Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.
Data Collection Measures:
/var/log/syslog, /var/log/auth.log, /var/log/kern.log

| Name | Channel |
|---|---|
| auditd:SYSCALL | firmware_update, kexec_load |
| AWS:CloudWatch | Sustained spike in CPU usage on EC2 instance with web service role |
| AWS:CloudWatch | StatusCheckFailed or StatusCheckFailed_System for burstable instances (t2/t3) |
| AWS:CloudWatch | Sudden spike in network output without a corresponding inbound request ratio |
| AWS:CloudWatch | Unusual CPU burst or metric anomalies |
| CloudMetrics:InstanceHealth | Autoscaling, memory/cpu alarms, or instance unhealthiness |
| CloudWatch:InstanceMetrics | NetworkOut spike beyond baseline |
| CloudWatch:Metrics | Sustained EC2 CPU usage above normal baseline |
| esxi:hostd | Powering off or restarting host |
| journald:boot | Secure Boot failure, firmware version change |
| kubernetes:events | CrashLoopBackOff, OOMKilled, container restart count exceeds threshold |
| linux:procfs | Sustained high /proc/[pid]/stat usage |
| linux:syslog | Out of memory killer invoked or kernel panic entries |
| linux:syslog | Service stop or disable messages for security tools not reflected in SIEM alerts |
| linux:syslog | system is powering down |
| macos:osquery | interface_details |
| macos:syslog | Hardware UUID or device list drift |
| macos:unifiedlog | Web service process (e.g., httpd) entering crash loop or consuming excessive CPU |
| macos:unifiedlog | Spike in CPU or memory use from non-user-initiated processes |
| macos:unifiedlog | Termination or disabling of XProtect, Gatekeeper, or third-party AV daemons |
| macos:unifiedlog | network stack resource exhaustion, tcp_accept queue overflow, repeated resets |
| macos:unifiedlog | EFI firmware integrity check failed |
| macos:unifiedlog | System Integrity Protection (SIP) state reported as disabled |
| macos:unifiedlog | System shutdown or reboot requested |
| networkdevice:syslog | System reboot scheduled or performed |
| NSM:Flow | TCP: possible SYN flood or backlog limit exceeded |
| prometheus:metrics | Container CPU/Memory usage exceeding threshold |
| sar:network | Outbound network saturation with minimal process activity |
| Sensor Health | None |
| Windows:perfmon | Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe) |
| Windows:perfmon | High sustained CPU usage by a single process |
| Windows:perfmon | Sudden spike in outbound throughput without corresponding inbound traffic |
| Windows:perfmon | Sudden spikes in CPU/Memory usage linked to specific application processes |
| WinEventLog:Microsoft-Windows-TCPIP | Connection queue overflow or failure to allocate TCP state object |
| WinEventLog:Security | EventCode=1166, 7045 |
| WinEventLog:Security | EventCode=1074 |
| WinEventLog:Security | EventCode=6006 |
| WinEventLog:Sysmon | EventCode=16 |
| WinEventLog:System | System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations |