- Attackers like to remove the log evidence associated with gaining access, elevating privileges, and installing rootkits and backdoors. The records they typically target include:
- Login records
- Stopped and restarted services
- File access/update times
- Security-related events such as failed login attempts or failed access to files
- System events such as a failure to start a system service
- Application events from services such as databases or web servers
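Removing lines from a log leaves traces of its own: a silent stretch in an otherwise chatty file, a "session closed" with no matching "session opened", or a line whose timestamp runs backwards after a hand edit. The script below is an added example, not code from the original page; it runs three such checks over a constructed syslog excerpt (the host name, PIDs, addresses and the assumed year 2024 are all made up for the sample) in which an attacker's login and the commands that followed have been cut out.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt, not taken from any real system. It models the
# aftermath of the clean-up described above: the attacker's ssh login at about 02:14
# and everything that followed have been deleted, leaving (a) a 46-minute hole,
# (b) a 'session closed' for 'deploy' with no matching 'session opened', and
# (c) a 'Stopped ... Logging Service' line whose timestamp runs backwards.
SAMPLE_LOG = """\
Mar 14 02:10:01 host CRON[4211]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 02:10:01 host CRON[4211]: pam_unix(cron:session): session closed for user root
Mar 14 02:12:33 host sshd[4390]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 14 02:58:47 host sshd[4402]: pam_unix(sshd:session): session closed for user deploy
Mar 14 03:00:01 host CRON[4520]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 03:00:01 host CRON[4520]: pam_unix(cron:session): session closed for user root
Mar 14 02:40:10 host systemd[1]: Stopped System Logging Service.
"""

# Classic BSD syslog layout: timestamp (no year), host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")


def parse_log(text, year=2024):
    """Parse syslog lines into dicts. The year is an assumption (syslog omits it)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        d = m.groupdict()
        d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
        entries.append(d)
    return entries


def find_gaps(entries, max_gap=timedelta(minutes=30)):
    """Silent periods longer than max_gap between consecutive lines, in file order."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta > max_gap:
            gaps.append((prev["ts"], cur["ts"], delta))
    return gaps


def find_out_of_order(entries):
    """Lines whose timestamp is earlier than the line written before them."""
    return [cur for prev, cur in zip(entries, entries[1:]) if cur["ts"] < prev["ts"]]


def find_unmatched_sessions(entries):
    """'session closed' records with no earlier 'session opened' for the same pid/user."""
    open_sessions = set()
    unmatched = []
    for e in entries:
        m = SESSION_RE.search(e["msg"])
        if not m:
            continue
        key = (e["pid"], m.group("user"))
        if m.group("state") == "opened":
            open_sessions.add(key)
        elif key in open_sessions:
            open_sessions.discard(key)
        else:
            unmatched.append(key)
    return unmatched


def audit(text, year=2024, max_gap=timedelta(minutes=30)):
    """Run the three tamper checks and return their findings."""
    entries = parse_log(text, year)
    return {
        "gaps": find_gaps(entries, max_gap),
        "out_of_order": find_out_of_order(entries),
        "unmatched_sessions": find_unmatched_sessions(entries),
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

The gap threshold depends on how busy the host normally is; 30 minutes is a placeholder, and on a production box the value should be derived from a baseline of the same log. None of these checks proves tampering on its own, but each points at exactly the kind of record the list above says an attacker wants gone.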