Integrity Monitoring Report

Time Filter:      January 6, 2025 00:00 - January 13, 2025 11:00
Computer Filter:  All Computers
Tag Filter:       All
Generated By:     kksi.2024
Generated On:     January 13, 2025 10:25
Integrity Monitoring Event History

[Chart: Integrity Monitoring event history by severity (Low Severity, Medium Severity, High Severity, Critical Severity)]
Integrity Monitoring Event Statistics

25 Most Common Integrity Monitoring Rule Events

    # of Events        Rule
536,340 (72.8%)        1002781 - Microsoft Windows - Attributes of services modified (ATT&CK T1036.004, T1543.003)
                       This rule is intended to alert when attributes of certain services are modified. For additional
                       information, see the Details tab.
                       Note: The rule also provides configuration options to exclude selected services from monitoring.
162,302 (22%)          1006076 - Microsoft Windows - Task scheduler entries modified (ATT&CK T1053.005)
                       An adversary may use job scheduling to execute programs at system startup or on a scheduled basis
                       for persistence, to conduct execution as part of lateral movement, to gain root privileges, or to
                       run a process under the context of a specific account. For additional information, see the
                       Details tab.
 29,049 (3.9%)         1002778 - Microsoft Windows - System .dll or .exe files modified (ATT&CK T1036.003, T1222.001)
                       This rule alerts when there is a change in .dll or .exe files under the %WINDIR%\system32 path.
                       For additional information, see the Details tab.
                       Note: This rule provides configuration options to exclude files from monitoring and to select
                       the file attributes to monitor.
  8,824 (1.2%)         1003019 - Application - Trend Micro Deep Security Agent / Relay
                       This alert indicates that the files / registry keys / services created by Deep Security Agent /
                       Relay were modified. This could indicate that the software was updated or installed / uninstalled.
                       On Windows, the rule looks into any change made to installedSoftware, files, directories,
                       registry and services.
                       On Unix, it monitors installedSoftware, files, directories and process changes.
                       The rule also provides an interface to configure the installation file path.
                       Note: The onChange feature will not work for the DirectorySet entity set in this rule.
    269 (0%)           1003063 - Application - Microsoft Exchange
                       This alert indicates that the files / registry keys / services created by Microsoft Exchange
                       Server were modified. This could indicate that the software was updated or installed / uninstalled.
     84 (0%)           1002910 - Application - Microsoft IIS
                       This alert indicates that the files / registry keys / services created by IIS were modified. This
                       could indicate that the software was updated or installed / uninstalled.
     73 (0%)           1002780 - Microsoft Windows - Installed software attributes modified (ATT&CK T1195.002, T1554)
                       This rule alerts when there is any change in the attributes of installed software or programs. It
                       also alerts when a program is installed or uninstalled on a Windows host. For additional
                       information, see the Details tab.
                       Note: The rule also provides configuration options to exclude software from monitoring and to
                       select the InstalledSoftware and RegistryKey attributes to monitor.
     16 (0%)           1002853 - Application - Apache Tomcat
                       This alert indicates that the files / registry keys / services created by Tomcat were modified.
                       This could indicate that the software was updated or installed / uninstalled.
                       Note: This rule should be applied on Windows systems only.
     12 (0%)           1002999 - Application - Microsoft SQL Server
                       This alert indicates that the files / registry keys / services created by Microsoft SQL Server
                       were modified. This could indicate that the software was updated or installed / uninstalled.
      6 (0%)           1002851 - Application - Apache HTTP Server
                       This alert indicates that the files / registry keys / services created by Apache were modified.
                       This could indicate that the software was updated or installed / uninstalled.
      5 (0%)           1003517 - Microsoft Windows - System driver files modified
                       This rule alerts when there is a change in the file attributes Created, LastModified, Permissions,
                       Owner, Group, Size and Contents of .sys files under the %WINDIR%\system32\drivers path.
                       The rule also provides configuration options to exclude files from monitoring and to select the
                       file attributes to monitor.
      4 (0%)           1002779 - Microsoft Windows - System File Modified
                       This rule alerts when there is a change in the attributes of system files such as boot.ini, ntldr,
                       autorun.inf, and files with the com, exe, bat, ocx, pif or sys extension located under the
                       %SystemDrive% (e.g. C:) directory. By default, pagefile.sys and hiberfil.sys are excluded from
                       monitoring.
                       The rule also provides configuration options to exclude files from monitoring and to select the
                       file attributes to monitor.
      2 (0%)           1003020 - Application - Trend Micro Deep Security Manager
                       This alert indicates that the files / registry keys / services created by Deep Security Manager
                       were modified. This could indicate that the software was updated or installed / uninstalled.
Top 25 Computers Ranked by Number of Integrity Monitoring Events

    # of Events        Computer
168,258 (22.8%)        10.230.114.207 (BGRDCO-PROCWB7) (10.230.114.207)      Last Update: January 12, 2025 12:09
                       Policy: OJK Server - Primary (No RDP 20240715)
  8,578 (1.2%)         10.242.70.55 (S1PI-CAMWS1) (10.242.70.55)              Last Update: January 12, 2025 12:11
                       Policy: OJK Server - Primary (No RDP 20240715)
  8,199 (1.1%)         10.225.111.235 (JKTTIP-SIPPAPP2) (10.225.111.235)      Last Update: January 12, 2025 12:08
                       Policy: OJK Server - Primary (No RDP 20240715)
  8,026 (1.1%)         10.224.127.8 (BGRDCO-RDKWEB01) (10.242.70.72)          Last Update: January 13, 2025 10:20
                       Policy: OJK Server - Primary (No RDP 20240715)
  7,412 (1%)           10.224.115.72 (BGRDCO-SIPMWEB1) (10.224.115.72)        Last Update: January 12, 2025 12:04
                       Policy: OJK Server - Primary (No RDP 20240715)
  6,794 (0.9%)         10.230.115.201 (B1PT-MAFLOW2) (10.230.115.201)         Last Update: January 12, 2025 12:03
                       Policy: OJK Server - Primary (No RDP 20240715)
  5,792 (0.8%)         10.225.90.19 (BGRDCO-BLDSVR77) (10.225.90.19)          Last Update: January 12, 2025 12:14
                       Policy: OJK Server - Primary
  4,217 (0.6%)         10.242.78.124 (SBYDRC-BLDSV09) (10.242.78.124)         Last Update: January 12, 2025 12:09
                       Policy: OJK Server - Primary (No RDP 20240715)
  4,204 (0.6%)         10.242.78.127 (SBYDRC-BLDSV12) (10.242.78.127)         Last Update: January 12, 2025 12:15
                       Policy: OJK Server - Primary (No RDP 20240715)
  4,203 (0.6%)         10.242.78.126 (SBYDRC-BLDSV11) (10.242.78.126)         Last Update: January 12, 2025 12:07
                       Policy: OJK Server - Primary (No RDP 20240715)
  4,203 (0.6%)         10.242.78.130 (SBYDRC-BLDSV15) (10.242.78.130)         Last Update: January 12, 2025 12:14
                       Policy: OJK Server - Primary (No RDP 20240715)
  4,199 (0.6%)         10.242.78.125 (SBYDRC-BLDSV10) (10.242.78.125)         Last Update: January 12, 2025 12:15
                       Policy: OJK Server - Primary (No RDP 20240715)
  4,196 (0.6%)         10.242.78.131 (SBYDRC-BLDSV16) (10.242.78.131)         Last Update: January 12, 2025 12:07
                       Policy: OJK Server - Primary (No RDP 20240715)
  4,195 (0.6%)         10.242.78.129 (SBYDRC-BLDSV14) (10.242.78.129)         Last Update: January 12, 2025 12:05
                       Policy: OJK Server - Primary (No RDP 20240715)
  4,043 (0.5%)         10.224.50.8 (BGRDCO-SAKDV) (10.224.50.8)               Last Update: January 12, 2025 12:03
                       Policy: OJK Server - Primary (No RDP 20240715)
  3,377 (0.5%)         10.225.91.101 (BGRDRC-RCK01) (10.225.91.101)           Last Update: January 12, 2025 12:06
                       Policy: OJK Server - Primary
  3,325 (0.5%)         10.243.72.25 (SBYDRC-EXCSVR06) (10.243.72.25)          Last Update: January 12, 2025 12:15
                       Policy: OJK Server - Primary (No RDP 20240715)
  3,301 (0.4%)         10.243.72.26 (SBYDRC-EXCSVR07) (10.243.72.26)          Last Update: January 12, 2025 12:15
                       Policy: OJK Server - Primary (No RDP 20240715)
  2,939 (0.4%)         10.230.111.19 (BGRDCO-APLWEB02) (10.230.111.19)        Last Update: January 12, 2025 12:01
                       Policy: OJK Server - Primary (No RDP 20240715)
  2,685 (0.4%)         10.230.72.10 (B1PT-APIW1) (10.230.72.10)               Last Update: January 8, 2025 12:03
                       Policy: OJK Server - Primary (No RDP 20240715)
  2,412 (0.3%)         10.231.112.40 (BGRDCO-AWASAPI1) (10.231.112.40)        Last Update: January 12, 2025 12:15
                       Policy: OJK Server - Primary (No RDP 20240715)
  2,128 (0.3%)         10.225.111.237 (JKTTIP-HPVINT49) (10.225.111.237)      Last Update: January 12, 2025 12:12
                       Policy: OJK Server - Primary (No RDP 20240715)
  2,079 (0.3%)         10.225.70.10 (B1PI-SIPNGA1) (10.225.70.10)             Last Update: January 12, 2025 12:14
                       Policy: OJK Server - Primary (No RDP 20240715)
  2,063 (0.3%)         10.224.70.11 (B1PI-SIPNGW4) (10.224.70.11)             Last Update: January 12, 2025 12:11
                       Policy: OJK Server - Primary (No RDP 20240715)
  2,048 (0.3%)         10.224.70.10 (B1PI-SIPNGW3) (10.224.70.10)             Last Update: January 12, 2025 12:08
                       Policy: OJK Server - Primary (No RDP 20240715)
Top 25 Keys for Integrity Monitoring Events

    # of Events        Key
245,026 (33.2%)        smphost
167,593 (22.7%)        N/A
 54,550 (7.4%)         c:\windows\system32\tasks\microsoft\windows\windows error reporting\queuereporting
 54,081 (7.3%)         c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask
 33,564 (4.6%)         gupdate
 29,044 (3.9%)         c:\windows\system32\hpauditlog.dll
 16,262 (2.2%)         c:\windows\system32\tasks\microsoft\windows\windowsupdate\scheduled start
 14,647 (2%)           SPTimerV4
 14,099 (1.9%)         WinHttpAutoProxySvc
 11,653 (1.6%)         UsoSvc
  8,372 (1.1%)         c:\windows\tasks\dcagentupdater.job
  7,929 (1.1%)         OJK eMail Service
  7,661 (1%)           SplunkForwarder
  5,505 (0.7%)         c:\windows\system32\tasks\microsoft\windows\flighting\onesettings\refreshcache
  5,097 (0.7%)         Rubrik Backup Service
  4,310 (0.6%)         c:\windows\system32\tasks\microsoft\windows\pla\:0v1ieca3feahez0jawxjjk5urh:$data
  2,904 (0.4%)         CloudEndpointService
  2,611 (0.4%)         VSS
  2,362 (0.3%)         c:\windows\system32\tasks\microsoft\windows\updateorchestrator\resume on boot
  2,115 (0.3%)         Trend Micro Web Service Communicator
  2,083 (0.3%)         GoogleUpdaterInternalService132.0.6833.0
  2,039 (0.3%)         GoogleUpdaterService132.0.6833.0
  1,953 (0.3%)         RemoteRegistry
  1,785 (0.2%)         GoogleUpdaterService126.0.6462.0
  1,784 (0.2%)         GoogleUpdaterInternalService126.0.6462.0