
I would like some input from security professionals on the data exfiltration scenarios commonly executed by ransomware gangs.

My area is system recovery & I am not knowledgeable about SIEM. I assume it is a golden window and weak point of even advanced ransomware. That is, if they exfiltrate 1 TB at 100 Gb per day, we have a number of days to react. Even if they disguise this over https and different ports, surely the raw quantity is a dead giveaway.

  • Does anyone have any quick insights to share, especially using open-source software?
  • Would slimmed-down SIEM specifically orientated to catch this be useful?

1 Answer


That will depend on the information (logs) that is collected by the agents on the devices (computers, servers or mobile devices) and the defined detection rules.

There is plenty of FOSS that can help with system monitoring (e.g. auditd, OSSEC, WAZUH, osquery, Zeek (Bro), AIDE, suricata, snort, etc.). For SIEM software, the ELK stack, AlienVault or SecurityOnion have a free version.

For the information that will be collected by the SIEM agents, it will depend on many factors (e.g. the threat model, the storage where the logs will be kept, including log retention if needed, the policy that is already applied within the organisation).

Whole systems can be monitored, but that can be overwhelming. Thus, threat modeling can help to define which logs need to be monitored depending on their importance or criticality.

Here are some logs that could be considered:

  • The startup programs (used for persistence by malware)
  • Added/deleted/disabled software (in case the AV is disabled)
  • User management (added/deleted users or privilege changes)
  • Processes that do not have an executable file (loaded only in memory)
  • Privileged processes
  • Outgoing connections
  • Incoming connections from an unusual port
  • Logs deleted
  • Files integrity
  • High memory usage
  • Firewall mode (in case it is disabled)

Once you have all the logs, alert rules could be created on the SIEM (e.g. connection to the TOR network, the SIEM agents disabled, AV disabled, etc.).

In case exfiltration is the critical threat, a Network Intrusion Detection System (NIDS) should also be a solution to be considered.
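One way to turn the "raw quantity is a dead giveaway" idea from the question into a concrete check, as an added example that is not part of the original question or answer: sum the bytes each internal host sends to external addresses per day from Zeek conn.log records (constructed sample lines in Zeek's JSON output format) and flag hosts above a volume threshold, regardless of port or protocol. The threshold, the sample data and the internal address prefixes are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample Zeek conn.log records (JSON format); not real traffic.
# orig_bytes = bytes sent by the originator (the internal host) to the responder.
SAMPLE_CONN_LOG = """
{"ts": 1700000000.1, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 900000000, "resp_bytes": 40000}
{"ts": 1700001800.2, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 1200000000, "resp_bytes": 50000}
{"ts": 1700003600.3, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 8443, "proto": "tcp", "orig_bytes": 1500000000, "resp_bytes": 30000}
{"ts": 1700001000.4, "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.20", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 2000000, "resp_bytes": 30000000}
{"ts": 1700002000.5, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.9", "id.resp_p": 445, "proto": "tcp", "orig_bytes": 5000000000, "resp_bytes": 1000}
"""

# Assumption: these prefixes are "internal"; a real deployment would use the site's own ranges.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def egress_per_host(log_text):
    """Sum bytes each internal host sent to external responders, keyed by (host, day)."""
    totals = defaultdict(int)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        # Only internal -> external traffic counts; port and protocol are deliberately
        # ignored, since disguising the channel does not reduce the volume.
        if not is_internal(src) or is_internal(dst):
            continue
        day = int(rec["ts"]) // 86400  # whole days since the Unix epoch
        totals[(src, day)] += rec.get("orig_bytes", 0)
    return dict(totals)


def flag_exfil(log_text, threshold_bytes):
    """Return (host, day, bytes) for hosts whose daily egress exceeds the threshold, largest first."""
    hits = [(h, d, b) for (h, d), b in egress_per_host(log_text).items() if b > threshold_bytes]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    # Assumed threshold: 1 GB per host per day; tune it against a baseline of normal traffic.
    for host, day, sent in flag_exfil(SAMPLE_CONN_LOG, 1_000_000_000):
        print(f"day {day}: {host} sent {sent / 1e9:.2f} GB to external hosts")
```

In practice the threshold should come from a per-host baseline rather than a fixed number, and the same aggregation can be expressed as a scheduled query in the SIEM over whatever connection logs it already ingests.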
