I have been tasked with writing queries for the following and I am not sure how to go about it:

Detection / Event Name | Event Description
Master Password Use | The master password used to access the backend vault was used
Backend Vault Built-in Admin Use | The built-in admin account on the backend vault was used
sssd.conf modified on Linux server | The sssd.conf file was modified on a Linux server
This is completely specific to the data you are collecting.
"The master password used to access the backend vault was used" - you need to identify the correct events from the vault access logs. Maybe you can get help from the SME who manages the vault in your firm. The same goes for the other queries as well.
You can simulate those actions and see how the events are created for them.
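Taking the sssd.conf row as a concrete case, here is an added example (not from this thread) of the kind of check such a query boils down to once you know what the events look like: it assumes auditd is running with the watch rule `-w /etc/sssd/sssd.conf -p wa -k sssd_conf_change` loaded, so every write attempt yields SYSCALL and PATH records sharing one event id and tagged with that key, and it runs over constructed audit records embedded below.

```python
import re
from collections import defaultdict

WATCH_KEY = "sssd_conf_change"        # key name assumed from the audit rule
WATCHED_PATH = "/etc/sssd/sssd.conf"

# key=value pairs: quoted strings, "(null)"-style values, or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")   # msg=audit(TIMESTAMP:EVENT_ID)

def parse_record(line):
    """Turn one auditd line into a dict of its fields plus 'ts' and 'event_id'."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"], fields["event_id"] = float(m.group(1)), m.group(2)
    return fields

def detect_sssd_conf_changes(log_text):
    """Group records by event id; alert when a SYSCALL record carries the watch
    key and a PATH record of the same event names sssd.conf. Failed attempts
    (success=no) are reported too, since they show someone trying."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]].append(rec)
    alerts = []
    for eid, recs in events.items():
        syscalls = [r for r in recs if r.get("type") == "SYSCALL" and r.get("key") == WATCH_KEY]
        paths = {r.get("name") for r in recs if r.get("type") == "PATH"}
        if not syscalls or WATCHED_PATH not in paths:
            continue
        s = syscalls[0]
        auid = s.get("auid", "")
        alerts.append({"event_id": eid, "ts": s["ts"], "comm": s.get("comm"), "exe": s.get("exe"),
                       "auid": "unset" if auid == "4294967295" else auid,   # 4294967295 = no login uid
                       "success": s.get("success") == "yes"})
    return alerts

# Constructed sample: a real edit (101), a denied write attempt (102), and an
# unrelated watched file (103) that must not alert.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 ppid=4120 pid=4133 auid=1001 uid=0 euid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" key="sssd_conf_change"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/sssd/sssd.conf" inode=1234 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.456:102): arch=c000003e syscall=257 success=no exit=-13 ppid=2200 pid=2244 auid=1002 uid=1002 euid=1002 tty=pts1 comm="cp" exe="/usr/bin/cp" key="sssd_conf_change"
type=PATH msg=audit(1700000005.456:102): item=0 name="/etc/sssd/sssd.conf" inode=1234 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000009.789:103): arch=c000003e syscall=257 success=yes exit=3 ppid=4120 pid=4140 auid=1001 uid=0 euid=0 tty=pts0 comm="vipw" exe="/usr/sbin/vipw" key="passwd_changes"
type=PATH msg=audit(1700000009.789:103): item=0 name="/etc/passwd" inode=99 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

if __name__ == "__main__":
    for a in detect_sssd_conf_changes(SAMPLE_LOG):
        print(a)
```

The same shape (find the authoritative record, join it with the context that names the object, then carry the actor fields into the alert) is what the vault-log queries for the first two rows need once the SME has pointed you at the right event types.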