Monitor for anomalies in transmitted data streams, including mismatched file integrity checks, API interception, or man-in-the-middle modifications. Detect unexpected use of APIs that handle network I/O where transmitted data integrity could be manipulated.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |

| Field | Description |
|---|---|
| IntegrityBaseline | Hash baselines or digital signature references to validate transmitted data. |
| MonitoredPorts | List of ports/services where data integrity validation is enforced. |
Detect alterations of transmitted data by monitoring syscalls (send, recv, write) or middleware interception. Identify mismatched file hashes when compared at origin vs. destination. Watch for anomalous activity from processes interacting with secure transmission services (e.g., OpenSSL, scp).

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | auditd:SYSCALL | send, recv, write: Abnormal interception or alteration of transmitted data |
| Network Traffic Content (DC0085) | linux:syslog | Integrity mismatch warnings or malformed packets detected |

| Field | Description |
|---|---|
| WatchedProcesses | List of processes authorized to handle transmitted data (e.g., sshd, nginx). |
| HashCheckInterval | Frequency of out-of-band integrity verification checks. |
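The two Linux checks above (network I/O syscalls from processes outside the WatchedProcesses list, and origin-vs-destination hash comparison against an IntegrityBaseline) as an added example, not code from the original page: the audit records, allow list and baseline values are constructed, and the audit lines are written in `ausearch -i` interpreted form (syscall names rather than numbers).

```python
import hashlib
import re

# Assumed detection config, mirroring the fields in the table above.
WATCHED_PROCESSES = {"sshd", "nginx"}        # processes allowed to handle transmitted data
INTEGRITY_BASELINE = {                       # constructed origin-side SHA-256 values
    "report.csv": hashlib.sha256(b"id,amount\n1,100\n").hexdigest(),
}

# Constructed auditd SYSCALL records (ausearch -i style); not real log data.
AUDIT_LOG = """\
type=SYSCALL msg=audit(10/01/2024 09:00:01.000:101) : syscall=sendto success=yes comm=sshd exe=/usr/sbin/sshd
type=SYSCALL msg=audit(10/01/2024 09:00:02.000:102) : syscall=write success=yes comm=nginx exe=/usr/sbin/nginx
type=SYSCALL msg=audit(10/01/2024 09:00:03.000:103) : syscall=sendto success=yes comm=relay exe=/tmp/relay
type=SYSCALL msg=audit(10/01/2024 09:00:04.000:104) : syscall=openat success=yes comm=relay exe=/tmp/relay
"""

# Syscalls through which transmitted data can be read or altered.
IO_SYSCALLS = {"send", "sendto", "sendmsg", "recv", "recvfrom", "recvmsg", "write"}
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit record into a key/value dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def unauthorized_io(log: str) -> list:
    """Return (comm, syscall) pairs for network I/O syscalls issued by a process
    that is not on the WatchedProcesses allow list."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") not in IO_SYSCALLS:
            continue
        if rec.get("comm") not in WATCHED_PROCESSES:
            hits.append((rec["comm"], rec["syscall"]))
    return hits


def integrity_mismatches(received: dict) -> list:
    """Out-of-band check: hash what arrived at the destination and return the
    names whose digest differs from the origin baseline (or have no baseline)."""
    return [name for name, data in received.items()
            if hashlib.sha256(data).hexdigest() != INTEGRITY_BASELINE.get(name)]
```

Run on the constructed log, `unauthorized_io` flags only the `relay` process's `sendto`; feeding `integrity_mismatches` an altered `report.csv` body returns that filename.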
Monitor system APIs such as CFNetwork and SecureTransport for anomalies in transmitted data streams. Detect mismatches in file hashes or SSL/TLS downgrade attempts that enable manipulation of transmitted data.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | macos:unifiedlog | Suspicious anomalies in transmitted data integrity during application network operations |
| OS API Execution (DC0021) | macos:osquery | CALCULATE: Integrity validation of transmitted data via hash checks |

| Field | Description |
|---|---|
| TLSValidationRules | Custom rules for enforcing HTTPS/TLS integrity checks to prevent downgrade manipulation. |
| AllowedApps | Allow-listed macOS apps permitted to transmit critical data. |