Shared accounts – An investigation is initiated to review network outages and finds multiple instances where an administrator account logged into critical servers before failure. Shared accounts make it very difficult to trace fault to one individual—it is impossible to determine from the logs on that system which person was logged into the user account that made the error. Therefore, to aid in investigations, usage must be tied to an individual user ID and unique password with correct time. Systems also should be configured to detect any and all use of generic IDs, such as an administrator or root account, and trace them to unique identities.

User account changes – A malicious user finds an un-patched flaw in an environment that allows elevation of privileges. That user then uses system-level privileges to create a new bogus user object from which to launch further attacks. A user object could be, for example, a Microsoft Widows Domain or local user account. User object logs can be used to figure out when a name was changed or an account added. This assists in detection of actions without authorization or users trying to hide attacks.

Unauthorized software – Malware or a new virtual machine instance in the vCloud can be found in system object logs. A system must track system objects that are added, removed, or modified. This can be very helpful during installation to monitor system changes caused by software.