How it works

The command monitoring capability is available on every endpoint where the ThreatLockDown server or agent is installed. ThreatLockDown uses the Command module and the Logcollector module to run commands on the endpoints and forward their output to the ThreatLockDown server for analysis.

The steps below describe the sequence of actions from when a user configures the command monitoring module to when the ThreatLockDown server generates alerts:

  1. The user adds the desired command either to the agent's local configuration file or centrally, through the ThreatLockDown server, using the Command module or the Logcollector module.

  2. The ThreatLockDown agent executes the command on the endpoint periodically, at the configured frequency or interval.

  3. The ThreatLockDown agent captures the command's output and forwards it to the ThreatLockDown server for analysis.

  4. The ThreatLockDown server pre-decodes and decodes the received logs, then matches them against its rules. If a log matches a rule, the server generates an alert, writes it to the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files, and shows it on the ThreatLockDown dashboard.
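The procedure above, as one added worked example (this is not configuration from this page or shipped by ThreatLockDown): an agent-side fragment that registers commands through both the Logcollector module and the Command module, followed by a server-side custom rule that alerts on their output. The element names, file paths, the built-in rule ID 530 for "ossec: output:" lines and the custom rule ID 100010 follow Wazuh conventions and are assumptions here; check them against the ThreatLockDown reference before use.

```xml
<!-- Agent side: fragment for the agent configuration file. Path and syntax
     are assumed to follow Wazuh (/var/ossec/etc/ossec.conf locally, or the
     shared agent.conf pushed from the server). -->
<ossec_config>

  <!-- Logcollector module, log_format "command": every output line is
       forwarded as its own log, prefixed "ossec: output: '<alias>': ...".
       <frequency> is in seconds. -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <alias>df_check</alias>
    <frequency>360</frequency>
  </localfile>

  <!-- Logcollector module, log_format "full_command": the whole output is
       forwarded as a single log, which suits multi-line output such as a
       listening-port listing that a rule wants to see in one piece. -->
  <localfile>
    <log_format>full_command</log_format>
    <command>ss -ltnp</command>
    <alias>listening_ports</alias>
    <frequency>360</frequency>
  </localfile>

  <!-- Command module: runs a script on a schedule. <interval> accepts units
       (s, m, h, d). Output is forwarded with <tag> as its location unless
       <ignore_output> is yes. The digest check refuses to run a script whose
       contents changed on disk; the value below is a placeholder, replace it
       with the real SHA-256 of the script. Path and script are assumptions. -->
  <wodle name="command">
    <disabled>no</disabled>
    <tag>check-passwd-perms</tag>
    <command>/var/ossec/checks/passwd-perms.sh</command>
    <interval>1d</interval>
    <ignore_output>no</ignore_output>
    <run_on_start>yes</run_on_start>
    <timeout>60</timeout>
    <verify_sha256>REPLACE_WITH_SHA256_OF_THE_SCRIPT</verify_sha256>
  </wodle>

</ossec_config>

<!-- Server side: custom rule fragment, assumed to live in
     /var/ossec/etc/rules/local_rules.xml. Rule 530 is assumed to be the
     built-in rule that matches "ossec: output:" lines; 100010 is an ID
     chosen from the custom range for this example. -->
<group name="local,command_monitoring,">
  <rule id="100010" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df_check'</match>
    <regex>100%</regex>
    <description>Command monitoring: a filesystem reported by df is full.</description>
  </rule>
</group>
```

Two checks a practitioner would apply before enabling this. First, the agent runs each configured command with its own privileges, so the scripts it references must be owned by root and not writable by anyone else, and the `verify_sha256` element is there to make the agent refuse a script that has been altered. Second, in Wazuh an agent ignores commands pushed centrally through agent.conf unless `logcollector.remote_commands=1` and `wazuh_command.remote_commands=1` are set in the agent's local_internal_options.conf; this is a deliberate opt-in, because without it anyone who controls the server's shared configuration gains command execution on every agent. Whether ThreatLockDown keeps these option names is not stated on this page, so confirm them in its reference before relying on central configuration.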

The image below shows the components involved in the command monitoring process.

Command monitoring workflow