- macro: check_privileged
  condition: (user.uid=0 or user.name=root)

- rule: Log Established Connections Privileged
  desc: Log process name, user, egress IP for established connections by privileged processes
  condition: >
    evt.type=connect and evt.dir=< and check_privileged
  output: >
    {"event_type": "privileged_connection", "process_name": "%proc.name", "user_name": "%user.name", "egress_ip": "%fd.sip"}
  priority: INFO
  tags: [network, process]

- rule: Log Established Connections Non-Privileged
  desc: Log process name, user, egress IP for established connections by non-privileged processes
  condition: >
    evt.type=connect and evt.dir=< and not check_privileged
  output: >
    {"event_type": "non_privileged_connection", "process_name": "%proc.name", "user_name": "%user.name", "egress_ip": "%fd.sip"}
  priority: INFO
  tags: [network, process]