
Operating Systems

Overview

Use cases built on Windows, Linux, and macOS operating system logs to detect malware, monitor user activity, identify unauthorized system changes, and check endpoint compliance.

Sample products

  • Windows Event Viewer (Windows)
  • syslog-ng (Linux)
  • macOS Console (macOS)

Use Case Categories

Malicious Activity Detection: Identifies malicious software from operating system logs. Watches for suspicious process activity, file modifications, and anomalous network connections so that potential malware can be detected and contained.
User Activity Monitoring: Tracks and analyzes user behavior within the operating system. Monitors logins, file access, application usage, and privilege changes to support compliance, surface anomalies, and identify security incidents tied to user actions.
Unauthorized System Changes: Monitors operating system logs for modifications that were not authorized. Detects and alerts on changes to critical system files, configuration files, or registry settings, giving near-real-time visibility into potential compromise or unauthorized access.
Endpoint Compliance Monitoring: Verifies that endpoint devices comply with security policies and approved configurations. Alerts on deviations from predefined compliance standards, unauthorized changes, or non-compliant configurations.

Core Use Cases

Malicious Command Execution: Monitors process-creation events in operating system logs for malicious or suspicious command lines. Alerts on suspicious command execution, abnormal use of built-in tools, or attempts to hide processes associated with malware.
Audit Log Tampering: Identifies attackers covering their tracks by tampering with audit logs. Alerts on attempts to clear, disable, or delete logs after a machine has been compromised.
Rapid File Modifications: Monitors endpoint logs for rapid and widespread file modifications. Alerts on an unusual rate of file changes by a single process, indicative of ransomware encrypting files.
Network Anomaly Detection: Monitors network-related logs for communication patterns indicative of malware. Alerts on unusual network connections, abnormal data transfer volumes, or attempts to establish covert channels.
Anomalous Account Activity Detection: Monitors user activity in operating system logs for anomalies in account behavior. Alerts on logins at unusual times, bursts of failed login attempts, or suspicious access to sensitive files or directories.
Privilege Escalation Monitoring: Detects unauthorized privilege escalation in operating system logs. Alerts on sudden changes in user privileges, suspicious role modifications, or attempts to exploit vulnerabilities to gain higher privileges.
Insider Threat Detection: Monitors user behavior for potential insider threats. Alerts on abnormal data access patterns, unauthorized data transfers, or attempts to exfiltrate sensitive information.
Endpoint Security Anomaly Detection: Analyzes endpoint security logs for anomalies. Alerts on unexpected changes to security configurations, deviations from baseline behavior, or suspicious interactions with security tools, such as an agent being stopped or uninstalled.
Configuration File Integrity Monitoring: Monitors changes to critical configuration files recorded in operating system logs. Alerts on unauthorized modifications, additions, or deletions of key configuration files.
Registry Changes Monitoring: Detects unauthorized changes to the Windows registry. Alerts on suspicious modifications, additions, or deletions of registry keys and values, such as persistence entries, that indicate unauthorized system changes.
System File Integrity Monitoring: Monitors critical system files for integrity. Alerts on unauthorized modifications or additions to system files, protecting the integrity of essential operating system components.
Account Privilege Changes Monitoring: Monitors changes to account privileges in operating system logs. Alerts on unauthorized changes to user privileges or group and role assignments, or on attempts to escalate privileges.
Unauthorized System Changes: Monitors endpoint logs for unauthorized system changes. Alerts on alterations to critical system files, configurations, or settings made without proper authorization.
Non-Compliant Software Installations: Analyzes endpoint logs for software installations that violate policy. Alerts on the installation of unauthorized or non-compliant software on endpoint devices.
Security Policy Violation: Detects violations of security policy on endpoint devices. Alerts on actions or configurations that deviate from established security policies.
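
The following Python example, added here and not part of this page or of any product it lists, shows detection logic for the Malicious Command Execution and Audit Log Tampering use cases running over a handful of normalized events. The field names (os, host, user, event_id, cmdline) are an assumed normalization rather than a particular SIEM schema, and every sample event is constructed. The rules look for log-clearing and history-wiping commands on all three operating systems and for the Windows Security event that records the audit log being cleared.

```python
"""Detect audit-log tampering and suspicious command execution in normalized OS logs.

Added example; the event records below are constructed, not real telemetry, and the
field names (os, host, user, event_id, cmdline) are an assumed normalization.
"""
import re
from dataclasses import dataclass


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    technique: str   # ATT&CK (sub-)technique the rule maps to
    evidence: str    # the command line that fired the rule, if any


# Command-line rules: (name, ATT&CK technique, regex) applied to process-creation events
# from any OS. The regexes are deliberately narrow to keep false positives down.
COMMAND_RULES = [
    ("Windows event log cleared with wevtutil", "T1070.001",
     re.compile(r'\bwevtutil(\.exe)?"?\s+(cl|clear-log)\b', re.I)),
    ("Windows event log cleared with PowerShell", "T1070.001",
     re.compile(r"\bClear-EventLog\b", re.I)),
    ("Linux auditd disabled", "T1562.001",
     re.compile(r"\bauditctl\s+-e\s*0\b")),
    # rm/shred of a log, or truncation with a single '>' (a '>>' append does not match).
    ("Linux log file deleted or truncated", "T1070.002",
     re.compile(r"(\brm\s+(-[\w-]+\s+)*|\bshred\s+(-[\w-]+\s+)*|(?<!>)>\s*)/var/log/\S+")),
    ("Shell history cleared or disabled", "T1070.003",
     re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bHISTFILESIZE=0\b|"
                r"\brm\s+.*\.(bash|zsh)_history\b")),
    ("macOS unified log erased", "T1070.002",
     re.compile(r"\blog\s+erase\b")),
]

# Windows Security event IDs that are themselves evidence of tampering.
WINDOWS_LOG_CLEARED_EVENTS = {1102: "Security audit log cleared (EID 1102)"}


def detect(events):
    """Return one Alert per event that matches a tampering or suspicious-command rule."""
    alerts = []
    for ev in events:
        if ev["os"] == "windows" and ev.get("event_id") in WINDOWS_LOG_CLEARED_EVENTS:
            alerts.append(Alert(ev["host"], ev["user"],
                                WINDOWS_LOG_CLEARED_EVENTS[ev["event_id"]], "T1070.001", ""))
            continue
        cmd = ev.get("cmdline", "")
        for name, technique, rx in COMMAND_RULES:
            if rx.search(cmd):
                alerts.append(Alert(ev["host"], ev["user"], name, technique, cmd))
                break   # one alert per event: the first matching rule wins
    return alerts


# Constructed sample events (not real telemetry); three of them are benign.
SAMPLE_EVENTS = [
    {"os": "windows", "host": "WS01", "user": "corp\\jdoe", "event_id": 4688,
     "cmdline": r'"C:\Windows\System32\wevtutil.exe" cl Security'},
    {"os": "windows", "host": "WS01", "user": "corp\\jdoe", "event_id": 1102, "cmdline": ""},
    {"os": "windows", "host": "WS02", "user": "corp\\svc-backup", "event_id": 4688,
     "cmdline": r'"C:\Windows\System32\wevtutil.exe" qe Security /c:5'},    # benign query
    {"os": "linux", "host": "web01", "user": "root", "event_id": None,
     "cmdline": "rm -f /var/log/auth.log /var/log/secure"},
    {"os": "linux", "host": "web01", "user": "deploy", "event_id": None,
     "cmdline": "tail -n 50 /var/log/nginx/access.log"},                    # benign read
    {"os": "linux", "host": "web01", "user": "root", "event_id": None,
     "cmdline": "history -c"},
    {"os": "linux", "host": "db01", "user": "postgres", "event_id": None,
     "cmdline": "echo done >> /var/log/backup.log"},                        # benign append
    {"os": "macos", "host": "mbp-jdoe", "user": "root", "event_id": None,
     "cmdline": "log erase --all"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host:9} {a.user:16} {a.technique:10} {a.rule}: {a.evidence}")
```

Event 1102 is only useful if the events preceding the clear have already been forwarded off the host; with local-only logging the attacker clears the evidence together with the record of clearing it, so pair this rule with near-real-time forwarding and alert on a forwarding gap as well.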
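
Rapid File Modifications, as an added Python example that is not the page's own logic: a per-process sliding window over file-activity events that alerts once a single process has written or renamed more than a threshold of distinct files within a few seconds, and reports the dominant extension among the touched files, since one new extension appearing on every target is the classic ransomware signature. The event stream is constructed; the field names (ts, host, pid, image, action, path), the thresholds, and the allowlist are assumptions to be tuned per environment.

```python
"""Flag processes that modify or rename many distinct files in a short window, the write
pattern of ransomware encrypting a file share.

Added example. The event stream is constructed; field names are an assumed
normalization of file-activity telemetry (Sysmon file events, auditd watches,
macOS FSEvents), not a particular product's schema.
"""
import os
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10.0   # sliding window per process
THRESHOLD = 30          # distinct files touched inside the window before alerting
WRITE_ACTIONS = {"create", "modify", "rename"}
# Processes known to legitimately rewrite many files; tune per environment (assumption).
ALLOWLIST = {"rsync", "robocopy.exe"}


def detect_rapid_modifications(events, window=WINDOW_SECONDS, threshold=THRESHOLD,
                               allowlist=ALLOWLIST):
    """events: iterable of dicts sorted by ts. Returns at most one alert per (host, pid)."""
    recent = defaultdict(deque)   # (host, pid) -> deque of (ts, path) inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] not in WRITE_ACTIONS or ev["image"].lower() in allowlist:
            continue
        key = (ev["host"], ev["pid"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= threshold and key not in alerted:
            alerted.add(key)
            # Extension histogram: a single new extension across many files is a strong
            # ransomware indicator (every target now ends in ".locked", for instance).
            exts = Counter(os.path.splitext(p)[1].lower() for p in touched)
            alerts.append({
                "host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                "first_ts": q[0][0], "trigger_ts": ev["ts"],
                "files_in_window": len(touched),
                "top_extension": exts.most_common(1)[0][0],
            })
    return alerts


def make_sample_events():
    """Constructed stream: a benign backup agent plus an encryptor (not real telemetry)."""
    events = []
    for i in range(40):   # backup agent: one file every 2 s, never 30 inside 10 s
        events.append({"ts": 1000.0 + 2 * i, "host": "ws01", "pid": 4120,
                       "image": "backup.exe", "action": "modify",
                       "path": f"C:/Users/jdoe/Documents/report{i}.docx"})
    for i in range(80):   # encryptor: 80 renames in 4 s, every target now ends in .locked
        events.append({"ts": 1100.0 + 0.05 * i, "host": "ws01", "pid": 9001,
                       "image": "svchost_.exe", "action": "rename",
                       "path": f"C:/Users/jdoe/Pictures/photo{i}.jpg.locked"})
    events.sort(key=lambda e: e["ts"])
    return events


if __name__ == "__main__":
    for a in detect_rapid_modifications(make_sample_events()):
        print(a)
```

Build tools, installers, and indexing services produce the same burst pattern, so the allowlist and thresholds need a baseline period per host class; the extension histogram is what separates an encryptor from a compiler writing forty object files.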

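Anomalous Account Activity Detection and Account Privilege Changes Monitoring, as one added Python example that is not from this page or any product on it: three checks over normalized authentication and group-change events, namely a successful logon that follows a burst of failures from the same source, a successful logon outside business hours, and a user being added to a privileged group. The events are constructed; the field names (ts, kind, host, user, src_ip, outcome, group, actor), the business-hours window, and the privileged-group list are assumptions.

```python
"""Account-activity anomalies from normalized authentication and group-change events.

Added example. Events are constructed; the field names, business hours and
privileged-group list are assumptions to be tuned per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # failures before a following success is suspicious
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59, Monday to Friday (assumed, local time)
PRIVILEGED_GROUPS = {"administrators", "domain admins", "sudo", "wheel", "admin", "root"}


def analyze(events):
    """events: iterable of dicts in time order. Returns a list of alert dicts."""
    failures = defaultdict(deque)      # (host, user, src_ip) -> timestamps of recent failures
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "logon":
            key = (ev["host"], ev["user"], ev["src_ip"])
            q = failures[key]
            while q and ts - q[0] > FAIL_WINDOW:      # age out failures past the window
                q.popleft()
            if ev["outcome"] == "fail":
                q.append(ts)
                continue
            if len(q) >= FAIL_THRESHOLD:            # success right after a failure burst
                alerts.append({"rule": "success after failure burst", "host": ev["host"],
                               "user": ev["user"], "src_ip": ev["src_ip"],
                               "failures": len(q), "ts": ev["ts"]})
                q.clear()
            if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
                alerts.append({"rule": "off-hours logon", "host": ev["host"],
                               "user": ev["user"], "src_ip": ev["src_ip"], "ts": ev["ts"]})
        elif ev["kind"] == "group_add" and ev["group"].lower() in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged group membership added", "host": ev["host"],
                           "user": ev["user"], "group": ev["group"],
                           "actor": ev["actor"], "ts": ev["ts"]})
    return alerts


def _logon(ts, user, src_ip, outcome, host="dc01"):
    return {"kind": "logon", "ts": ts, "host": host, "user": user, "src_ip": src_ip,
            "outcome": outcome}


def _group_add(ts, user, group, actor, host="dc01"):
    return {"kind": "group_add", "ts": ts, "host": host, "user": user, "group": group,
            "actor": actor}


# Constructed sample (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
SAMPLE_EVENTS = (
    [_logon("2024-03-12T09:00:00", "jdoe", "10.0.0.5", "success")]
    + [_logon(f"2024-03-12T22:14:{s:02d}", "admin", "203.0.113.7", "fail")
       for s in range(0, 60, 10)]                                       # 6 failures in 50 s
    + [_logon("2024-03-12T22:15:10", "admin", "203.0.113.7", "success"),
       _group_add("2024-03-12T22:16:00", "svc-temp", "Administrators", "admin"),
       _group_add("2024-03-13T10:00:00", "jdoe", "Sales", "hr-admin")]
    + [_logon(f"2024-03-13T10:05:{s:02d}", "jdoe", "10.0.0.5", "fail") for s in (0, 10, 20)]
    + [_logon("2024-03-13T10:05:30", "jdoe", "10.0.0.5", "success"),     # 3 typos, no alert
       _logon("2024-03-16T11:00:00", "bnguyen", "10.0.0.9", "success")]  # weekend logon
)

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

The burst check keys on (host, user, source) so it catches brute force against one account; a password spray rotates users from one source, so a second counter keyed on source alone is needed for that. Timestamps must be normalized to one time zone before the off-hours check, and the business-hours window should come from the directory or HR system rather than a constant.
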
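Configuration File Integrity Monitoring and System File Integrity Monitoring, as an added Python example that is not a product's implementation: a hash-and-permission baseline of a directory tree, a later snapshot, and a diff that reports added, removed, and modified files, where a permission change alone counts as a modification. The demo builds a throw-away directory that imitates a few /etc files so it runs offline; the paths and file contents are constructed.

```python
"""Hash-based integrity monitoring for configuration and system files.

Added example. The demo tree imitating /etc is constructed in a temporary directory;
nothing on the real system is read or changed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its hash, mode and size.
    Symlinks are skipped so a link pointing outside root cannot smuggle content in."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "mode": oct(st.st_mode & 0o7777),   # permission bits only
            "size": st.st_size,
        }
    return snap


def compare(baseline, current):
    """Diff two snapshots; any differing attribute (hash, mode, size) marks a file modified."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def demo():
    """Baseline a fake /etc, tamper with it the way an intruder might, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        (etc / "ssh").mkdir(parents=True)
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "sudoers").write_text("root ALL=(ALL:ALL) ALL\n")
        (etc / "motd").write_text("Authorized use only.\n")
        os.chmod(etc / "sudoers", 0o440)

        # Store the baseline outside the monitored tree (in production: off-host and signed).
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(etc)))

        # Simulated tampering: weaken sshd, loosen sudoers permissions (content unchanged),
        # drop a cron job, delete the banner.
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")
        os.chmod(etc / "sudoers", 0o666)
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "update").write_text("* * * * * root /tmp/.x/run.sh\n")
        (etc / "motd").unlink()

        return compare(json.loads(baseline_file.read_text()), snapshot(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A baseline kept on the monitored host can be rewritten by the same attacker who changed the files, so store it elsewhere and sign it; for packaged system files the package manager's own manifest (rpm -V, dpkg --verify) is an independent second baseline worth checking against.
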
MITRE ATT&CK

T1055, T1064, T1497, T1562, T1070, T1107, T1222, T1486, T1083, T1048, T1024, T1570, T1087, T1100, T1552, T1548, T1134, T1078, T1056, T1020, T1489, T1542, T1089, T1144, T1059, T1112, T1115, T1553, T1082, T1003, T1556, T1069, T1202, T1485, T1132, T1085

Several of these IDs have been revoked or deprecated in current ATT&CK releases and should be mapped to their successors when tagging rules: T1064 (Scripting, deprecated; now covered by T1059), T1107 (File Deletion, now T1070.004), T1089 (Disabling Security Tools, now T1562.001), T1144 (Gatekeeper Bypass, now T1553.001), T1100 (Web Shell, now T1505.003), T1024 (Custom Cryptographic Protocol, now T1573), and T1085 (Rundll32, now T1218.011).