SIEM

Service Modification Use Cases

Grouped by Detection Method

MITRE ATT&CK Framework: Modify Existing Service (T1031)

• Service modification can be used by an adversary to achieve persistence.

Aggregate Count

Blacklist Alert

Whitelist Alert

Levenshtein Score Alert

Rolling Whitelist Alert

• Newly observed Source User

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

• AWS Cloudtrail
• Azure
• GCP

Possible False Positives

This site is open source. Improve this page.