Detect ftp commands in ELK

Hi all, I'm working on a school lab on the following scenario:
A "hacker" got access to my Ubuntu server (22.04), installed vsftpd and downloaded some files.
I can see the FTP authentication and the traffic on port 21, but I would like to know if it is possible to see what files have been downloaded.
My server has packetbeat, auditbeat and filebeat installed.
My goal is to create a detection rule that will detect this behaviour in the future. I think that monitoring port 21 or the process name vsftpd is a little bit too simple, as a different port and another application can be used.
I've spent the last days googling it without success. Any help would be much appreciated.
Thanks
