunting tool written in Rust. This artifact parses the Kunai log file.
reference:
- https://github.com/0xrawsec/kunai
parameters:
- name: LogFile
default: kunai.log
description: Path of Kunai log file
sources:
- precondition:
SELECT OS From info() where OS = 'linux'
query: |
SELECT
info.utc_time AS Timestamp,
info.host.hostname AS Hostname,
info.host.container AS _Container,
info.event.id AS EventID,
info.event.name AS EventName,
info.event.uuid AS EventUUID,
data.command_line AS CommandLine,
data.exe AS Exe,
data.path AS Path,
info.event.batch AS _EventBatch,
info.task AS Task,
info.parent_task AS ParentTask
FROM parse_jsonl(filename=LogFile)