# Analyzing Linux Audit Logs for Intrusion

## When to Use

- Investigating suspected unauthorized access or privilege escalation on Linux hosts
- Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms
- Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring
- Reconstructing a timeline of attacker actions during incident response
- Detecting file tampering on critical system files such as , , or SSH keys

Do not use for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at…
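The following script is an added example, not code from the original page: it shows how the use cases above (privilege escalation, tampering with identity files and SSH keys, timeline reconstruction) look when applied to raw auditd records. It groups the `type=... msg=audit(epoch:serial):` lines that share a serial into one event, then tags events where an unprivileged login uid (`auid`) is running with `euid=0`, where a watched path is opened for writing or created, or where access to a watched path was denied. The log lines are constructed for illustration; the `WATCHED_PATHS` list, the tag names, and the assumption that the host is x86_64 (so `open` is syscall 2 and `openat` is 257) are the example's own choices.

```python
"""Group raw auditd records into events and build a timeline of suspicious ones.

Added example, not from the original page. SAMPLE_LOG is constructed; the
record layout follows auditd's raw format (what `ausearch -r` emits).
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: a denied read of /etc/shadow, a setuid shell (auid=1000 but
# euid=0), an edit of /etc/shadow, and a new root authorized_keys file.
SAMPLE_LOG = r'''
type=SYSCALL msg=audit(1700000000.050:100): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c1f0 a2=0 a3=0 items=1 ppid=900 pid=1000 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="identity"
type=PATH msg=audit(1700000000.050:100): item=0 name="/etc/shadow" inode=130 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.100:101): argc=1 a0="bash"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1001 pid=1002 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.200:102): argc=2 a0="sh" a1="-p"
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c1a0 a2=241 a3=1b6 items=2 ppid=1002 pid=1003 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1700000000.300:103): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.300:103): item=1 name="/etc/shadow" inode=130 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c1f0 a2=441 a3=180 items=2 ppid=1002 pid=1004 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="tee" exe="/usr/bin/tee" key="sshkeys"
type=PATH msg=audit(1700000000.400:104): item=1 name="/root/.ssh/authorized_keys" inode=999 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
'''

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # quoted values may contain spaces

AUID_UNSET = 4294967295            # (u32)-1: no login uid assigned (daemons, boot-time processes)
WATCHED_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/.ssh/")  # assumption: our critical files
OPEN_FLAG_ARG = {2: "a1", 257: "a2"}  # x86_64 open(2)/openat(2): which argument carries the flags
O_ACCMODE_WRITE = 0x3                 # O_WRONLY=1 or O_RDWR=2 set => opened for writing


def parse_records(text):
    """Yield (type, ts, serial, fields) for every well-formed raw record line."""
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        # Values that contain spaces/non-printables are hex-encoded and unquoted in real logs;
        # this example keeps them as-is rather than decoding them.
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        yield m.group("type"), float(m.group("ts")), int(m.group("serial")), fields


def group_events(text):
    """Collect records sharing an audit serial into one event; return events in time order."""
    events = {}
    for rtype, ts, serial, fields in parse_records(text):
        ev = events.setdefault(serial, {"ts": ts, "serial": serial, "records": defaultdict(list)})
        ev["records"][rtype].append(fields)
    return sorted(events.values(), key=lambda e: (e["ts"], e["serial"]))


def is_watched(path):
    return any(w in path for w in WATCHED_PATHS)


def analyze_event(ev):
    """Return tags explaining why this event matters; an empty list means nothing flagged."""
    tags = []
    syscalls = ev["records"].get("SYSCALL")
    if not syscalls:
        return tags
    sc = syscalls[0]
    auid, euid = int(sc.get("auid", AUID_UNSET)), int(sc.get("euid", -1))
    escalated = auid not in (0, AUID_UNSET) and euid == 0  # real user is unprivileged, yet running as root
    if escalated:
        tags.append(f"root-euid-for-login-uid-{auid}")
        for ex in ev["records"].get("EXECVE", []):  # record what the root process executed
            keys = sorted((k for k in ex if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
            tags.append("exec:" + " ".join(ex[k] for k in keys))
    flags_arg = OPEN_FLAG_ARG.get(int(sc.get("syscall", -1)))
    flags = int(sc.get(flags_arg, "0"), 16) if flags_arg else 0  # syscall args are logged in hex
    writing = bool(flags & O_ACCMODE_WRITE)
    for p in ev["records"].get("PATH", []):
        name, ntype = p.get("name", ""), p.get("nametype", "")
        if ntype == "PARENT" or not is_watched(name):
            continue
        if sc.get("success") == "no":
            tags.append(f"denied:{name}")          # probing without rights is worth a look too
        elif writing or ntype in ("CREATE", "DELETE"):
            tags.append(f"modify:{name}")
    return tags


def build_timeline(text):
    """Flagged events as (iso_time, serial, auid, euid, comm, tags) tuples, chronological."""
    out = []
    for ev in group_events(text):
        tags = analyze_event(ev)
        if not tags:
            continue
        sc = ev["records"]["SYSCALL"][0]
        when = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(timespec="milliseconds")
        out.append((when, ev["serial"], int(sc["auid"]), int(sc["euid"]), sc.get("comm", "?"), tags))
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for when, serial, auid, euid, comm, tags in build_timeline(text):
        print(f"{when} serial={serial} auid={auid} euid={euid} comm={comm} {' '.join(tags)}")
```

On a real host, feed it the output of `ausearch -r` (optionally narrowed with `-k identity` or `-ts`), which prints the same raw record format; the benign `bash` exec (serial 101) drops out of the timeline, while the denied read, the setuid shell, the `/etc/shadow` edit and the new `authorized_keys` file remain, in order. Keying on `auid` rather than `uid` is the point of the escalation check: `auid` is set at login and survives `su`, `sudo` and setuid binaries, so it ties every root action back to the human account that started the session.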