Repeated invocation of high-resource application endpoints or GUI components causing CPU and memory spikes, logged as elevated request volumes, prolonged handle locks, or frequent crash recoveries.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | WinEventLog:Application | High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite) |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Host Status (DC0018) | Windows:perfmon | Sudden spikes in CPU/Memory usage linked to specific application processes |

| Field | Description |
|---|---|
| CPUThreshold | Percentage of CPU usage above which a process's behavior is considered abnormal. |
| MemoryConsumptionWindow | Window (e.g., 5 mins) during which sustained memory usage may be abnormal. |
| AppCrashFrequency | Threshold for the number of application faults within a specific interval. |
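The Windows analytic hinges on CPUThreshold being exceeded for the whole MemoryConsumptionWindow rather than momentarily, since brief spikes are normal for Office or IIS worker processes. The following is an added example, not part of the detection strategy itself, showing that "sustained exceedance" logic over constructed perfmon-style samples; the `PerfSample` shape, the process names, and the concrete threshold values (85 % CPU, a 2048 MB working-set ceiling, a 5-minute window) are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed perfmon-style samples (process CPU % and working set in MB) at a
# 30 s collection interval. Process names and values are made up for this example.
@dataclass(frozen=True)
class PerfSample:
    ts: datetime
    process: str
    cpu_pct: float
    mem_mb: float

# Mutable elements from the Windows analytic. The concrete numbers are assumed
# starting points, not values from the analytic; tune them to the host's baseline.
CPU_THRESHOLD_PCT = 85.0                 # CPUThreshold
MEMORY_WINDOW = timedelta(minutes=5)     # MemoryConsumptionWindow
MEM_THRESHOLD_MB = 2048.0                # assumed per-process working-set ceiling


def sustained_exceedance(samples, process, metric, threshold, window):
    """Return the start time of the first run in which `metric` stays at or above
    `threshold` for at least `window` for `process`, or None if no such run exists.
    A single sample below the threshold resets the run, so short spikes do not alert."""
    run_start = None
    for s in sorted((s for s in samples if s.process == process), key=lambda s: s.ts):
        if metric(s) >= threshold:
            if run_start is None:
                run_start = s.ts
            if s.ts - run_start >= window:
                return run_start
        else:
            run_start = None
    return None


def flag_processes(samples, cpu_threshold=CPU_THRESHOLD_PCT,
                   mem_threshold=MEM_THRESHOLD_MB, window=MEMORY_WINDOW):
    """Apply the CPU and memory checks to every process seen in the samples.
    Returns (process, metric_name, run_start) tuples for each sustained exceedance."""
    findings = []
    for proc in sorted({s.process for s in samples}):
        for name, metric, threshold in (
            ("cpu", lambda s: s.cpu_pct, cpu_threshold),
            ("mem", lambda s: s.mem_mb, mem_threshold),
        ):
            start = sustained_exceedance(samples, proc, metric, threshold, window)
            if start is not None:
                findings.append((proc, name, start))
    return findings


def build_samples():
    """Constructed six-minute capture: w3wp.exe pegged the whole time, OUTLOOK.EXE
    spiking for about one minute and then settling."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    samples = []
    for i in range(13):                       # 13 samples at 30 s spacing = 6 minutes
        ts = base + timedelta(seconds=30 * i)
        samples.append(PerfSample(ts, "w3wp.exe", 96.0, 2300.0))
        outlook_cpu = 98.0 if 2 <= i <= 4 else 12.0
        samples.append(PerfSample(ts, "OUTLOOK.EXE", outlook_cpu, 700.0))
    return samples


if __name__ == "__main__":
    for proc, metric, start in flag_processes(build_samples()):
        print(f"{proc}: {metric} above threshold for {MEMORY_WINDOW} starting {start:%H:%M:%S}")
```

Only `w3wp.exe` is reported: its CPU and working set stay above both thresholds for the full window, while the one-minute Outlook spike never accumulates five minutes of continuous exceedance. Resetting the run on any sub-threshold sample is deliberate; a flood that pauses every few minutes would need a tolerance for short dips, at the cost of more noise from legitimately busy processes.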
Automated scripts or repeated CLI/API requests that trigger application backends to consume high CPU or memory (e.g., Apache/PHP, MySQL, mail servers), resulting in syslog errors and excessive process spawning.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Application Log Content (DC0038) | linux:syslog | Error/warning logs from services indicating load spike or worker exhaustion |
| Network Traffic Content (DC0085) | NSM:Flow | Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25) |

| Field | Description |
|---|---|
| SyslogErrorRate | Number of critical errors in logs within a time window above which an alert fires. |
| PortRequestSpikeThreshold | Request rate on a monitored service port above which an alert fires. |
| ProcessSpawnRate | Rate of process creation that may overwhelm the system. |
Repetitive triggering of GUI or backend application workflows that cause increased CPU/memory usage, logged in unified logs as spin reports or crash dumps.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Application errors or resource contention from excessive frontend or script invocation |
| Process Creation (DC0032) | macos:osquery | Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office) |

| Field | Description |
|---|---|
| SpinReportCount | Threshold for number of system spin/crash reports in a defined window. |
| HeavyAppReopenRate | Frequency of user or script reopening GUI-heavy apps. |
Automated abuse of cloud-hosted applications (e.g., web apps, REST endpoints, internal APIs) causing compute exhaustion, high 5xx error rates, or frequent autoscaling triggers logged in Application Insights or CloudWatch.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | AWS:CloudWatch | Elevated 5xx response rates in application logs or gateway layer |
| Cloud Service Metadata (DC0070) | CloudTrail:InvokeFunction | InvokeFunction |
| Host Status (DC0018) | CloudMetrics:InstanceHealth | Autoscaling, memory/CPU alarms, or instance unhealthiness |

| Field | Description |
|---|---|
| HTTP5xxRateThreshold | Ratio of 5xx response codes to total requests above which resource exhaustion is indicated. |
| FunctionInvocationRate | Spike in Lambda/API Gateway executions indicating scripted behavior. |
| AutoscaleEventCount | Number of autoscaling triggers linked to application DoS that mimics legitimate scaling demand. |
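Most of the remaining mutable elements (Linux SyslogErrorRate and ProcessSpawnRate, macOS SpinReportCount and HeavyAppReopenRate, cloud FunctionInvocationRate and AutoscaleEventCount) are the same computation: the number of events of one kind inside a trailing time window compared with a threshold. HTTP5xxRateThreshold differs in being a ratio of error responses to all requests. The following is an added example, not code from the detection strategy, that implements both computations once and applies them to constructed stand-ins for auditd `execve` records, macOS spin reports, an HTTP access log and CloudTrail `InvokeFunction` events; the threshold values, the event timings and the minimum-request floor on the ratio check are all assumptions for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Threshold values for the mutable elements. These are assumed starting points,
# not values from the analytic, and would be tuned per environment.
PROCESS_SPAWN_RATE = (20, timedelta(seconds=10))        # Linux ProcessSpawnRate: execve per 10 s per parent
SPIN_REPORT_COUNT = (3, timedelta(minutes=15))          # macOS SpinReportCount
FUNCTION_INVOCATION_RATE = (100, timedelta(minutes=1))  # cloud FunctionInvocationRate
HTTP_5XX_RATIO = (0.30, timedelta(seconds=30), 20)      # HTTP5xxRateThreshold: ratio, window, min requests


def max_events_in_window(timestamps, window):
    """Largest number of events falling inside any trailing window of length `window`.
    Single sweep over sorted timestamps with a deque, so it is linear in the event count."""
    recent = deque()
    peak = 0
    for t in sorted(timestamps):
        recent.append(t)
        while t - recent[0] > window:      # evict events that aged out of the window
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def worst_error_ratio(requests, window, min_requests):
    """Highest fraction of 5xx responses in any trailing window holding at least
    `min_requests` requests. `requests` are (timestamp, http_status) pairs; the floor
    keeps a lone failed request at startup from reading as a 100 % error ratio."""
    recent = deque()
    errors = 0
    worst = 0.0
    for t, status in sorted(requests):
        recent.append((t, status))
        if 500 <= status <= 599:
            errors += 1
        while t - recent[0][0] > window:
            _, old = recent.popleft()
            if 500 <= old <= 599:
                errors -= 1
        if len(recent) >= min_requests:
            worst = max(worst, errors / len(recent))
    return worst


def build_events():
    """Constructed event streams standing in for: auditd execve records from one parent
    spawning 50 children in 5 s; macOS spin reports every two minutes; an access log that
    turns to 503s at request 60; and a benign trickle of CloudTrail InvokeFunction events."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    execve = [base + timedelta(milliseconds=100 * i) for i in range(50)]
    spins = [base + timedelta(minutes=2 * i) for i in range(5)]
    requests = [(base + timedelta(milliseconds=600 * i), 503 if i >= 60 else 200)
                for i in range(100)]
    invocations = [base + timedelta(seconds=2 * i) for i in range(10)]
    return execve, spins, requests, invocations


def run_checks(execve, spins, requests, invocations):
    """Evaluate each mutable element against its threshold; True means the analytic fires."""
    spawn_n, spawn_w = PROCESS_SPAWN_RATE
    spin_n, spin_w = SPIN_REPORT_COUNT
    inv_n, inv_w = FUNCTION_INVOCATION_RATE
    ratio, ratio_w, min_req = HTTP_5XX_RATIO
    return {
        "ProcessSpawnRate": max_events_in_window(execve, spawn_w) >= spawn_n,
        "SpinReportCount": max_events_in_window(spins, spin_w) >= spin_n,
        "FunctionInvocationRate": max_events_in_window(invocations, inv_w) >= inv_n,
        "HTTP5xxRateThreshold": worst_error_ratio(requests, ratio_w, min_req) >= ratio,
    }


if __name__ == "__main__":
    for element, fired in run_checks(*build_events()).items():
        print(f"{element}: {'ALERT' if fired else 'ok'}")
```

In production the counting would be keyed (per parent PID or user for `execve`, per source address or API key for requests, per function for invocations) so that one noisy client does not hide behind the aggregate, and the windows would be evaluated incrementally on the live stream rather than over a sorted batch. The ratio check's request floor is the practical caveat for 5xx monitoring: a quiet endpoint that returns a single 503 exceeds any ratio threshold, so low-volume windows should be ignored or handled by the absolute error count instead.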