
Servers

Overview

Monitoring and securing server logs to ensure the availability, integrity, and confidentiality of data, and to detect and respond to potential security incidents.

Sample products

  • Microsoft Windows Server
  • Red Hat Enterprise Linux
  • Ubuntu Server

Use Case Categories

Unauthorized Access Detection: Analyze server logs to identify signs of unauthorized access attempts. This includes monitoring for unusual login patterns, multiple failed login attempts, or access from unfamiliar IP addresses, enabling early detection of and response to potential security breaches.
Data Exfiltration Detection: Examine server logs for anomalous data transfer patterns that might indicate unauthorized data exfiltration. Detect unusual data access or large file transfers, allowing the security team to respond promptly and prevent sensitive information leakage.
Server Vulnerability Exploitation Detection: Monitor server logs for signs that vulnerabilities are being exploited. Identify unexpected system behavior, repeated exploit attempts, or unauthorized access to sensitive areas, facilitating proactive mitigation of security risks.
Unusual Application Activity: Analyze server logs to detect abnormal behavior within applications. This includes identifying unexpected API calls, unusual data access patterns, or unauthorized application access, helping to uncover potential security threats or compromised application integrity.
Server Performance Monitoring: Use server logs for comprehensive performance monitoring. Track system resource usage, application response times, and network activity to ensure optimal server performance. Detect anomalies that may indicate performance issues, allowing for proactive maintenance and prevention of service disruptions.
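The Unauthorized Access Detection category above names three signals: bursts of failed logins, logins from unfamiliar addresses, and the combination of the two. The following is an added example, not code from the original page or from any of the listed products, that runs that logic over constructed sshd entries in Linux /var/log/auth.log format. The thresholds, host name, user names, addresses and the per-user source baseline are all hypothetical.

```python
"""Added example: authentication-anomaly detection over sshd auth.log lines.

Not part of the original page. Log lines, thresholds, hosts, users, IPs and
the per-user baseline are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not real traffic): a password-guessing burst from one
# address that eventually succeeds, followed by normal activity from a known
# source. Classic syslog timestamps carry no year, so one is assumed below.
SAMPLE_LOG = """\
Jan 12 10:15:30 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51432 ssh2
Jan 12 10:15:33 web01 sshd[2232]: Failed password for root from 203.0.113.45 port 51433 ssh2
Jan 12 10:15:36 web01 sshd[2233]: Failed password for alice from 203.0.113.45 port 51434 ssh2
Jan 12 10:15:39 web01 sshd[2234]: Failed password for alice from 203.0.113.45 port 51435 ssh2
Jan 12 10:15:42 web01 sshd[2235]: Failed password for alice from 203.0.113.45 port 51436 ssh2
Jan 12 10:15:50 web01 sshd[2236]: Accepted password for alice from 203.0.113.45 port 51437 ssh2
Jan 12 11:02:11 web01 sshd[2301]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
Jan 12 11:30:05 web01 sshd[2350]: Failed password for bob from 198.51.100.7 port 40031 ssh2
Jan 12 11:30:20 web01 sshd[2351]: Accepted password for bob from 198.51.100.7 port 40032 ssh2
"""

ASSUMED_YEAR = 2024  # hypothetical; syslog lines omit the year

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP" forms emitted by OpenSSH.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Hypothetical baseline of source addresses seen for each user in normal use.
KNOWN_SOURCES = {
    "alice": {"198.51.100.7"},
    "bob": {"198.51.100.7"},
}

FAIL_THRESHOLD = 5                # failures from one source IP ...
WINDOW_SECONDS = 60               # ... inside this sliding window
SUCCESS_AFTER_FAIL_SECONDS = 300  # a success this soon after a burst is suspicious


def parse(line):
    """Return a dict for an sshd auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse "Jan  2" double space
    ts = datetime.strptime(f"{ASSUMED_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect(log_text):
    """Return alerts as (kind, source_ip, user, timestamp) tuples, in log order."""
    alerts = []
    fails_by_ip = defaultdict(deque)  # ip -> timestamps of failures in the window
    brute_forced = {}                 # ip -> time the failure threshold was crossed
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            q = fails_by_ip[ev["ip"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in brute_forced:
                brute_forced[ev["ip"]] = ev["ts"]
                alerts.append(("brute_force", ev["ip"], None, ev["ts"]))
        else:
            # Successful login: check it against the user's baseline ...
            if ev["ip"] not in KNOWN_SOURCES.get(ev["user"], set()):
                alerts.append(("unrecognized_source", ev["ip"], ev["user"], ev["ts"]))
            # ... and against a recent brute-force burst from the same address.
            crossed = brute_forced.get(ev["ip"])
            if crossed is not None and \
                    (ev["ts"] - crossed).total_seconds() <= SUCCESS_AFTER_FAIL_SECONDS:
                alerts.append(("success_after_brute_force", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:<26} ip={ip} user={user}")
```

On the sample, the fifth failure from 203.0.113.45 raises the brute-force alert, and the later accepted password from that address raises both the unrecognized-source and the success-after-burst alerts; bob's single failure and known-source logins produce nothing. The third alert is the one worth paging on, since a success immediately after a burst is the case the first two signals exist to catch.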

Core Use Cases

User Authentication Anomalies: Monitor server logs for anomalies in user authentication patterns. Look for unusual login times, multiple failed login attempts, or logins from unrecognized IP addresses.
Privileged User Activity Monitoring: Scrutinize server logs for activities related to privileged users. Track actions such as account modifications, elevated permission usage, or access to sensitive areas.
Unusual Protocol or Port Usage: Analyze server logs to detect unexpected protocol or port usage. Identify instances where users or systems are accessing the server using non-standard protocols or unusual ports.
File and Directory Access Anomalies: Analyze server logs for unusual patterns in file and directory access. Monitor for unexpected file read, write, or deletion operations, especially in sensitive areas of the file system.
Unusual Outbound Traffic Patterns: Monitor server logs for anomalies in outbound data traffic, focusing on unexpected volume or frequency.
Large-scale File Access and Modification: Monitor server logs for unusual activities involving the access and modification of large volumes of files.
Unauthorized Data Access by Users: Monitor server logs for unauthorized access to sensitive data, focusing on user accounts accessing data beyond their usual permissions.
Unusual Protocol or Port Usage in Outbound Traffic: Analyze server logs to detect abnormal usage of protocols or ports in outbound traffic, which may indicate attempts to conceal data exfiltration.
Unusual Application Activity: Monitor server logs for abnormal patterns in application behavior that indicate potential exploitation of vulnerabilities.
Detection of Common Attack Signatures: Monitor server logs for known attack signatures or patterns associated with server vulnerabilities.
Anomalous System Commands or Executables: Analyze server logs for unusual system commands or executables that may indicate an attempt to exploit vulnerabilities.
Abnormal User Privilege Escalation: Monitor server logs for suspicious activities indicating unauthorized escalation of user privileges.
Unusual API Calls: Monitor server logs for abnormal patterns in API calls that indicate unusual application behavior.
Unauthorized Application Access: Analyze server logs for instances where applications access data or resources beyond their normal permissions.
Suspicious Data Access Patterns: Analyze server logs for unusual patterns in data access by applications, such as accessing large volumes of data or sensitive data.
Unusual Application Executables: Monitor server logs for unusual or unauthorized application executables being run on the system.
CPU and Memory Utilization: Monitor server logs for CPU and memory utilization trends, identifying potential performance bottlenecks or resource exhaustion.
Disk I/O Performance: Examine server logs for patterns indicating unusual or degraded disk I/O performance, which may impact overall system responsiveness.
Network Traffic Analysis: Analyze server logs for abnormal patterns in network traffic, identifying potential network-related performance issues or anomalies.
Application Response Time: Monitor server logs for variations in application response times, helping identify potential slowdowns or issues affecting user experience.
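On a Linux server the Privileged User Activity Monitoring, Anomalous System Commands or Executables, and Abnormal User Privilege Escalation alerts above can all be fed from one record type: the lines sudo writes to syslog for every invocation, allowed or denied. The following is an added example, not code from the original page or from any listed product, that parses constructed sudo lines and classifies each invocation. The approved-administrator set, the sensitive paths, the account-management tool list and the scratch directories are hypothetical policy choices.

```python
"""Added example: privileged-command classification over sudo syslog lines.

Not part of the original page. Sample lines, the approved-admin set and all
policy lists are constructed for illustration.
"""
import os
import re

# Constructed sample: a credential-file read, an account creation, routine
# service restart, a denied escalation attempt, and a script run from /tmp.
SAMPLE_SUDO_LOG = """\
Jan 12 10:20:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 12 10:21:15 web01 sudo:      bob : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/usr/sbin/useradd -m backupsvc
Jan 12 10:22:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 12 10:25:40 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jan 12 10:26:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash /tmp/.cache/run.sh
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<body>.*)$"
)

# Hypothetical policy inputs.
APPROVED_ADMINS = {"alice", "bob"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/gshadow", "/etc/sudoers")
ACCOUNT_TOOLS = {"useradd", "usermod", "userdel", "passwd", "chpasswd", "visudo"}
INTERPRETERS = {"bash", "sh", "dash", "python3", "perl"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_sudo(line):
    """Split a sudo syslog line into user, KEY=VALUE fields and free-text messages.

    Fields are ' ; '-separated, but COMMAND is logged verbatim and may itself
    contain ' ; ', so everything after the COMMAND key is rejoined.
    """
    m = SUDO_RE.match(line)
    if not m:
        return None
    fields, messages = {}, []
    parts = m["body"].split(" ; ")
    for i, part in enumerate(parts):
        key, sep, value = part.partition("=")
        if not sep:
            messages.append(part)          # e.g. "user NOT in sudoers"
        elif key == "COMMAND":
            fields[key] = " ; ".join([value] + parts[i + 1:])
            break
        else:
            fields[key] = value
    return {"ts": m["ts"], "host": m["host"], "user": m["user"],
            "fields": fields, "messages": messages}


def classify(ev):
    """Return the list of policy findings for one parsed sudo event."""
    findings = []
    cmd = ev["fields"].get("COMMAND", "")
    argv = cmd.split()
    exe = argv[0] if argv else ""
    base = os.path.basename(exe)
    if any("NOT in sudoers" in msg for msg in ev["messages"]):
        findings.append("sudo_denied")              # failed privilege escalation
    if ev["user"] not in APPROVED_ADMINS:
        findings.append("unapproved_user")          # sudo by a non-admin account
    if any(p in cmd for p in SENSITIVE_PATHS):
        findings.append("sensitive_file")           # credential/sudoers access
    if base in ACCOUNT_TOOLS:
        findings.append("account_modification")     # account create/modify
    if exe.startswith(SCRATCH_DIRS) or (
            base in INTERPRETERS and any(a.startswith(SCRATCH_DIRS) for a in argv[1:])):
        findings.append("scratch_dir_execution")    # binary or script run from /tmp-like dirs
    return findings


def detect_privileged(log_text):
    """Return one record per sudo event that produced at least one finding."""
    results = []
    for line in log_text.splitlines():
        ev = parse_sudo(line)
        if ev is None:
            continue
        findings = classify(ev)
        if findings:
            results.append({"user": ev["user"], "command": ev["fields"].get("COMMAND", ""),
                            "findings": findings})
    return results


if __name__ == "__main__":
    for r in detect_privileged(SAMPLE_SUDO_LOG):
        print(f"{r['user']:<6} {','.join(r['findings']):<30} {r['command']}")
```

The routine systemctl restart by an approved administrator produces no record, which is the point of the allow-list: the interesting events are the ones that combine an elevated session with a sensitive target, an account change, a denied attempt, or an executable in a world-writable directory.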

MITRE ATT&CK

T1110, T1110.001, T1110.002, T1056, T1552.001, T1059, T1043, T1043.001, T1043.002, T1003, T1003.001, T1003.002, T1048, T1002, T1114, T1020, T1047, T1064, T1068, T1106, T1074, T1055, T1488, T1040, T1518

Note that T1043, T1002, T1064 and T1488 are deprecated or revoked in current ATT&CK releases; when mapping detections to the framework, use their successors (T1571 Non-Standard Port, T1560.001 Archive via Utility, T1059 Command and Scripting Interpreter, and T1561.001 Disk Content Wipe respectively).