Description
Integration Name
System [system]
Dataset Name
system.auth
Integration Version
2.12.4
Agent Version
9.3.1
Agent Output Type
elasticsearch
Elasticsearch Version
9.3.1
OS Version and Architecture
any
Software/API Version
No response
Error Message
No response
Event Original
No response
What did you do?
Creating a user whose username, home directory or shell contains the word "fail"
results in event.outcome being wrongly set to failure. This bypasses
at least two SIEM rules, which check for event.outcome equal to success to
determine whether the rule should trigger.
This also affects people searching for newly created users: if they lack
Linux knowledge, they might assume that the creation failed, while
in fact the OS has created the user.
This is because the if statement in the system.auth ingest pipeline checks whether
the message string contains the word fail (ctx.message.contains("fail")) anywhere
in the message.
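To make the false-failure visible, here is an added reproduction (not code from the issue or the integration) that runs the substring condition described above and an assumed tighter rule over a few constructed auth.log-style lines; the messages, the key=value scrub list and the failure phrases are assumptions for illustration.

```python
import re

# Constructed auth.log-style messages (not taken from the issue); the
# "useradd" lines carry the word "fail" only inside user-supplied values.
SAMPLES = {
    "useradd_failover": "useradd[2314]: new user: name=failover, UID=1002, "
                        "GID=1002, home=/home/failover, shell=/bin/bash",
    "useradd_shell_fail": "useradd[2316]: new user: name=svc, UID=1004, "
                          "GID=1004, home=/srv/svc, shell=/usr/local/bin/failsafe-sh",
    "useradd_alice": "useradd[2315]: new user: name=alice, UID=1003, "
                     "GID=1003, home=/home/alice, shell=/bin/bash",
    "sshd_failed_pw": "sshd[811]: Failed password for invalid user admin "
                      "from 203.0.113.5 port 4411 ssh2",
    "pam_auth_failure": "sudo: pam_unix(sudo:auth): authentication failure; "
                        "logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob",
}

def outcome_substring(message: str) -> str:
    """The condition the issue describes: a 'fail' substring anywhere in the
    message marks the event as failed. Lower-casing first is an assumption
    made here so that 'Failed password' lines are also caught."""
    return "failure" if "fail" in message.lower() else "success"

# Assumed tighter rule for comparison: strip user-controlled key=value
# fields first, then match only whole-word failure phrases that the
# daemons themselves emit.
USER_VALUE = re.compile(r"\b(?:name|home|shell|dir)=\S+")
FAILURE_PHRASE = re.compile(r"\bfailed\b|\bauthentication failure\b", re.IGNORECASE)

def outcome_narrow(message: str) -> str:
    scrubbed = USER_VALUE.sub("", message)
    return "failure" if FAILURE_PHRASE.search(scrubbed) else "success"

def compare(samples: dict) -> dict:
    """Return {sample_name: (substring_outcome, narrow_outcome)} so the two
    rules can be diffed over the sample set."""
    return {k: (outcome_substring(v), outcome_narrow(v)) for k, v in samples.items()}

if __name__ == "__main__":
    for name, (loose, narrow) in compare(SAMPLES).items():
        flag = "  <-- false failure" if loose != narrow else ""
        print(f"{name:20s} substring={loose:8s} narrow={narrow}{flag}")
```

Only the two useradd lines with "fail" inside user-supplied values differ between the rules; genuine sshd and PAM failures are classified as failure by both.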
What did you see?
What did you expect to see?
The event.outcome field should not get set to failure, but rather to success.
Anything else?
No response