Correlate unauthorized or anomalous file modifications, deletions, or metadata changes with suspicious process execution or API calls. Detect abnormal changes to structured data (e.g., database files, logs, financial records) outside expected business process activity.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4656,4663 |

| Field | Description |
|---|---|
| MonitoredFilePaths | List of critical data directories or files; environment-specific tuning required. |
| TimeWindow | Threshold for correlating process execution with rapid data changes. |
| AuthorizedProcesses | Expected processes permitted to modify business-critical data. |
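
The Windows correlation above, as an added Python example that is not part of this analytic: it runs over a few constructed Sysmon-style events and flags file events on MonitoredFilePaths from processes outside AuthorizedProcesses, plus any process whose monitored-path changes cluster inside TimeWindow. The paths, process list, window and threshold are placeholder values an environment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable elements named after the analytic's fields; all values are constructed for this example.
MONITORED_FILE_PATHS = ("c:\\finance\\ledger\\", "c:\\logs\\app\\")
AUTHORIZED_PROCESSES = {"c:\\program files\\erp\\erpsvc.exe"}
TIME_WINDOW = timedelta(seconds=60)
RAPID_CHANGE_THRESHOLD = 3  # hypothetical: this many monitored-path changes by one process inside TIME_WINDOW
FILE_EVENT_CODES = {11, 2, 15}  # Sysmon FileCreate, file creation-time change, FileCreateStreamHash

# Constructed Sysmon-style events carrying the fields the correlation needs.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:00:00", "EventCode": 11, "Image": r"C:\Program Files\ERP\erpsvc.exe",
     "TargetFilename": r"C:\Finance\Ledger\2024-05.db"},
    {"UtcTime": "2024-05-01 10:05:00", "EventCode": 2, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Finance\Ledger\2024-05.db"},
    {"UtcTime": "2024-05-01 10:05:10", "EventCode": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Logs\App\audit.log"},
    {"UtcTime": "2024-05-01 10:05:20", "EventCode": 15, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Logs\App\audit.log:Zone.Identifier"},
    {"UtcTime": "2024-05-01 10:30:00", "EventCode": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},
]

def _touches_monitored_data(event):
    """True for a file event under a monitored directory (paths compared case-insensitively)."""
    target = event["TargetFilename"].lower()
    return event["EventCode"] in FILE_EVENT_CODES and any(target.startswith(p) for p in MONITORED_FILE_PATHS)

def unauthorized_changes(events):
    """File events on monitored data from a process that is not on the authorized list."""
    return [e for e in events
            if _touches_monitored_data(e) and e["Image"].lower() not in AUTHORIZED_PROCESSES]

def rapid_change_processes(events, window=TIME_WINDOW, threshold=RAPID_CHANGE_THRESHOLD):
    """Processes whose monitored-path changes cluster: at least `threshold` events inside any `window`."""
    per_image = defaultdict(list)
    for e in filter(_touches_monitored_data, events):
        per_image[e["Image"].lower()].append(datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    flagged = set()
    for image, times in per_image.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(image)
                break
    return flagged
```

With the sample events, the ERP service's write is accepted, the three rapid writes from the temp-directory executable are reported by both checks, and the notepad write outside the monitored paths is ignored.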

Detect unauthorized manipulation of log files, database entries, or system configuration files through auditd and syslog. Correlate shell commands that alter HISTFILE, and processes that handle data, with abnormal file access patterns.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, unlink, rename: Suspicious file access, deletion, or modification of sensitive paths |
| Network Traffic Content (DC0085) | linux:syslog | Unexpected SQL or application log entries showing tampered or malformed data |

| Field | Description |
|---|---|
| WatchedDirectories | Specific log or data directories critical to integrity; tune per organization. |
| CommandExclusions | Legitimate scripts/tools excluded from data manipulation monitoring. |

Detect manipulation of system or application files in /Library, /System, or user data directories using FSEvents and Unified Logs. Identify anomalous process execution modifying plist files, structured data, or logs outside expected update cycles.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | Anomalous plist modifications or sensitive file overwrites by non-standard processes |
| OS API Execution (DC0021) | macos:osquery | open, execve: Unexpected processes accessing or modifying critical files |
| Field | Description |
|---|---|
| AllowedPlistEditors | Whitelisted processes authorized to modify plist or configuration files. |
| FileIntegrityBaseline | Baseline hash values for key files to support integrity validation. |