Compliance Report SOC 2 (CC6/CC7)
File Integrity Monitoring (FIM)
12
≡ 7
Anomalies Detected
8
Active Agents
34
Users
187
Processes
42,891
Files
284,617
≡ 31,211
File Change Logs
18,432
Create
9,217
Attrib
198,341
Modify
43,892
Write
8,614
Move
6,121
Delete
AI Security Analysis
SOC 2 (CC6/CC7) Compliance
- Risk Profile — HIGH: Monitoring across 8 active agents produced 284,617 file events with 12 anomaly events detected across 7 suspicious workloads. Two CRITICAL signals involve unauthorized modifications to
/etc/shadowand SSHauthorized_keysinjection, requiring immediate investigation. - Signals: 2 CRITICAL signals flagged — direct
/etc/shadowmodification by non-root processcurl(CC6.1 violation) and SSH authorized_keys backdoor injection viascpfrom external IP. 3 HIGH signals: cron persistence via/etc/cron.d/write, kernel module config change, and interactivevimedit of/etc/sudoers. 2 MEDIUM signals: package installation outside maintenance window and web-facing user file write. - Verdict: The observed file activity presents active SOC 2 (CC6/CC7) audit exposure. The unauthorized credential file modification and SSH backdoor injection represent immediate threats to logical access controls. Recommend incident response activation for the 2 CRITICAL findings. The cron persistence and sudoers modification suggest lateral movement preparation. Maintenance window enforcement should be tightened to reduce MEDIUM-severity noise.
Security Anomalies & Exceptions
Attention Required: Events matching High Risk or Critical Risk patterns.
TIMELINE (24H)
Top Anomalies
| Host | User | Process | File | Device | Events | Timestamps | Logs | Risk Assessment |
|---|---|---|---|---|---|---|---|---|
| ehr-prod-03 | www-data | curl | /etc/shadow | /dev/sda1 | MOD,WR | 03:14 | x 1 | CRITICAL_FILE |
| ehr-prod-03 | www-data | scp | /root/.ssh/authorized_keys | /dev/sda1 | CR,WR | 03:14 | x 1 | BACKDOOR |
| ehr-prod-03 | www-data | bash | /etc/cron.d/system-update | /dev/sda1 | CR,WR | 03:15 | x 1 | CRON_MOD |
| db-replica-01 | root | insmod | /etc/modprobe.d/custom.conf | /dev/nvme0n1p2 | CR,WR | 07:42 | x 1 | KERNEL_MOD |
| ehr-prod-01 | admin | vim | /etc/sudoers | /dev/sda1 | MOD,WR | 14:23 | x 1 | PERM_CHANGE |
| api-gateway-02 | root | apt | /usr/lib/python3/dist-packages/* | /dev/sda1 | CR,MOD | 11:30-11:34 | x 6 | PKG_MOD |
| ehr-prod-02 | www-data | php-fpm | /tmp/.cache/session_handler.so | /dev/sda1 | CR,WR | 19:07 | x 1 | WEB_ANOMALY |
7 Suspicious Workloads (12 Anomalies) in 284,617 Total Logs
Operational Profile
Baseline of non-anomalous high-volume system activity
Top Workloads
| Host | User | Process | File | Device | Events | Timestamps | Logs |
|---|---|---|---|---|---|---|---|
| ehr-prod-01 | systemd-timesync | systemd-timesyncd | /var/lib/systemd/timesync/clock | /dev/mmcblk0p2 | ATT | 00:00-23:59 | x 1,263 |
| ehr-prod-01 | root | rsyslogd/in:imjournal | /var/lib/rsyslog/imjournal.state | /dev/sda2 | CR,MOD,WR,MV | 23:59-1-23:58 | x 1,230 |
| ehr-prod-01 | root | sshd | /var/log/btmp | /dev/sda2 | MOD,WR | 23:59-1-23:57 | x 1,020 |
| ehr-prod-01 | root | systemd | /proc/1/task/1/attr/fscreate | proc:/proc | MOD,WR | 00:03-23:54 | x 416 |
| ehr-prod-01 | root | systemd | /run/systemd/units/invocation:gce-workload-cert-refresh.service | tmpfs:/run | MV,DEL | 00:03-23:54 | x 276 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/memory.low | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/memory.swap.max | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/pids.max | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/cgroup.subtree_control | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/memory.high | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd/(_refresh) | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/cgroup.procs | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/memory.oom.group | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/memory.min | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/cgroup.procs | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/memory.max | cgroup2:/sys/fs/cgroup | MOD,WR | 00:03-23:54 | x 138 |
| ehr-prod-01 | root | systemd | /run/systemd/units/invocation:NetworkManager-dispatcher.service | tmpfs:/run | MV,DEL | 00:12-23:42 | x 96 |
| ehr-prod-01 | root | systemd/(spatcher) | /sys/fs/cgroup/system.slice/NetworkManager-dispatcher.service/cgroup.procs | cgroup2:/sys/fs/cgroup | MOD,WR | 00:12-23:42 | x 48 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/NetworkManager-dispatcher.service/cgroup.procs | cgroup2:/sys/fs/cgroup | MOD,WR | 00:12-23:42 | x 48 |
| ehr-prod-01 | root | systemd | /sys/fs/cgroup/system.slice/NetworkManager-dispatcher.service/memory.low | cgroup2:/sys/fs/cgroup | MOD,WR | 00:12-23:42 | x 48 |
| ehr-prod-01 | root | NetworkManager | /run/NetworkManager/devices/2 | tmpfs:/run | MV | 00:12-23:42 | x 48 |
Top 20 of 31,204 Regular Workloads in 284,617 Total Logs
Top Hosts
| Host | Logs |
|---|---|
| ehr-prod-01 | x 52,341 |
| ehr-prod-02 | x 48,923 |
| ehr-prod-03 | x 41,207 |
| api-gateway-02 | x 38,614 |
| db-replica-01 | x 34,891 |
Top 5 of 8 Hosts
Top Users
| User | Logs |
|---|---|
| root | x 11,763 |
| systemd-timesync | x 1,303 |
| man | x 181 |
| chrony | x 42 |
| acme-saas | x 35 |
Top 5 of 34 Users
Top Processes
| Process | Logs |
|---|---|
| sshd | x 5,399 |
| systemd | x 3,048 |
| systemd-timesyncd | x 1,303 |
| rsyslogd/in:imjournal | x 1,230 |
| systemd-journald | x 694 |
| python3.9/dnf | x 474 |
| NetworkManager | x 208 |
| mandb | x 181 |
| systemd/(_refresh) | x 138 |
| cron | x 52 |
Top 10 of 187 Processes
Top Files
| File | Logs |
|---|---|
| /var/lib/systemd/timesync/clock | x 1,263 |
| /var/lib/rsyslog/imjournal.state | x 1,230 |
| /var/log/btmp | x 1,020 |
| /proc/1/task/1/attr/fscreate | x 416 |
| /run/systemd/units/invocation:gce-workload-cert-refresh.service | x 276 |
| /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/cgroup.procs | x 276 |
| /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/memory.swap.max | x 138 |
| /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/pids.max | x 138 |
| /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/memory.max | x 138 |
| /sys/fs/cgroup/system.slice/gce-workload-cert-refresh.service/cgroup.subtree_control | x 138 |
Top 10 of 42,891 Files