We need to monitor and potentially alert on items, including the following:

- OS changes (e.g., in production, in our build infrastructure)
- Security group changes
- Changes to configurations (e.g., OSSEC, Puppet, Chef, Tripwire)
- Cloud infrastructure changes (e.g., VPC, security groups, users and privileges)
- XSS attempts (i.e., “cross-site scripting attacks”)
- SQLi attempts (i.e., “SQL injection attacks”)
- Web server errors (e.g., 4XX and 5XX errors)

We also want to confirm that we’ve correctly configured our logging so that all telemetry is being sent to the right place.
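As an added illustration (this is example code, not from the original text or any product it mentions), the script below runs the last three items of that list as detection logic over web server access logs: it flags XSS and SQLi indicators in request paths, counts 4XX/5XX responses, raises an aggregate alarm when the error rate crosses a threshold, and counts lines the parser could not read, which is a cheap check that the logging pipeline is actually delivering the format you expect. The log lines, IP addresses, the 25% error-rate threshold, and the indicator patterns are all constructed for the example and are deliberately simple; a production deployment would use a tuned rule set (e.g., a WAF or SIEM rule pack) rather than these few regexes.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "sqlmap/1.7"
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET /item?id=2%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 0 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative indicator patterns (assumption: a real rule set would be far larger).
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon\w+\s*=", re.I),        # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
]
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\d*'?\s*=", re.I),   # ' OR '1'='1
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"--\s*$|;\s*(drop|delete|insert)\b", re.I),
]


def parse_line(line):
    """Parse one access log line; return a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode percent-encoding twice so %2527-style double encoding cannot hide a payload.
    rec["decoded_path"] = unquote_plus(unquote_plus(rec["path"]))
    return rec


def classify(rec):
    """Return the alert tags that apply to one parsed record (empty list if benign)."""
    tags = []
    target = rec["decoded_path"]
    if any(p.search(target) for p in XSS_PATTERNS):
        tags.append("xss_attempt")
    if any(p.search(target) for p in SQLI_PATTERNS):
        tags.append("sqli_attempt")
    if 400 <= rec["status"] < 500:
        tags.append("http_4xx")
    elif rec["status"] >= 500:
        tags.append("http_5xx")
    return tags


def analyze(log_text, error_threshold=0.25):
    """Run detection over a block of log lines; return (per-line alerts, summary)."""
    alerts = []
    counts = Counter()
    total = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        rec = parse_line(line)
        if rec is None:
            # Unparseable lines usually mean the log format or shipper is misconfigured.
            unparsed += 1
            continue
        tags = classify(rec)
        counts.update(tags)
        if tags:
            alerts.append({"ip": rec["ip"], "path": rec["decoded_path"],
                           "status": rec["status"], "tags": tags})
    errors = counts["http_4xx"] + counts["http_5xx"]
    error_rate = errors / total if total else 0.0
    summary = {
        "total": total,
        "unparsed": unparsed,
        "counts": dict(counts),
        "error_rate": error_rate,
        "error_rate_alarm": total > 0 and error_rate >= error_threshold,
    }
    return alerts, summary


if __name__ == "__main__":
    found, stats = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['ip']:<14} {a['status']} {','.join(a['tags']):<22} {a['path']}")
    print("summary:", stats)
```

The per-request tags feed individual alerts (an XSS or SQLi attempt from a given source), while the summary is what an aggregate alert such as "5XX rate above 25% in the last window" would be built on. The `unparsed` counter is the logging-configuration check mentioned in the text: if it is non-zero, or if `total` is zero for a service you know is serving traffic, the problem is upstream in log collection, not in the application.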

