Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.
Data Collection Measures:
Linux log files of interest: /var/log/syslog, /var/log/auth.log, /var/log/kern.log

| Name | Channel |
|---|---|
| android:appops | ACCESS_FINE_LOCATION \| NEARBY_DEVICES \| BLUETOOTH_SCAN used in close proximity to network-context queries |
| AndroidAttestation:SafetyNet | SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false |
| AndroidAttestation:VerifiedBoot | Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure |
| AndroidLogs:Crash | Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID |
| AndroidLogs:Crash | Application or system process crash/restart patterns temporally associated with remote service communications |
| auditd:SYSCALL | firmware_update, kexec_load |
| AWS:CloudMetrics | Autoscaling, memory/cpu alarms, or instance unhealthiness |
| AWS:CloudWatch | Sustained spike in CPU usage on EC2 instance with web service role |
| AWS:CloudWatch | StatusCheckFailed or StatusCheckFailed_System for burstable instances (t2/t3) |
| AWS:CloudWatch | Sustained EC2 CPU usage above normal baseline |
| AWS:CloudWatch | NetworkOut spike beyond baseline |
| AWS:CloudWatch | Sudden spike in network output without a corresponding inbound request ratio |
| AWS:CloudWatch | Unusual CPU burst or metric anomalies |
| esxi:hostd | Powering off or restarting host |
| iOS:MDMLog | Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition |
| iOS:unifiedlog | Code signature validation failure, or execution of an invalidly signed payload from a sandboxed app |
| iOS:unifiedlog | Application crash logs, watchdog terminations, or abnormal execution events associated with service communication |
| journald:boot | Secure Boot failure, firmware version change |
| kubernetes:events | CrashLoopBackOff, OOMKilled, container restart count exceeds threshold |
| linux:procfs | Sustained high resource usage reported in /proc/[pid]/stat |
| linux:syslog | Out of memory killer invoked or kernel panic entries |
| linux:syslog | Service stop or disable messages for security tools not reflected in SIEM alerts |
| linux:syslog | system is powering down |
| macos:osquery | interface_details |
| macos:syslog | Hardware UUID or device list drift |
| macos:unifiedlog | Web service process (e.g., httpd) entering crash loop or consuming excessive CPU |
| macos:unifiedlog | Spike in CPU or memory use from non-user-initiated processes |
| macos:unifiedlog | Termination or disabling of XProtect, Gatekeeper, or third-party AV daemons |
| macos:unifiedlog | Network stack resource exhaustion, tcp_accept queue overflow, repeated resets |
| macos:unifiedlog | EFI firmware integrity check failed |
| macos:unifiedlog | System Integrity Protection (SIP) state reported as disabled |
| macos:unifiedlog | System shutdown or reboot requested |
| MDM:DeviceIntegrity | jailbreak/root compromise indicators or integrity attestation failures enabling process visibility |
| networkdevice:syslog | no logging host, no aaa new-model, no snmp-server, commit |
| networkdevice:syslog | System reboot scheduled or performed |
| NSM:Flow | TCP: possible SYN flood or backlog limit exceeded |
| OEMAttestation:Knox | Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set |
| prometheus:metrics | Container CPU/Memory usage exceeding threshold |
| sar:network | Outbound network saturation with minimal process activity |
| Sensor Health | None |
| Windows:perfmon | Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe) |
| Windows:perfmon | High sustained CPU usage by a single process |
| Windows:perfmon | Sudden spike in outbound throughput without corresponding inbound traffic |
| Windows:perfmon | Sudden spikes in CPU/Memory usage linked to specific application processes |
| WinEventLog:Microsoft-Windows-TCPIP | Connection queue overflow or failure to allocate TCP state object |
| WinEventLog:Security | EventCode=1166, 7045 |
| WinEventLog:Security | EventCode=1074 |
| WinEventLog:Security | EventCode=6006 |
| WinEventLog:Sysmon | EventCode=16 |
| WinEventLog:System | System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations |