Your are searching for some use cases for your SIEM or your logging/audit/log-alerting system?
How about monitoring some possibly critical commands, files and folders? Here are some examples, which could be helpful. You can use those ideas and adjust them to your environment:
- vi /etc/passwd
or anything that interacts with /etc/passwd - john
When john the ripper is used - msfconsole
When metalspoit console is called - rm –rf /
If someone/something wants to delete "too much" - passwd root
Changing the password of the root user might be interesting to monitor - /etc/init.d/apache2 stop
Stopping, Restarting (with changed cfg/libs/files?) of important services might be something to investigate - vi /etc/postfix/ssl.conf
Editing or looking at your SSL/TLS configuration of your mailserver could be fishy - /var/opt/researchdevelopmentdata or /var/opt/paymenttransactiondata
Folders with critical business, payment, personal, research-and-development or other data could be interesting to watch - /etc/payment-system/configuration.conf
Folders with configuration files of applications with with critical business, payment, personal, research-and-development data should be closly monitored - Windows: useradd Administrator
Also Windows systems of course have lots of critical commands or folders and files, which should be monitored, e.g. when an administrator user is added - Windows Domain Controller: vssadmin create shadow /for=C: (or on which partition NTDS.dit is stored)
Intensivly Monitor NTDS.dit (Active Directory database) and possible attemps to copy/modify it (e.g. using vssadmin)