application_execution
  reporter is 'sudo' AND body contains 'COMMAND='
  data_type is 'selinux:line' AND audit_type is 'EXECVE'
  data_type is 'syslog:cron:task_run' OR data_type is 'bash:history:command' OR data_type is 'shell:zsh:history' OR data_type is 'docker:json:layer'

login
  reporter is 'login' AND (body contains 'session opened' OR body contains 'logged in' OR body contains 'ROOT LOGIN')
  reporter is 'sshd' AND (body contains 'Starting session' OR body contains 'session opened')
  data_type is 'selinux:line' AND audit_type is 'LOGIN'
  data_type is 'linux:utmp:event' AND type == 7

login_failed
  data_type is 'syslog:line' AND body contains 'pam_tally2'
  reporter is 'sshd' AND body contains 'uthentication failure'
  data_type is 'selinux:line' AND audit_type is 'USER_LOGIN' AND body contains 'res=failed'
  data_type is 'selinux:line' AND audit_type is 'ANOM_LOGIN_FAILURES'
  reporter is 'xscreensaver' AND body contains 'FAILED LOGIN'

logout
  reporter is 'login' AND body contains 'session closed'
  reporter is 'sshd' AND (body contains 'session closed' OR body contains 'Close session')
  reporter is 'systemd-logind' AND body contains 'logged out'
  # This will also flag dead gettys that init kills during shutdown/reboot (at least with SysV init)
  data_type is 'linux:utmp:event' AND type == 8 AND terminal != '' AND pid != 0

session_start
  reporter is 'systemd-logind' and body contains 'New session'

session_stop
  reporter is 'systemd-logind' and body contains 'Removed session'

boot
  data_type is 'linux:utmp:event' AND terminal is 'system boot' AND username is 'reboot' AND type == 2

shutdown
  data_type is 'linux:utmp:event' AND (terminal is '~~' OR terminal is 'system boot') and type == 1 and username is 'shutdown'

runlevel
  data_type is 'linux:utmp:event' AND type == 1 AND username is 'runlevel'

device_connection
  reporter is 'kernel' AND body contains 'New USB device found'

device_disconnection
  reporter is 'kernel' AND body contains 'USB disconnect'

application_install
  data_type is 'dpkg:line' AND body contains 'status installed'

service_start
  data_type is 'selinux:line' AND audit_type is 'SERVICE_START'

service_stop
  data_type is 'selinux:line' AND audit_type is 'SERVICE_STOP'

promiscuous
  data_type is 'selinux:line' AND audit_type is 'ANOM_PROMISCUOUS'
  reporter is 'kernel' AND body contains 'promiscuous mode'

crash
  data_type is 'selinux:line' AND audit_type is 'ANOM_ABEND'
  reporter is 'kernel' AND body contains 'segfault'
