SIEM

File Modification Use Cases

Grouped by Detection Method

Aggregate Count

Blacklist Alert

• Changes to hosts file
• Changes by an unexpected user to any file under c:\ root
• Changes by an unexpected user to any file under c:\program files\
• Changes by an unexpected user to any file under c:\program files (x86)\
• Changes by an unexpected user to any file under c:\windows\
• Changes to files in another user’s home directory
• Changes to files in folder path containing ‘inetpub’ or ‘wwwroot’
• Changes to c:\windows\system32\drivers\etc\hosts

Whitelist Alert

Levenshtein Score Alert

Rolling Whitelist Alert

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

• Cloud Bucket Logs

Possible False Positives

This site is open source. Improve this page.