All commands run on any attacker-controlled machine should be timestamped and logged, then shipped to Elastic. Timestamps should be uniform and should avoid the system's local time as much as possible: either normalize every timestamp to UTC, or store each timestamp as a datetime together with its timezone offset. Either way, every command, including its complete command-line arguments, must be timestamped and logged.
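The following is an added example, not code from the original page or from any project it describes. It shows the two requirements above in working form: a command record is rejected unless its timestamp carries a timezone, the timestamp is normalized to UTC, and the full argument list is preserved both as an array and as a shell-quoted command line. Field names follow the Elastic Common Schema (ECS) where one exists; the record layout, the `operator` field and the sample command are assumptions made for illustration.

```python
"""Normalize command-execution records to UTC before shipping them to Elastic.

Added example (not from the original page). Each executed command becomes one
JSON document carrying a UTC timestamp, the full argument list and the
host/operator context needed for later deconfliction and timeline review.
"""
import json
import shlex
from datetime import datetime, timezone


def normalize_timestamp(stamp: str) -> str:
    """Parse an ISO 8601 timestamp and return it as UTC with a 'Z' suffix.

    A timestamp without a timezone offset is rejected instead of guessed at:
    that ambiguity is exactly what the logging policy is meant to avoid.
    """
    when = datetime.fromisoformat(stamp)
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError(f"timestamp {stamp!r} carries no timezone information")
    utc = when.astimezone(timezone.utc)
    return utc.isoformat(timespec="seconds").replace("+00:00", "Z")


def build_command_record(argv, *, host, operator, when, exit_code=None):
    """Build one ECS-style log document for a command, keeping every argument."""
    if not argv:
        raise ValueError("argv must contain at least the program name")
    process = {
        "name": argv[0],
        "args": list(argv),                 # exact arguments, unmodified
        "command_line": shlex.join(argv),   # shell-quoted for readability
    }
    if exit_code is not None:
        process["exit_code"] = exit_code
    return {
        "@timestamp": normalize_timestamp(when),
        "event": {"kind": "event", "category": ["process"], "type": ["start"]},
        "host": {"name": host},
        "user": {"name": operator},         # 'operator' is an assumed label
        "process": process,
    }


def to_ndjson(records):
    """Serialize records as newline-delimited JSON, the shape Elastic's bulk API ingests."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records) + "\n"


if __name__ == "__main__":
    # Constructed sample: a command run at 14:05 local time on a host in UTC-5.
    record = build_command_record(
        ["grep", "-r", "error log", "/var/log"],
        host="ops-box-01",
        operator="alice",
        when="2024-03-01T14:05:00-05:00",
        exit_code=0,
    )
    print(to_ndjson([record]))   # @timestamp becomes 2024-03-01T19:05:00Z
```

The rejection of naive timestamps is deliberate: a log line with no offset cannot be placed on a shared timeline with confidence, so it is better to fail at logging time than to discover the gap during an after-action review.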