Hopefully I convinced you why you should monitor your system activity so the next question becomes, what should I monitor?
Here are a couple common areas to monitor regardless of system function. From webservers to desktops, this list can get you started:
- What a user did on your system. If you have a system that have multiple users on it, they will likely fall into some sort of typical usage pattern. If it goes beyond that, then you might want to investigate the activity some more.
- Identifying new files on your system. If you weren’t the one that created those files, then who did? Are those new files malicious at all?
- Checking for indicators of compromise. Attackers use exploit toolkits and they typically have signatures that you can scan for to identify if you have already been hacked.