Integrity Monitoring Report-11

Uploaded by indramulyadi27

Integrity Monitoring Report

Time Filter: January 6, 2025 00:00 - January 13, 2025 11:00
Computer Filter: All Computers
Tag Filter: All
Generated By: kksi.2024
Generated On: January 13, 2025 10:25

Integrity Monitoring Event History
(chart: event counts over the reporting period by Low, Medium, High and Critical severity; not reproduced in text)

Integrity Monitoring Event Statistics
(chart; not reproduced in text)

25 Most Common Integrity Monitoring Rule Events

# of Events   Rule

536,340 (72.8%) 1002781 - Microsoft Windows - Attributes of services modified (ATT&CK T1036.004, T1543.003)
This rule is intended to alert when attributes of certain services are modified. For additional information, see the Details tab.

Note: The rule also provides configuration options to exclude selected services from monitoring.

162,302 (22%) 1006076 - Microsoft Windows - Task scheduler entries modified (ATT&CK T1053.005)
An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct execution as part of lateral movement, to gain root privileges, or to run a process under the context of a specific account. For additional information, see the Details tab.

29,049 (3.9%) 1002778 - Microsoft Windows - System .dll or .exe files modified (ATT&CK T1036.003, T1222.001)
This rule alerts when there is a change in .dll or .exe files under the %WINDIR%\system32 path. For additional information, see the Details tab.

Note: This rule provides configuration options to exclude files from monitoring and to select the file attributes to monitor.

8,824 (1.2%) 1003019 - Application - Trend Micro Deep Security Agent / Relay
This alert indicates that the files / registry keys / services created by Deep Security Agent / Relay were modified. This could indicate that the software was updated, installed or uninstalled.

On Windows, the rule looks for any change made to installedSoftware, files, directories, registry keys and services.

On Unix, it monitors installedSoftware, files, directories and process changes.

Page 1
The rule also provides an interface to configure the installation file path.

Note: The onChange feature will not work for the DirectorySet entity set in this rule.

269 (0%) 1003063 - Application - Microsoft Exchange
This alert indicates that the files / registry keys / services created by Microsoft Exchange Server were modified. This could indicate that the software was updated, installed or uninstalled.

84 (0%) 1002910 - Application - Microsoft IIS
This alert indicates that the files / registry keys / services created by IIS were modified. This could indicate that the software was updated, installed or uninstalled.

73 (0%) 1002780 - Microsoft Windows - Installed software attributes modified (ATT&CK T1195.002, T1554)
This rule alerts when there is any change in the attributes of installed software or programs. It also alerts when a program is installed or uninstalled on a Windows host. For additional information, see the Details tab.

Note: The rule also provides configuration options to exclude software from monitoring and to select the InstalledSoftware and RegistryKey attributes to monitor.

16 (0%) 1002853 - Application - Apache Tomcat
This alert indicates that the files / registry keys / services created by Tomcat were modified. This could indicate that the software was updated, installed or uninstalled.

Note: This rule should be applied on Windows systems only.

12 (0%) 1002999 - Application - Microsoft SQL Server
This alert indicates that the files / registry keys / services created by Microsoft SQL Server were modified. This could indicate that the software was updated, installed or uninstalled.

6 (0%) 1002851 - Application - Apache HTTP Server
This alert indicates that the files / registry keys / services created by Apache were modified. This could indicate that the software was updated, installed or uninstalled.

5 (0%) 1003517 - Microsoft Windows - System driver files modified
This rule alerts when there is a change in the file attributes Created, LastModified, Permissions, Owner, Group, Size and Contents of .sys files under the %WINDIR%\system32\drivers path.

The rule also provides configuration options to exclude files from monitoring and to select the file attributes to monitor.

4 (0%) 1002779 - Microsoft Windows - System File Modified
This rule alerts when there is a change in the attributes of system files such as boot.ini, ntldr, autorun.inf, and files with the com, exe, bat, ocx, pif or sys extension located under the %SystemDrive% (e.g. C:) directory. By default, pagefile.sys and hiberfil.sys are excluded from monitoring.

The rule also provides configuration options to exclude files from monitoring and to select the file attributes to monitor.

2 (0%) 1003020 - Application - Trend Micro Deep Security Manager
This alert indicates that the files / registry keys / services created by Deep Security Manager were modified. This could indicate that the software was updated, installed or uninstalled.

Top 25 Computers Ranked by Number of Integrity Monitoring Events

# of Events   Computer

168,258 (22.8%) 10.230.114.207 (BGRDCO-PROCWB7) (10.230.114.207) Last Update: January 12, 2025 12:09
Policy: OJK Server - Primary (No RDP 20240715)

8,578 (1.2%) 10.242.70.55 (S1PI-CAMWS1) (10.242.70.55) Last Update: January 12, 2025 12:11
Policy: OJK Server - Primary (No RDP 20240715)

8,199 (1.1%) 10.225.111.235 (JKTTIP-SIPPAPP2) (10.225.111.235) Last Update: January 12, 2025 12:08
Policy: OJK Server - Primary (No RDP 20240715)

8,026 (1.1%) 10.224.127.8 (BGRDCO-RDKWEB01) (10.242.70.72) Last Update: January 13, 2025 10:20
Policy: OJK Server - Primary (No RDP 20240715)

7,412 (1%) 10.224.115.72 (BGRDCO-SIPMWEB1) (10.224.115.72) Last Update: January 12, 2025 12:04
Policy: OJK Server - Primary (No RDP 20240715)

6,794 (0.9%) 10.230.115.201 (B1PT-MAFLOW2) (10.230.115.201) Last Update: January 12, 2025 12:03
Policy: OJK Server - Primary (No RDP 20240715)

5,792 (0.8%) 10.225.90.19 (BGRDCO-BLDSVR77) (10.225.90.19) Last Update: January 12, 2025 12:14
Policy: OJK Server - Primary

4,217 (0.6%) 10.242.78.124 (SBYDRC-BLDSV09) (10.242.78.124) Last Update: January 12, 2025 12:09
Policy: OJK Server - Primary (No RDP 20240715)

4,204 (0.6%) 10.242.78.127 (SBYDRC-BLDSV12) (10.242.78.127) Last Update: January 12, 2025 12:15
Policy: OJK Server - Primary (No RDP 20240715)

4,203 (0.6%) 10.242.78.126 (SBYDRC-BLDSV11) (10.242.78.126) Last Update: January 12, 2025 12:07
Policy: OJK Server - Primary (No RDP 20240715)

4,203 (0.6%) 10.242.78.130 (SBYDRC-BLDSV15) (10.242.78.130) Last Update: January 12, 2025 12:14
Policy: OJK Server - Primary (No RDP 20240715)

4,199 (0.6%) 10.242.78.125 (SBYDRC-BLDSV10) (10.242.78.125) Last Update: January 12, 2025 12:15
Policy: OJK Server - Primary (No RDP 20240715)

4,196 (0.6%) 10.242.78.131 (SBYDRC-BLDSV16) (10.242.78.131) Last Update: January 12, 2025 12:07
Policy: OJK Server - Primary (No RDP 20240715)

4,195 (0.6%) 10.242.78.129 (SBYDRC-BLDSV14) (10.242.78.129) Last Update: January 12, 2025 12:05
Policy: OJK Server - Primary (No RDP 20240715)

4,043 (0.5%) 10.224.50.8 (BGRDCO-SAKDV) (10.224.50.8) Last Update: January 12, 2025 12:03
Policy: OJK Server - Primary (No RDP 20240715)

3,377 (0.5%) 10.225.91.101 (BGRDRC-RCK01) (10.225.91.101) Last Update: January 12, 2025 12:06
Policy: OJK Server - Primary

3,325 (0.5%) 10.243.72.25 (SBYDRC-EXCSVR06) (10.243.72.25) Last Update: January 12, 2025 12:15
Policy: OJK Server - Primary (No RDP 20240715)

3,301 (0.4%) 10.243.72.26 (SBYDRC-EXCSVR07) (10.243.72.26) Last Update: January 12, 2025 12:15
Policy: OJK Server - Primary (No RDP 20240715)

2,939 (0.4%) 10.230.111.19 (BGRDCO-APLWEB02) (10.230.111.19) Last Update: January 12, 2025 12:01
Policy: OJK Server - Primary (No RDP 20240715)

2,685 (0.4%) 10.230.72.10 (B1PT-APIW1) (10.230.72.10) Last Update: January 8, 2025 12:03
Policy: OJK Server - Primary (No RDP 20240715)

2,412 (0.3%) 10.231.112.40 (BGRDCO-AWASAPI1) (10.231.112.40) Last Update: January 12, 2025 12:15
Policy: OJK Server - Primary (No RDP 20240715)

2,128 (0.3%) 10.225.111.237 (JKTTIP-HPVINT49) (10.225.111.237) Last Update: January 12, 2025 12:12
Policy: OJK Server - Primary (No RDP 20240715)

2,079 (0.3%) 10.225.70.10 (B1PI-SIPNGA1) (10.225.70.10) Last Update: January 12, 2025 12:14
Policy: OJK Server - Primary (No RDP 20240715)

2,063 (0.3%) 10.224.70.11 (B1PI-SIPNGW4) (10.224.70.11) Last Update: January 12, 2025 12:11
Policy: OJK Server - Primary (No RDP 20240715)

2,048 (0.3%) 10.224.70.10 (B1PI-SIPNGW3) (10.224.70.10) Last Update: January 12, 2025 12:08
Policy: OJK Server - Primary (No RDP 20240715)

Top 25 Keys for Integrity Monitoring Events

# of Events   Key

245,026 (33.2%) smphost

167,593 (22.7%) N/A

54,550 (7.4%) c:\windows\system32\tasks\microsoft\windows\windows error reporting\queuereporting

54,081 (7.3%) c:\windows\system32\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask

33,564 (4.6%) gupdate

29,044 (3.9%) c:\windows\system32\hpauditlog.dll

16,262 (2.2%) c:\windows\system32\tasks\microsoft\windows\windowsupdate\scheduled start

14,647 (2%) SPTimerV4

14,099 (1.9%) WinHttpAutoProxySvc

11,653 (1.6%) UsoSvc

8,372 (1.1%) c:\windows\tasks\dcagentupdater.job

7,929 (1.1%) OJK eMail Service

7,661 (1%) SplunkForwarder

5,505 (0.7%) c:\windows\system32\tasks\microsoft\windows\flighting\onesettings\refreshcache

5,097 (0.7%) Rubrik Backup Service

4,310 (0.6%) c:\windows\system32\tasks\microsoft\windows\pla\:0v1ieca3feahez0jawxjjk5urh:$data

2,904 (0.4%) CloudEndpointService

2,611 (0.4%) VSS

2,362 (0.3%) c:\windows\system32\tasks\microsoft\windows\updateorchestrator\resume on boot

2,115 (0.3%) Trend Micro Web Service Communicator

2,083 (0.3%) GoogleUpdaterInternalService132.0.6833.0
2,039 (0.3%) GoogleUpdaterService132.0.6833.0

1,953 (0.3%) RemoteRegistry

1,785 (0.2%) GoogleUpdaterService126.0.6462.0

1,784 (0.2%) GoogleUpdaterInternalService126.0.6462.0