| Data Source | Detection Logic |
|---|---|
| auditd:SYSCALL | firmware_update, kexec_load |
| AWS:CloudMetrics | Autoscaling events, memory/CPU alarms, or instance unhealthiness |
| AWS:CloudWatch | Sustained spike in CPU usage on an EC2 instance with a web service role |
| AWS:CloudWatch | StatusCheckFailed or StatusCheckFailed_System on burstable instances (t2/t3) |
| AWS:CloudWatch | Sustained EC2 CPU usage above the normal baseline |
| AWS:CloudWatch | NetworkOut spike beyond baseline |
| AWS:CloudWatch | Sudden spike in network output without a corresponding rise in inbound requests |
| AWS:CloudWatch | Unusual CPU burst or metric anomalies |
| esxi:hostd | Host powered off or restarted |
| journald:boot | Secure Boot failure, firmware version change |
| kubernetes:events | CrashLoopBackOff, OOMKilled, container restart count exceeding threshold |
| linux:procfs | Sustained high CPU time (utime/stime) for a process, read from /proc/[pid]/stat |
| linux:syslog | Out-of-memory killer invoked or kernel panic entries |
| linux:syslog | Service stop or disable messages for security tools that are not reflected in SIEM alerts |
| linux:syslog | "System is powering down" |
| macos:osquery | interface_details |
| macos:syslog | Hardware UUID or device list drift |
| macos:unifiedlog | Web service process (e.g., httpd) entering a crash loop or consuming excessive CPU |
| macos:unifiedlog | Spike in CPU or memory use from non-user-initiated processes |
| macos:unifiedlog | Termination or disabling of XProtect, Gatekeeper, or third-party AV daemons |
| macos:unifiedlog | Network stack resource exhaustion, TCP accept queue overflow, repeated resets |
| macos:unifiedlog | EFI firmware integrity check failed |
| macos:unifiedlog | System Integrity Protection (SIP) state reported as disabled |
| macos:unifiedlog | System shutdown or reboot requested |
| networkdevice:syslog | System reboot scheduled or performed |
| NSM:Flow | TCP: possible SYN flood or backlog limit exceeded |
| prometheus:metrics | Container CPU/memory usage exceeding threshold |
| sar:network | Outbound network saturation with minimal process activity |
| Sensor Health | None |
| Windows:perfmon | Sustained CPU/memory exhaustion by a service process (e.g., w3wp.exe) |
| Windows:perfmon | High sustained CPU usage by a single process |
| Windows:perfmon | Sudden spike in outbound throughput without corresponding inbound traffic |
| Windows:perfmon | Sudden spikes in CPU/memory usage linked to specific application processes |
| WinEventLog:Microsoft-Windows-TCPIP | Connection queue overflow or failure to allocate a TCP state object |
| WinEventLog:System | EventCode=1166, 7045 (7045: a new service was installed) |
| WinEventLog:System | EventCode=1074 (shutdown or restart initiated by a process or user) |
| WinEventLog:System | EventCode=6006 (Event Log service stopped) |
| WinEventLog:Sysmon | EventCode=16 (Sysmon configuration changed) |
| WinEventLog:System | System shutdowns due to bugcheck (Event ID 1001, source BugCheck) or watchdog timer expirations |

Note on the Windows rows: Event IDs 1074, 6006 and 7045 are written to the System channel (sources User32, EventLog and Service Control Manager respectively), not to the Security channel, so searches scoped to WinEventLog:Security will miss them. Event ID 1001 is also used by Windows Error Reporting; filter on source BugCheck to keep only crash-dump entries.
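The rows above are stated as conditions, not as queries. The following is an added example (not code from the original page or from any vendor) showing how a handful of them are evaluated: the three linux:syslog rows run over constructed syslog lines, the Windows event rows matched on (channel, EventCode, Source) tuples, and the "sustained" CPU and "outbound spike without inbound" CloudWatch/perfmon rows reduced to concrete threshold logic. The sample log lines, the set of units treated as security tools, and every threshold are assumptions for illustration; the regexes match the message formats shown in the sample, which a real deployment would need to confirm against its own hosts.

```python
import re

# Constructed sample syslog lines for the three linux:syslog rows (not captured from a real host).
SYSLOG_SAMPLE = [
    "Mar 10 12:00:01 web01 kernel: Out of memory: Killed process 4242 (httpd) total-vm:812340kB",
    "Mar 10 12:00:05 web01 systemd[1]: Stopped auditd.service - Security Auditing Service.",
    "Mar 10 12:00:09 web01 systemd[1]: Stopped nginx.service - A high performance web server.",
    "Mar 10 12:01:00 web01 systemd-logind[611]: System is powering down.",
    "Mar 10 12:01:02 web01 kernel: Kernel panic - not syncing: Fatal exception",
]

# Assumed, site-specific list of units that count as "security tools"; tune per environment.
SECURITY_UNITS = {"auditd.service", "falco.service", "osqueryd.service", "clamav-daemon.service"}

SYSLOG_RULES = [
    ("oom_or_panic", re.compile(r"kernel: (Out of memory|Kernel panic)")),
    ("security_tool_stopped", re.compile(r"systemd\[1\]: (Stopped|Stopping) (?P<unit>\S+)")),
    ("system_powering_down", re.compile(r"System is (powering down|rebooting)")),
]


def match_syslog(lines):
    """Return (rule_name, line) for every line satisfying one of the table's syslog rows."""
    alerts = []
    for line in lines:
        for name, rx in SYSLOG_RULES:
            m = rx.search(line)
            if m is None:
                continue
            # A stop of nginx is routine; only units in SECURITY_UNITS are alert-worthy.
            if name == "security_tool_stopped" and m.group("unit") not in SECURITY_UNITS:
                continue
            alerts.append((name, line))
    return alerts


# Constructed Windows events as the (channel, EventCode, Source) triples a SIEM exposes.
WIN_SAMPLE = [
    ("System", 1074, "User32"),                      # shutdown/restart initiated
    ("System", 7036, "Service Control Manager"),     # routine service state change: no rule
    ("System", 6006, "EventLog"),                    # Event Log service stopped
    ("Microsoft-Windows-Sysmon/Operational", 16, "Microsoft-Windows-Sysmon"),  # config changed
    ("System", 1001, "Windows Error Reporting"),     # 1001 from WER, not a bugcheck
    ("System", 1001, "BugCheck"),                    # crash dump written after a bugcheck
]

# (channel, EventCode, required Source or None, rule name)
WIN_RULES = [
    ("System", 1074, None, "shutdown_initiated"),
    ("System", 6006, None, "eventlog_service_stopped"),
    ("System", 7045, None, "new_service_installed"),
    ("Microsoft-Windows-Sysmon/Operational", 16, None, "sysmon_config_changed"),
    ("System", 1001, "BugCheck", "bugcheck_shutdown"),  # Source filter drops the WER 1001
]


def match_windows(events):
    """Return the rule names hit, in input order; events matching no rule are skipped."""
    hits = []
    for channel, code, source in events:
        for r_channel, r_code, r_source, name in WIN_RULES:
            if channel == r_channel and code == r_code and (r_source is None or source == r_source):
                hits.append(name)
    return hits


def sustained_cpu(samples, threshold=80.0, periods=3):
    """True once `periods` consecutive samples exceed `threshold`.

    This is the 'sustained' condition of the CPU rows: a single spike resets the run.
    """
    run = 0
    for value in samples:
        run = run + 1 if value > threshold else 0
        if run >= periods:
            return True
    return False


def network_out_anomalies(samples, baseline_out, spike_factor=3.0, ratio_threshold=5.0):
    """Indices of periods where NetworkOut exceeds spike_factor x baseline AND the out/in
    byte ratio exceeds ratio_threshold: the 'outbound spike without inbound' rows.
    A period with zero inbound bytes is treated as an infinite ratio rather than an error.
    """
    flagged = []
    for i, (net_in, net_out) in enumerate(samples):
        ratio = float("inf") if net_in == 0 else net_out / net_in
        if net_out > spike_factor * baseline_out and ratio > ratio_threshold:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for name, line in match_syslog(SYSLOG_SAMPLE):
        print(f"[{name}] {line}")
    print(match_windows(WIN_SAMPLE))
    print(sustained_cpu([20, 95, 30, 90, 92, 93, 40]))
    print(network_out_anomalies([(900_000, 1_100_000), (50_000, 9_000_000)], baseline_out=1_000_000))
```

Two design points carry over to a production rule set: the stop-of-service rule must be allow-listed to the units that matter (otherwise every deploy restart alerts), and the Windows 1001 match must filter on source, since the same Event ID is used by Windows Error Reporting for application crashes.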