On Windows, identify unauthorized creation, deletion, or modification of business-critical stored data such as Office documents, database files, and log archives. Detect processes modifying stored data outside expected workflows (for example, a process other than the database engine writing to database files). Security events 4656/4663 are only generated for files that carry an object-access SACL and when the Audit File System subcategory (Object Access) is enabled, and Sysmon events 11/23 only appear for paths matched by the Sysmon configuration, so the monitored directories need to be covered by both before this analytic has data.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Deletion (DC0040) | WinEventLog:Sysmon | EventCode=23 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| File Modification (DC0061) | WinEventLog:Security | EventCode=4656,4663 |

| Field | Description |
|---|---|
| MonitoredDirectories | Paths to sensitive stored data files such as database directories or email archives. |
| AuthorizedProcesses | List of legitimate processes expected to create, delete, or modify stored data. |
| TimeWindow | Threshold for correlating multiple suspicious file operations within a short period. |
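
The Windows tunables above as working detection logic, added here as an example and not part of the ATT&CK page or any product. It normalizes Sysmon EventCode 11/23 and Security 4663 records into one shape, drops 4663 records whose AccessMask carries no write or delete bit (4663 also fires for reads), applies MonitoredDirectories and AuthorizedProcesses per event, and then correlates the remaining operations per process inside TimeWindow to catch bulk deletion or rewriting. The events, directory list, process allowlist and the `BURST_THRESHOLD` value are constructed for the example; field names follow the Sysmon and Security schemas, the values are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunables from the table above. Values are illustrative assumptions.
MONITORED_DIRECTORIES = [
    r"C:\ProgramData\MySQL\MySQL Server 8.0\Data",
    r"D:\Finance\Reports",
]
AUTHORIZED_PROCESSES = {
    r"c:\program files\mysql\mysql server 8.0\bin\mysqld.exe",
    r"c:\program files\microsoft office\root\office16\excel.exe",
}
TIME_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5  # distinct files one unauthorized process touches within TIME_WINDOW

WRITE_DATA, DELETE = 0x2, 0x10000  # 4663 AccessMask bits that can change data


def in_monitored_dir(path):
    """True if path sits below one of MONITORED_DIRECTORIES (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    return any(PureWindowsPath(d.lower()) in p.parents for d in MONITORED_DIRECTORIES)


def normalize(event):
    """Map a raw event to (time, action, process, path); None if irrelevant."""
    src, code = event["source"], event["EventCode"]
    if src == "WinEventLog:Sysmon" and code == 11:
        return event["UtcTime"], "create", event["Image"], event["TargetFilename"]
    if src == "WinEventLog:Sysmon" and code == 23:
        return event["UtcTime"], "delete", event["Image"], event["TargetFilename"]
    if src == "WinEventLog:Security" and code == 4663:
        # 4663 is also logged for read access; keep only accesses that can change data.
        if int(event["AccessMask"], 16) & (WRITE_DATA | DELETE) == 0:
            return None
        return event["TimeCreated"], "modify", event["ProcessName"], event["ObjectName"]
    return None


def detect(events):
    """Allowlist check per event, then burst correlation per unauthorized process."""
    alerts = []
    touched = defaultdict(list)
    for ev in events:
        n = normalize(ev)
        if n is None:
            continue
        when, action, proc, path = n
        if not in_monitored_dir(path) or proc.lower() in AUTHORIZED_PROCESSES:
            continue
        alerts.append({"rule": "unauthorized_process", "time": when,
                       "action": action, "process": proc, "path": path})
        touched[proc].append((datetime.fromisoformat(when), path))
    for proc, ops in touched.items():
        ops.sort()
        start = 0
        for end in range(len(ops)):  # sliding window over time-sorted operations
            while ops[end][0] - ops[start][0] > TIME_WINDOW:
                start += 1
            files = {p for _, p in ops[start:end + 1]}
            if len(files) >= BURST_THRESHOLD:
                alerts.append({"rule": "burst", "process": proc,
                               "files": len(files), "window_s": TIME_WINDOW.seconds})
                break
    return alerts


# Constructed sample events: one benign database write, one benign Excel save,
# one read-only access, one notepad edit, one write outside the monitored tree,
# and five rapid deletions of database files by PowerShell.
MYSQLD = r"C:\Program Files\MySQL\MySQL Server 8.0\bin\mysqld.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DB = r"C:\ProgramData\MySQL\MySQL Server 8.0\Data"
SAMPLE_EVENTS = [
    {"source": "WinEventLog:Sysmon", "EventCode": 11, "UtcTime": "2024-05-01T10:00:00",
     "Image": MYSQLD, "TargetFilename": DB + r"\sales\orders.ibd"},
    {"source": "WinEventLog:Security", "EventCode": 4663, "TimeCreated": "2024-05-01T10:00:05",
     "ProcessName": EXCEL, "ObjectName": r"D:\Finance\Reports\Q1.xlsx", "AccessMask": "0x2"},
    {"source": "WinEventLog:Security", "EventCode": 4663, "TimeCreated": "2024-05-01T10:00:06",
     "ProcessName": r"C:\Windows\explorer.exe", "ObjectName": r"D:\Finance\Reports\Q1.xlsx",
     "AccessMask": "0x1"},
    {"source": "WinEventLog:Security", "EventCode": 4663, "TimeCreated": "2024-05-01T10:01:00",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"D:\Finance\Reports\Q1.xlsx", "AccessMask": "0x2"},
    {"source": "WinEventLog:Sysmon", "EventCode": 11, "UtcTime": "2024-05-01T10:02:00",
     "Image": PS, "TargetFilename": r"C:\Users\bob\Desktop\notes.txt"},
] + [
    {"source": "WinEventLog:Sysmon", "EventCode": 23, "UtcTime": f"2024-05-01T10:05:{i:02d}",
     "Image": PS, "TargetFilename": DB + rf"\sales\table{i}.ibd"}
    for i in range(5)
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample input the notepad edit and each of the five PowerShell deletions raise an `unauthorized_process` alert, and the five deletions inside one TimeWindow additionally raise a single `burst` alert; the Excel save, the read-only access and the write outside the monitored tree are silent.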
On Linux, detect suspicious file creation, modification, or deletion in stored data directories (e.g., /var/lib/mysql/, /var/log/, mail spools). Identify shell commands and general-purpose utilities (dd, rm, mv, text editors) writing to structured data files directly instead of through the legitimate database or mail utilities. The records come from auditd file watches on those directories: an open with write intent, an unlink, or a rename of a watched file is logged together with the calling executable, which is what the exclusion list is matched against.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | open, unlink, rename: File creation or deletion involving critical stored data |
| File Modification (DC0061) | auditd:SYSCALL | write: Modification of structured stored data by suspicious processes |

| Field | Description |
|---|---|
| WatchedPaths | Environment-specific paths where business-critical stored data resides. |
| CommandExclusions | Legitimate scripts/utilities excluded to minimize false positives. |
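
The Linux analytic run over raw audit.log records, added here as an example (not code from the ATT&CK page). The parser groups SYSCALL, CWD and PATH records by their audit serial, skips PATH items of nametype PARENT (the containing directory), maps x86_64 syscall numbers to names, and alerts when an executable outside CommandExclusions touches a file under WatchedPaths. The sample log lines are constructed to look like output of a watch such as `-w /var/lib/mysql -p wa -k stored_data` (the rule and key are assumptions, not from the page). One caveat the table glosses over: a path watch fires on path-based syscalls (open/openat with write intent, unlink, rename), not on a later write(2) against an already-open descriptor, so "write" here is observed as the open that preceded it unless you add a dedicated, and very noisy, syscall rule.

```python
import re

# Tunables from the table above; values are assumptions for this example.
WATCHED_PATHS = ["/var/lib/mysql", "/var/log", "/var/mail"]
COMMAND_EXCLUSIONS = {"/usr/sbin/mysqld", "/usr/sbin/logrotate", "/usr/sbin/rsyslogd"}

# Raw audit.log carries numeric syscalls (x86_64 table) unless log_format=ENRICHED is set.
SYSCALL_NAMES = {1: "write", 2: "open", 82: "rename", 87: "unlink", 257: "openat", 263: "unlinkat"}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Split 'k=v k="v v"' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def group_events(lines):
    """Group records by audit serial so SYSCALL and PATH lines of one event stay together."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "time": float(ts), "paths": []})
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return [e for e in events.values() if "syscall" in e]


def syscall_name(raw):
    """Accept either a numeric syscall (raw log) or a name (enriched log / ausearch -i)."""
    return SYSCALL_NAMES.get(int(raw), raw) if raw.isdigit() else raw


def under_watched(path):
    return any(path == w or path.startswith(w + "/") for w in WATCHED_PATHS)


def detect(lines):
    """Flag non-excluded executables touching watched paths; one alert per target path."""
    alerts = []
    for ev in group_events(lines):
        sc = ev["syscall"]
        if sc.get("exe") in COMMAND_EXCLUSIONS:
            continue
        for p in ev["paths"]:
            if p.get("nametype") == "PARENT":
                continue  # the containing directory, not the file acted on
            target = p.get("name", "")
            if not under_watched(target):
                continue
            alerts.append({
                "time": ev["time"], "serial": ev["serial"],
                "syscall": syscall_name(sc.get("syscall", "")),
                "exe": sc.get("exe"), "comm": sc.get("comm"), "uid": sc.get("uid"),
                "path": target, "change": p.get("nametype"),
            })
    return alerts


# Constructed sample: mysqld opening its own table (excluded), dd opening the system
# tablespace for writing, rm unlinking auth.log, logrotate renaming syslog (excluded),
# and vim editing a file outside the watched paths.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557600.101:501): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=7f3c2a001230 a2=2 a3=0 items=1 ppid=1 pid=1184 auid=4294967295 uid=27 gid=27 comm="mysqld" exe="/usr/sbin/mysqld" key="stored_data"
type=CWD msg=audit(1714557600.101:501): cwd="/var/lib/mysql"
type=PATH msg=audit(1714557600.101:501): item=0 name="/var/lib/mysql/sales/orders.ibd" inode=2104 mode=0100640 ouid=27 ogid=27 nametype=NORMAL
type=PROCTITLE msg=audit(1714557600.101:501): proctitle=2F7573722F7362696E2F6D7973716C64
type=SYSCALL msg=audit(1714557610.455:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c3e0a2b0 a2=241 a3=1b6 items=1 ppid=3011 pid=3042 auid=1000 uid=0 gid=0 comm="dd" exe="/usr/bin/dd" key="stored_data"
type=CWD msg=audit(1714557610.455:502): cwd="/root"
type=PATH msg=audit(1714557610.455:502): item=0 name="/var/lib/mysql/ibdata1" inode=2090 mode=0100640 ouid=27 ogid=27 nametype=NORMAL
type=SYSCALL msg=audit(1714557620.003:503): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55a0b1c02fa0 a2=0 a3=0 items=2 ppid=3011 pid=3050 auid=1000 uid=0 gid=0 comm="rm" exe="/usr/bin/rm" key="stored_data"
type=CWD msg=audit(1714557620.003:503): cwd="/root"
type=PATH msg=audit(1714557620.003:503): item=0 name="/var/log/" inode=131 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1714557620.003:503): item=1 name="/var/log/auth.log" inode=1420 mode=0100640 ouid=0 ogid=4 nametype=DELETE
type=SYSCALL msg=audit(1714557700.000:504): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=0 a3=0 items=4 ppid=1 pid=4100 auid=4294967295 uid=0 gid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="stored_data"
type=CWD msg=audit(1714557700.000:504): cwd="/"
type=PATH msg=audit(1714557700.000:504): item=2 name="/var/log/syslog" inode=1422 mode=0100640 ouid=104 ogid=4 nametype=DELETE
type=PATH msg=audit(1714557700.000:504): item=3 name="/var/log/syslog.1" inode=1422 mode=0100640 ouid=104 ogid=4 nametype=CREATE
type=SYSCALL msg=audit(1714557710.000:505): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f00 a2=241 a3=1b6 items=1 ppid=2001 pid=2099 auid=1000 uid=1000 gid=1000 comm="vim" exe="/usr/bin/vim" key="home_edit"
type=PATH msg=audit(1714557710.000:505): item=0 name="/home/alice/notes.txt" inode=9001 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
""".splitlines()


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        print(a)
```

Two alerts come out of the sample: dd opening `/var/lib/mysql/ibdata1` as root, and rm unlinking `/var/log/auth.log`. The mysqld and logrotate events are excluded by executable, and the vim edit falls outside WatchedPaths. Matching on `exe` rather than `comm` matters because `comm` is the self-reported process name and is trivially spoofed.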
On macOS, monitor sensitive data files such as plist-based storage, mail archives, and Office files for unexpected modifications. Detect processes modifying stored data outside expected update cycles using FSEvents-based file monitoring (for example, the osquery file_events table) and the Unified Log. FSEvents reports the path and the kind of change but not the writing process, so process attribution has to come from the Unified Log or an endpoint security agent, and content changes are best confirmed against a hash baseline rather than inferred from a modification event alone.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | Unexpected creation or modification of stored data files in protected directories |
| File Deletion (DC0040) | macos:osquery | CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes |

| Field | Description |
|---|---|
| FileIntegrityBaseline | Baseline hash values or metadata for stored data files to detect manipulation. |
| AllowedEditors | Allowlisted applications permitted to update stored data (e.g., Outlook, MySQL). |
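
The FileIntegrityBaseline and AllowedEditors tunables as working logic, added here as an example (not code from the ATT&CK page or from osquery). It takes rows shaped like osquery's file_events table (target_path, action, sha256, time), compares each content hash against a baseline, and classifies the result: a metadata-only touch whose hash still matches is ignored, a hash change attributed to an allowed editor refreshes the baseline, a hash change by anything else is an unauthorized modification, and deletions and new files are reported separately. The baseline, the event rows, the allowed-editor paths and the process attribution are all constructed; the attribution stands in for a join against Unified Log process activity, because file_events itself carries no process field. The action names CREATED/UPDATED/DELETED are the ones osquery's FSEvents publisher emits, as assumed here.

```python
import hashlib

# AllowedEditors tunable from the table above; paths are assumptions.
ALLOWED_EDITORS = {
    "/Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook",
    "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
    "/usr/local/mysql/bin/mysqld",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


PLIST = "/Users/alice/Library/Preferences/com.example.crm.plist"
MBOX = "/Users/alice/Library/Mail/V10/inbox.mbox"
DOCX = "/Users/alice/Documents/Q1-forecast.docx"
OUTBOX = "/Users/alice/Library/Mail/V10/outbox.mbox"

# Constructed FileIntegrityBaseline: path -> sha256 of the known-good content.
BASELINE = {
    PLIST: sha256(b'<plist version="1.0"><dict/></plist>'),
    MBOX: sha256(b"From alice@example.com Wed May  1 10:00:00 2024\n"),
    DOCX: sha256(b"PK\x03\x04 forecast v1"),
}

# Constructed rows in the shape of osquery's file_events table.
SAMPLE_EVENTS = [
    {"target_path": PLIST, "action": "UPDATED", "sha256": BASELINE[PLIST], "time": 1714557600},
    {"target_path": DOCX, "action": "UPDATED", "sha256": sha256(b"PK\x03\x04 forecast v2"), "time": 1714557660},
    {"target_path": MBOX, "action": "UPDATED", "sha256": sha256(b"From mallory@example.net\n"), "time": 1714557720},
    {"target_path": PLIST, "action": "DELETED", "sha256": "", "time": 1714557780},
    {"target_path": OUTBOX, "action": "CREATED", "sha256": sha256(b"From alice@example.com\n"), "time": 1714557840},
]

# Constructed process attribution keyed by (path, time), standing in for a join against
# Unified Log process activity; file_events itself does not name the writing process.
ATTRIBUTION = {
    (DOCX, 1714557660): "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
    (MBOX, 1714557720): "/bin/bash",
}


def evaluate(baseline, events, attribution):
    """Compare each event with the baseline; return (findings, refreshed baseline)."""
    current = dict(baseline)
    findings = []
    for ev in events:
        path, action, digest = ev["target_path"], ev["action"], ev["sha256"]
        editor = attribution.get((path, ev["time"]))
        known = current.get(path)
        if action == "DELETED":
            if known is not None:
                findings.append({"rule": "deleted", "path": path, "process": editor})
                del current[path]
        elif known is None:
            findings.append({"rule": "new_file", "path": path, "process": editor})
            current[path] = digest
        elif digest == known:
            continue  # metadata-only change (e.g. touch); content still matches the baseline
        elif editor in ALLOWED_EDITORS:
            findings.append({"rule": "expected_update", "path": path, "process": editor})
            current[path] = digest  # an allowed editor's change becomes the new baseline
        else:
            findings.append({"rule": "unauthorized_modification", "path": path,
                             "process": editor, "expected": known, "observed": digest})
    return findings, current


def run_sample():
    return evaluate(BASELINE, SAMPLE_EVENTS, ATTRIBUTION)


if __name__ == "__main__":
    found, _ = run_sample()
    for f in found:
        print(f)
```

The sample yields four findings in event order: the Word save is an `expected_update`, the mailbox rewrite by `/bin/bash` is an `unauthorized_modification` (its baseline entry is deliberately left at the known-good hash so a later restore can be verified), the plist removal is `deleted`, and the new outbox is `new_file`. The first event, a touch that left the plist content intact, produces nothing, which is the point of hashing rather than trusting the UPDATED flag.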