Ideas for your SIEM or Logging-System - Monitoring of critical commands, files and folders


Are you searching for use cases for your SIEM or your logging/audit/log-alerting system?

How about monitoring potentially critical commands, files and folders? Here are some examples that could be helpful; take these ideas and adjust them to your environment:
  1. vi /etc/passwd
    or anything else that reads or writes /etc/passwd; a file watch on /etc/passwd itself catches this no matter which editor or tool is used

  2. john
    When John the Ripper is run

  3. msfconsole
    When the Metasploit console is started

  4. rm -rf /
    If someone or something tries to delete "too much"

  5. passwd root
    Changing the password of the root user is worth monitoring

  6. /etc/init.d/apache2 stop
    Stopping or restarting important services (possibly after config, libraries or files were changed) is something to investigate

  7. vi /etc/postfix/ssl.conf
    Editing, or even just reading, the SSL/TLS configuration of your mail server could be fishy

  8. /var/opt/researchdevelopmentdata or /var/opt/paymenttransactiondata
    Folders holding critical business, payment, personal, research-and-development or other sensitive data are worth watching

  9. /etc/payment-system/configuration.conf
    Configuration files (and the folders holding them) of applications that process critical business, payment, personal or research-and-development data should be closely monitored

  10. Windows: net user <name> /add or net localgroup Administrators <name> /add
    Windows systems of course also have lots of critical commands, files and folders that should be monitored, e.g. when a user is created or added to the Administrators group (net user is the Windows counterpart of useradd)

  11. Windows Domain Controller: vssadmin create shadow /for=C: (or whichever partition NTDS.dit is stored on)
    Intensively monitor NTDS.dit (the Active Directory database) and any attempt to copy or modify it, e.g. via a Volume Shadow Copy created with vssadmin

Of course there are many more critical commands, files and folders, and not all eleven examples fit every environment. Adjusting them to your needs is what turns the list into additional security.
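
The list above can be turned into a small detector. The following is an added example and not code from the original page: it parses auditd type=EXECVE records (this assumes process execution is audited, e.g. with the rule -a always,exit -F arch=b64 -S execve -k exec), matches argv against use cases 1 to 9, and matches a Windows 4688 / Sysmon event 1 command line against use cases 10 and 11. The finding names, the WATCHED_SERVICES set, the sudo handling and the sample records are assumptions made for this example; the watched paths are the page's own placeholders.

```python
"""Match audit records against the critical-command / critical-file use cases above."""
import posixpath
import re

# Files and folders from the list above (the /var/opt and /etc/payment-system entries are
# the page's placeholders); a trailing "/" means "anything underneath".
WATCHED_PATHS = [
    "/etc/passwd",
    "/etc/postfix/ssl.conf",
    "/etc/payment-system/",
    "/var/opt/researchdevelopmentdata/",
    "/var/opt/paymenttransactiondata/",
]
WATCHED_BINARIES = {"john", "msfconsole"}  # execution alone is worth an alert
WATCHED_SERVICES = {"apache2", "postfix"}  # assumed set: stop/restart should be investigated
# auditd writes an argument as aN="text" when it is plain printable text and as a bare hex
# string when it contains spaces, quotes or non-printable bytes.
_ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|[0-9A-Fa-f]+)')


def parse_execve(record):
    """argv of an auditd type=EXECVE record (aN[i] fragments of huge arguments not handled)."""
    args = {}
    for m in _ARG_RE.finditer(record):
        idx, raw, text = int(m.group(1)), m.group(2), m.group(3)
        args[idx] = text if text is not None else bytes.fromhex(raw).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def classify(argv):
    """Return the use cases (numbered as in the list above) that an argv matches."""
    if argv and posixpath.basename(argv[0]) == "sudo":  # plain "sudo cmd"; sudo options not handled
        argv = argv[1:]
    if not argv:
        return []
    findings = []
    cmd = posixpath.basename(argv[0])
    flags = [a for a in argv[1:] if a.startswith("-")]
    operands = [a for a in argv[1:] if not a.startswith("-")]
    # 1, 7, 8, 9: an argument that names a watched file or lies inside a watched folder.
    for arg in argv:
        for path in WATCHED_PATHS:
            if arg == path.rstrip("/") or (path.endswith("/") and arg.startswith(path)):
                findings.append("watched_path:" + path)
    # 2, 3: attack tooling.
    if cmd in WATCHED_BINARIES:
        findings.append("watched_binary:" + cmd)
    # 4: recursive delete of the root file system, including spellings like "rm -fR /*".
    recursive = any(f == "--recursive" or (not f.startswith("--") and "r" in f.lower()) for f in flags)
    if cmd == "rm" and recursive and any(op in ("/", "/*") for op in operands):
        findings.append("rm_recursive_root")
    # 5: root password change.
    if cmd == "passwd" and "root" in operands:
        findings.append("root_password_change")
    # 6: stop/restart of a watched service via init script, service(8) or systemctl.
    words = [op.removesuffix(".service") for op in operands]
    service = None
    if argv[0].startswith("/etc/init.d/"):
        service = cmd
    elif cmd in ("service", "systemctl"):
        service = next((w for w in words if w in WATCHED_SERVICES), None)
    if service in WATCHED_SERVICES and {"stop", "restart"} & set(words):
        findings.append("service_stop:" + service)
    return findings


def classify_windows(command_line):
    """10, 11: Windows counterparts, fed the command line of a 4688 or Sysmon event 1 record."""
    words = command_line.lower().split()  # whitespace split: quoted paths with spaces not handled
    if not words:
        return []
    words[0] = words[0].rsplit("\\", 1)[-1].removesuffix(".exe")  # c:\windows\system32\net.exe -> net
    findings = []
    if words[0] == "net" and "/add" in words:
        if words[1:2] == ["user"]:
            findings.append("win_user_add")
        elif words[1:2] == ["localgroup"] and "administrators" in words:
            findings.append("win_admin_group_add")
    if words[:3] == ["vssadmin", "create", "shadow"]:
        findings.append("win_shadow_copy")
    return findings


# Constructed sample records, not real audit output. The "cp" record carries its first
# argument hex-encoded because the file name contains a space.
SAMPLE_EXECVE = [
    'type=EXECVE msg=audit(1700000000.101:1): argc=2 a0="vi" a1="/etc/passwd"',
    'type=EXECVE msg=audit(1700000000.102:2): argc=3 a0="john" a1="--wordlist=words.txt" a2="hashes.txt"',
    'type=EXECVE msg=audit(1700000000.103:3): argc=3 a0="rm" a1="-rf" a2="/"',
    'type=EXECVE msg=audit(1700000000.104:4): argc=3 a0="sudo" a1="passwd" a2="root"',
    'type=EXECVE msg=audit(1700000000.105:5): argc=2 a0="/etc/init.d/apache2" a1="stop"',
    'type=EXECVE msg=audit(1700000000.106:6): argc=3 a0="cp" '
    'a1=2F7661722F6F70742F7061796D656E747472616E73616374696F6E646174612F7134206578706F72742E637376 a2="/tmp/out.csv"',
    'type=EXECVE msg=audit(1700000000.107:7): argc=2 a0="vi" a1="/etc/payment-system/configuration.conf"',
    'type=EXECVE msg=audit(1700000000.108:8): argc=2 a0="ls" a1="/tmp"',
]

if __name__ == "__main__":
    for rec in SAMPLE_EXECVE:
        argv = parse_execve(rec)
        print(" ".join(argv), "->", ", ".join(classify(argv)) or "-")
    for line in ("net localgroup Administrators eve /add", r"C:\Windows\system32\vssadmin.exe create shadow /for=C:"):
        print(line, "->", ", ".join(classify_windows(line)))
```

Command-line matching alone is easy to side-step (vi /etc/./passwd, a symlink, a copy made by a script that never names the file on its command line), so for the file and folder cases pair it with a watch on the object itself, e.g. the auditd rule -w /etc/passwd -p wa -k passwd_changes, which fires on any write regardless of the tool used; the argv match then mostly adds the "who ran what" context.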

Cribl - Change values to lowerCase

Some logs (e.g. from Microsoft Azure) are not fully normalized to lowercase. You can use Cribl to adjust those values by...