diff --git a/docs/integrations/cloud-security-monitoring-analytics/windows.md b/docs/integrations/cloud-security-monitoring-analytics/windows.md index eb43123c35d..d0d70f4ae7c 100644 --- a/docs/integrations/cloud-security-monitoring-analytics/windows.md +++ b/docs/integrations/cloud-security-monitoring-analytics/windows.md @@ -99,7 +99,7 @@ import FilterDashboards from '../../reuse/filter-dashboards.md'; ### Inventory -The **Windows - Security Monitoring - Inventory** dashboard helps you to quickly assess system inventory and recent system reboots/restarts in order to understand device activity within your environment. +The **Windows (Classic) - Security Monitoring - Inventory** dashboard helps you to quickly assess system inventory and recent system reboots/restarts in order to understand device activity within your environment. **Use case:** System inventory and system boots are leading indicators of potential security threats to be aware of, and that may require further attention. @@ -107,7 +107,7 @@ The **Windows - Security Monitoring - Inventory** dashboard helps you to quickly ### Critical Events -The **Windows - Security Monitoring - Critical Events** dashboard helps you when the audit logs are tampered, services are stopped, and ingestion delays go above ten seconds, these are all good indicators that there are action items to be taken to resolve issues within your Windows machines. +The **Windows (Classic) - Security Monitoring - Critical Events** dashboard helps you when the audit logs are tampered, services are stopped, and ingestion delays go above ten seconds, these are all good indicators that there are action items to be taken to resolve issues within your Windows machines. **Use case:** Evaluating unexpected critical events within Windows infrastructure allows for teams to stay on top of any necessary remedial steps. @@ -115,7 +115,7 @@ The **Windows - Security Monitoring - Critical Events** dashboard helps you when ### Windows Updates -The **Windows - Security Analytics - Windows Updates** dashboard provides rich visualizations to indicate the ongoing flow of Windows updates within your organization, so that engineering teams are made aware of red flags or update schedules that require updating. +The **Windows (Classic) - Security Analytics - Windows Updates** dashboard provides rich visualizations to indicate the ongoing flow of Windows updates within your organization, so that engineering teams are made aware of red flags or update schedules that require updating. **Use case:** Assess overall trend lines via the dashboard, and dive into specific events and event types to understand specific update failures. @@ -123,7 +123,7 @@ The **Windows - Security Analytics - Windows Updates** dashboard provides rich v ### Windows Firewall -The **Windows - Security Analytics - Windows Firewall** dashboard allows you to view Windows Firewall activity including Firewall Service Events, MPSSVC Rule Level Policy Changes, and Filtering Platform Policy Changes. +The **Windows (Classic) - Security Analytics - Windows Firewall** dashboard allows you to view Windows Firewall activity including Firewall Service Events, MPSSVC Rule Level Policy Changes, and Filtering Platform Policy Changes. **Use case:** Filter by EventID or specific device to analyze traffic patterns within your Windows environments @@ -131,7 +131,7 @@ The **Windows - Security Analytics - Windows Firewall** dashboard allows you to ### Windows Defender -The **Windows - Security Analytics - Windows Defender** dashboard is designed to offer visibility into Defender Service Events and Defender Threat Events at the Computer and Trend level. +The **Windows (Classic) - Security Analytics - Windows Defender** dashboard is designed to offer visibility into Defender Service Events and Defender Threat Events at the Computer and Trend level. **Use case:** Understand cross-sections of service events and threat events, filtered down by specific devices to stay ahead of changing attack surfaces. @@ -139,7 +139,7 @@ The **Windows - Security Analytics - Windows Defender** dashboard is designed to ### User Group Updates -The **Windows - Security Analytics - User Group Updates** dashboard provides User Group Updates that are generally a good litmus test for a summarized trend of how successfully Windows groups are being updated and on a correct cadence depending on policy requirements. +The **Windows (Classic) - Security Analytics - User Group Updates** dashboard provides User Group Updates that are generally a good litmus test for a summarized trend of how successfully Windows groups are being updated and on a correct cadence depending on policy requirements. **Use case:** Aligning group update schedules to existing policies within your organization, and informing future policy changes as well based on triangulation against security events tied to update changes. @@ -147,7 +147,7 @@ The **Windows - Security Analytics - User Group Updates** dashboard provides Use ### User Authentication -The **Windows - Security Analytics - User Authentication** dashboard points to snapshots of trends for successful logins as well as unsuccessful logins. +The **Windows (Classic) - Security Analytics - User Authentication** dashboard points to snapshots of trends for successful logins as well as unsuccessful logins. **Use case:** Unsuccessful logins in particular will indicate potential threats including brute-force attempts. @@ -155,7 +155,7 @@ The **Windows - Security Analytics - User Authentication** dashboard points to s ### User Account Changes -The **Windows - Security Analytics - User Account Changes** dashboard shows user accounts created, deleted, locked out, as well as password changes for a given account. +The **Windows (Classic) - Security Analytics - User Account Changes** dashboard shows user accounts created, deleted, locked out, as well as password changes for a given account. **Use case:** Begin with the summarized visuals in the left columns, and navigate to the right column details to understand specific computers and subjects involved in the given activity. @@ -163,7 +163,7 @@ The **Windows - Security Analytics - User Account Changes** dashboard shows user ### TLS Certificates and Secure Channels -The **Windows - Security Analytics - TLS Certificates and Secure Channels** dashboard indicates TLS Certificate and Secure Channel activity and associated computers, trends, and latest events. +The **Windows (Classic) - Security Analytics - TLS Certificates and Secure Channels** dashboard indicates TLS Certificate and Secure Channel activity and associated computers, trends, and latest events. **Use case:** By mapping changes in certificates and associated trends, teams can identify areas of improvement for current TLS Certificate deployments. @@ -171,12 +171,31 @@ The **Windows - Security Analytics - TLS Certificates and Secure Channels** dash ### Default Accounts Usage -The **Windows - Security Analytics - Default Accounts Usage** dashboard allows you to filter Default Accounts Usage by EventID, Computer, SubjectUserName, and TargetUserName. +The **Windows (Classic) - Security Analytics - Default Accounts Usage** dashboard allows you to filter Default Accounts Usage by EventID, Computer, SubjectUserName, and TargetUserName. **Use case:** Honeycomb visuals also point to potential hotspots, or in other words specific computers that may require further attention relative to typical expected behavior within your organization. Windows cloud Security Analytics dashboards +## Create monitors for the Windows Cloud Security app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Windows Cloud Security Monitoring and Analytics alerts + +| Name | Description | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `Windows (Classic) - Security Analytics - Excessive Failed Logins` | This alert is triggered when a single user has more than 10 failed login attempts within 5 minutes. This may indicate a brute-force attack or credential stuffing attempt against the user's account. | Count > 0 | Count <= 0 | +| `Windows (Classic) - Security Analytics - User Account Locked Out` | This alert is triggered when a user account is locked out (EventID 4740). This may indicate a brute-force attack has triggered the account lockout policy, or a misconfigured service is repeatedly attempting authentication with stale credentials. | Count > 0 | Count <= 0 | +| `Windows (Classic) - Security Analytics - User Added to Administrative Group` | This alert is triggered when a user is added to a privileged administrative group such as Administrators, Domain Admins, Schema Admins, or Enterprise Admins. This may indicate privilege escalation or unauthorized access. | Count > 0 | Count <= 0 | +| `Windows (Classic) - Security Analytics - Audit Log Cleared` | This alert is triggered when the Windows Security or System audit log is cleared (EventIDs 104, 517, 1102). This is a high-severity indicator as attackers often clear audit logs to cover their tracks after compromising a system. | Count > 0 | Count <= 0 | +| `Windows (Classic) - Security Analytics - Windows Defender Malware Detected` | This alert is triggered when Windows Defender detects malware or other potentially unwanted software (EventIDs 1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119). Immediate investigation is required to determine the scope of infection. | Count > 0 | Count <= 0 | +| `Windows (Classic) - Security Analytics - Windows Defender Real-Time Protection Disabled` | This alert is triggered when Windows Defender Real-Time Protection is disabled (EventID 5001). Disabling real-time protection leaves the system vulnerable to malware and may indicate an attacker attempting to evade detection. | Count > 0 | Count <= 0 | +| `Windows (Classic) - Security Analytics - Windows Firewall Disabled` | This alert is triggered when the Windows Firewall Service is stopped (EventID 5025). A disabled firewall significantly increases the attack surface and may indicate an attacker attempting to open network access. | Count > 0 | Count <= 0 | +| `Windows (Classic) - Security Analytics - Default Account Activity` | This alert is triggered when activity is detected from default or built-in accounts (Administrator, Guest, Root). These accounts should not be used in a properly configured environment and activity may indicate unauthorized access or policy violation. | Count > 0 | Count <= 0 | + ## Upgrade/Downgrade the Windows Cloud Security app (Optional) import AppUpdate from '../../reuse/apps/app-update.md'; diff --git a/docs/integrations/hosts-operating-systems/host-process-metrics.md b/docs/integrations/hosts-operating-systems/host-process-metrics.md index 6bf456cf347..2bd7496cf81 100644 --- a/docs/integrations/hosts-operating-systems/host-process-metrics.md +++ b/docs/integrations/hosts-operating-systems/host-process-metrics.md @@ -158,103 +158,18 @@ Example: For defining multiple patterns for multiple processes you can use the p ## Sample queries -**CPU Utilization by Host** panel in **Host Metrics - CPU** Dashboard +**CPU Utilization by Host** panel in **Host and Process Metrics - CPU** Dashboard ```sql host.name=* cpu=cpu-total metric=(host_cpu_usage_user OR host_cpu_usage_system OR host_cpu_usage_iowait OR host_cpu_usage_steal OR host_cpu_usage_softirq OR host_cpu_usage_irq OR host_cpu_usage_nice) | sum by host.name ``` -**CPU Usage** panel in **Process Metrics Details** Dashboard +**CPU Usage** panel in **Host and Process Metrics - Process Details** Dashboard ```sql metric=procstat_cpu_usage host.name=* process.executable.name=* | avg by host.name, process.executable.name | outlier ``` -## Installing the Alerts - -The next few sections provide instructions for installing the Sumo app and Alerts for hosts and processes. These instructions assume you have already set up a collection as described in Collecting Metrics for Host and Processes. - -Sumo Logic has provided out-of-the-box alerts available through [Sumo Logic monitors](/docs/alerts/monitors) to help you monitor your hosts and processes. These alerts are built based on metrics and logs datasets and include preset thresholds based on industry best practices and recommendations. - -For details on the individual alerts, see [last section](#host-and-process-metrics-alerts). - -* To install these alerts, you need to have the Manage Monitors role capability. -* Alerts can be installed by either importing them a JSON or a Terraform script. - -There are limits to how many alerts can be enabled - please see the [Alerts FAQ](/docs/alerts/monitors/monitor-faq.md) for details. - - -### Method A: Importing a JSON file - -1. Download the [JSON file](https://github.com/SumoLogic/terraform-sumologic-sumo-logic-monitor/blob/main/monitor_packages/host_process_metrics/host_process_metrics.json) describing all the monitors.
The JSON contains the alerts that are based on Sumo Logic searches that do not have any scope filters and therefore will be applicable to all hosts, the data for which has been collected via the instructions in the previous sections. However, if you would like to restrict these alerts to specific hosts or environments, update the JSON file by replacing the text `$$hostmetrics_data_source` with ``. SourceCategory examples: - * For alerts applicable only to a specific cluster of hosts, your custom filter could be: `'_sourceCategory=yourclustername/metrics'`. - * For alerts applicable to all hosts that start with ec2hosts-prod, your custom filter could be: `'_sourceCategory=ec2hosts-prod*/metrics'`. - * For alerts applicable to a specific cluster within a production environment, your custom filter could be: `'_sourceCategory=prod/yourclustername/metrics'` -2. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Monitoring > Monitors**. You can also click the **Go To...** menu at the top of the screen and select **Monitors**.
[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Monitoring > Monitors**. -3. Click **Add**. -4. Click **Import** to import monitors from the JSON above. - -The monitors are disabled by default. Once you have installed the alerts using this method, navigate to the Host and Process Metrics folder under Monitors to configure them. See [this](/docs/alerts/monitors/settings) document to enable monitors, to configure each monitor, to send notifications to teams or connections, see the instructions detailed in [Create a Monitor](/docs/alerts/monitors/create-monitor). - - -### Method B: Using a Terraform script - -1. **Generate a Sumo Logic access key and ID**. Generate an access key and access ID for a user that has the Manage Monitors role capability in Sumo Logic using instructions in [Access Keys](/docs/manage/security/access-keys). Please identify which deployment your Sumo Logic account is in, using [this link](/docs/api/about-apis/getting-started#sumo-logic-endpoints-by-deployment-and-firewall-security). -1. [Download and install Terraform 0.13](https://www.terraform.io/downloads.html) or later. -1. **Download the Sumo Logic Terraform package for Host and Process alerts**. The alerts package is available in the Sumo Logic GitHub [repository](https://github.com/SumoLogic/terraform-sumologic-sumo-logic-monitor/tree/main/monitor_packages/postgresql). You can either download it through the “git clone” command or as a zip file. -1. **Alert Configuration**. After the package has been extracted, navigate to the package directory `terraform-sumologic-sumo-logic-monitor/monitor_packages/host_process_metrics/`. Edit the `host_and_processes.auto.tfvars` file and add the Sumo Logic Access Key, Access Id, and Deployment from Step 1. - ```bash - access_id = "" - access_key = "" - environment = "" - ``` - Update the variable `host_and_processes_data_source` with your source category. SourceCategory examples: - * For alerts applicable only to a specific cluster of hosts, your custom filter could be: `_sourceCategory=yourclustername/metrics`. - * For alerts applicable to all hosts that start with ec2hosts-prod, your custom filter could be:`_sourceCategory=ec2hosts-prod*/metrics`. - * For alerts applicable to a specific cluster within a production environment, your custom filter could be: `_sourceCategory=prod/yourclustername/metrics`. -1. All monitors are disabled by default on installation. If you would like to enable all the monitors, set the parameter `monitors_disabled` to false in this file. -1. By default, the monitors are configured in a monitor folder called “Host and “Process Metrics”, if you would like to change the name of the folder, update the monitor folder name in this file. -1. **Email and Connection Notification Configuration Examples**. If you would like the alerts to send email or connection notifications, configure these in the file `host_process_metrics_notifications.auto.tfvars`. - * To configure notifications, modify the file `host_process_metrics_notifications.auto.tfvars` file and fill in the `connection_notifications` and `email_notifications` sections. See the examples for PagerDuty and email notifications below. See this [document](/docs/alerts/webhook-connections/set-up-webhook-connections) for creating payloads with other connection types. Replace `` with the connection id of the webhook connection. The webhook connection id can be retrieved by calling the [Monitors API](https://api.sumologic.com/docs/#operation/listConnections). - ```sql title="Pagerduty Connection Example:" - connection_notifications = [ - { - connection_type = "PagerDuty", - connection_id = "", - payload_override = "{\"service_key\": \"your_pagerduty_api_integration_key\",\"event_type\": \"trigger\",\"description\": \"Alert: Triggered {{TriggerType}} for Monitor {{Name}}\",\"client\": \"Sumo Logic\",\"client_url\": \"{{QueryUrl}}\"}", - run_for_trigger_types = ["Critical", "ResolvedCritical"] - }, - { - connection_type = "Webhook", - connection_id = "", - payload_override = "", - run_for_trigger_types = ["Critical", "ResolvedCritical"] - } - ] - ``` - - ```sql title="Email Notifications Example" - email_notifications = [ - { - connection_type = "Email", - recipients = ["abc@example.com"], - subject = "Monitor Alert: {{TriggerType}} on {{Name}}", - time_zone = "PST", - message_body = "Triggered {{TriggerType}} Alert on {{Name}}: {{QueryURL}}", - run_for_trigger_types = ["Critical", "ResolvedCritical"] - } - ] - ``` -1. Install the Alerts. - 1. Navigate to the package directory `terraform-sumologic-sumo-logic-monitor/monitor_packages/host_process_metrics/` and run `terraform init`. This will initialize Terraform and will download the required components. - 2. Run `terraform plan` to view the monitors which will be created/modified by Terraform. - 3. Run `terraform apply`. - - -#### Post Installation - -If you haven’t enabled alerts or configured notifications through the Terraform procedure outlined above, we highly recommend enabling alerts of interest and configuring each enabled alert to send notifications to other people or services. This is detailed in Step 4 of [this document](/docs/alerts/monitors/create-monitor). - ## Installing the Host and Process Metrics app import AppInstall2 from '../../reuse/apps/app-install-v2.md'; @@ -269,144 +184,148 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md'; ### Overview -The **Host Metrics - Overview** dashboard gives you an at-a-glance view of the key metrics like CPU, memory, disk, network, and TCP connections of all your hosts. You can drill down from this dashboard to the Host Metrics - CPU/Disk/Memory/Network/TCP dashboard by using the honeycombs or line charts in all the panels. +The **Host and Process Metrics - Overview** dashboard gives you an at-a-glance view of the key metrics like CPU, memory, disk, network, and TCP connections of all your hosts. You can drill down from this dashboard to the Host and Process Metrics - CPU/Disk/Memory/Network/TCP dashboard by using the honeycombs or line charts in all the panels. Use this dashboard to: * Identify hosts with high CPU, disk, memory utilization, and identify anomalies over time. -Host Metrics dashboards +Host and Process Metrics dashboards ### CPU -The **Host Metrics - CPU** dashboard provides a detailed analysis based on CPU metrics. You can drill down from this dashboard to the **Process Metrics - Details** dashboard by using the honeycombs or line charts in all the panels. +The **Host and Process Metrics - CPU** dashboard provides a detailed analysis based on CPU metrics. You can drill down from this dashboard to the **Host and Process Metrics - Process Details** dashboard by using the honeycombs or line charts in all the panels. Use this dashboard to: * Identify hosts and processes with high CPU utilization. * Examine CPU usage by type and identify anomalies over time. -Host Metrics dashboards +Host and Process Metrics dashboards ### Disk -The **Host Metrics - Disk** dashboard provides detailed information about on disk utilization and disk IO operations.You can drill down from this dashboard to the **Process Metrics - Details** dashboard by using the honeycombs or line charts in all the panels. +The **Host and Process Metrics - Disk** dashboard provides detailed information about on disk utilization and disk IO operations. You can drill down from this dashboard to the **Host and Process Metrics - Process Details** dashboard by using the honeycombs or line charts in all the panels. Use this dashboard to: * Identify hosts with high disk utilization and disk IO operations. * Monitor abnormal spikes in read/write rates. * Compare disk throughput across storage devices of a host. -Host Metrics dashboards +Host and Process Metrics dashboards ### Memory -The **Host Metrics - Memory** dashboard provides detailed information on host memory usage, memory distribution, and swap space utilization. You can drill down from this dashboard to the **Process Metrics - Details** dashboard by using the honeycombs or line charts in all the panels. +The **Host and Process Metrics - Memory** dashboard provides detailed information on host memory usage, memory distribution, and swap space utilization. You can drill down from this dashboard to the **Host and Process Metrics - Process Details** dashboard by using the honeycombs or line charts in all the panels. Use this dashboard to: * Identify hosts with high memory utilization. * Examine memory distribution (free, buffered-cache, used, total) for a given host. * Monitor abnormal spikes in memory and swap utilization. -Host Metrics dashboards +Host and Process Metrics dashboards ### Network -The **Host Metrics - Network** dashboard provides detailed information on host network errors, throughput, and packets sent and received. +The **Host and Process Metrics - Network** dashboard provides detailed information on host network errors, throughput, and packets sent and received. Use this dashboard to: * Determine top hosts with network errors and dropped packets. * Monitor abnormal spikes in incoming/outgoing packets and bytes sent and received. * Use dashboard filters to compare throughput across the interface of a host. -Host Metrics dashboards +Host and Process Metrics dashboards ### TCP -The **Host Metrics - TCP** dashboard provides detailed information around inbound, outbound, open, and established TCP connections. +The **Host and Process Metrics - TCP** dashboard provides detailed information around inbound, outbound, open, and established TCP connections. Use this dashboard to: * Identify abnormal spikes in inbound, outbound, open, or established connections. -Host Metrics dashboards +Host and Process Metrics dashboards -### Process Metrics - Overview +### Process Overview -The **Process Metrics - Overview** dashboard gives you an at-a-glance view of all the processes by open file descriptors, CPU usage, memory usage, disk read/write operations and thread count.You can drill down from this dashboard to the **Process Metrics - Details** dashboard by using the honeycombs or line charts in all the panels. +The **Host and Process Metrics - Process Overview** dashboard gives you an at-a-glance view of all the processes by open file descriptors, CPU usage, memory usage, disk read/write operations and thread count. You can drill down from this dashboard to the **Host and Process Metrics - Process Details** dashboard by using the honeycombs or line charts in all the panels. Use this dashboard to: * Identify top processes by CPU, memory usage, and open file descriptors. * Determine the longest running processes and users that have spawned the most number of processes. -Host Metrics dashboards +Host and Process Metrics dashboards -### Process Metrics - Details +### Process Details -The **Process Metrics - Details** dashboard gives you a detailed view of key process related metrics such as CPU and memory utilization, disk read/write throughput, and major/minor page faults. +The **Host and Process Metrics - Process Details** dashboard gives you a detailed view of key process related metrics such as CPU and memory utilization, disk read/write throughput, and major/minor page faults. Use this dashboard to: -* Determine the number of open file descriptors in all hosts. If the number of open file descriptors reaches the maximum file descriptor limits,, it can cause IOException errors. -* Identify anomalies in CPU usage, memory usage, major/minor page faults and reads/writes over time. +* Determine the number of open file descriptors in all hosts. If the number of open file descriptors reaches the maximum file descriptor limits, it can cause IOException errors. +* Identify anomalies in CPU usage, memory usage, major/minor page faults and reads/writes over time. * Troubleshoot memory leaks using the resident set memory trend chart. -Host Metrics dashboards +Host and Process Metrics dashboards -### Process Metrics - Trends +### Process Trends -The **Process Metrics - Trend** dashboard gives you insight into the state of your processes over time. +The **Host and Process Metrics - Process Trends** dashboard gives you insight into the state of your processes over time. Use this dashboard to: * Analyze the current state of all the processes (sleeping, dead, idle, stopped, total, paging) * Identify anomalies over time in the number of threads, zombie processes, and total processes -Host Metrics dashboards +Host and Process Metrics dashboards -## Upgrade/Downgrade the Host and Process Metrics app (Optional) +## Create monitors for the Host and Process Metrics app -import AppUpdate from '../../reuse/apps/app-update.md'; +import CreateMonitors from '../../reuse/apps/create-monitors.md'; - + -## Uninstalling the Host and Process Metrics app (Optional) +### Host and Process Metrics alerts -import AppUninstall from '../../reuse/apps/app-uninstall.md'; - - +#### Host Metrics +| Name | Description | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `Host and Process Metrics - High CPU Utilization` | This alert fires when host CPU utilization exceeds the threshold (Warning: 80%, Critical: 90%). | > 90% (Critical) | <= 90% | +| `Host and Process Metrics - Host Out of Memory` | This alert fires when memory utilization exceeds the threshold (Warning: 80%, Critical: 90%). | > 90% (Critical) | <= 90% | +| `Host and Process Metrics - Host Out of Disk Space` | This alert fires when disk utilization exceeds the threshold (Warning: 80%, Critical: 90%). | > 90% (Critical) | <= 90% | +| `Host and Process Metrics - Host Out of Inodes` | This alert fires when a host's filesystem is close to running out of available iNodes (Warning: 80%, Critical: 90%). | > 90% (Critical) | <= 90% | +| `Host and Process Metrics - Host Swap is Filling Up` | This alert fires when swap utilization exceeds the threshold (Warning: 60%, Critical: 80%). | > 80% (Critical) | <= 80% | +| `Host and Process Metrics - Host Swap is Filling Up (Windows)` | This alert fires when swap utilization exceeds the threshold for Windows machines (Warning: 60%, Critical: 80%). | > 80% (Critical) | <= 80% | +| `Host and Process Metrics - High Network Errors` | This alert fires when a host has encountered network errors in the last five minutes. | > 200 (Critical) | <= 200 | +| `Host and Process Metrics - Unusual Disk Read Rate` | This alert fires when the disk is reading an unusually high amount of data (> 50 MB/s) over a 5-minute time interval. | > 50 MB/s (Warning) | <= 50 MB/s | +| `Host and Process Metrics - Unusual Disk Write Rate` | This alert fires when the disk is writing an unusually high amount of data (> 50 MB/s) over a 5-minute time interval. | > 50 MB/s (Warning) | <= 50 MB/s | +| `Host and Process Metrics - Unusual Network Throughput In` | This alert fires when host network interfaces are receiving an unusually high amount of data (> 100 MB/s) over a 5-minute time interval. | > 100 MB/s (Warning) | <= 100 MB/s | +| `Host and Process Metrics - Unusual Network Throughput Out` | This alert fires when host network interfaces are sending an unusually high amount of data (> 100 MB/s) over a 5-minute time interval. | > 100 MB/s (Warning) | <= 100 MB/s | +| `Host and Process Metrics - High CPU IO Wait` | This alert fires when CPU I/O wait is high, indicating disk or network I/O bottlenecks causing the CPU to idle while waiting for operations to complete. | > 50% (Critical) | <= 50% | +| `Host and Process Metrics - High Disk IO` | This alert fires when disk I/O operations in progress are high, indicating disk saturation that can lead to slow application response times and system degradation. | > 100 (Critical) | <= 100 | +| `Host and Process Metrics - High Network Packet Drops` | This alert fires when network packet drops are high, indicating network congestion or buffer overflow leading to retransmissions and degraded application performance. | > 200 (Critical) | <= 200 | -## Host and Process Metrics Alerts +#### Process Metrics -### For Host Metrics +| Name | Description | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `Host and Process Metrics - Process High CPU Usage` | This alert fires when the CPU utilization of a process exceeds the threshold (Warning: 60%, Critical: 80%). | > 80% (Critical) | <= 80% | +| `Host and Process Metrics - Process High Memory Usage` | This alert fires when the memory used by a process exceeds the threshold (Warning: 60%, Critical: 80%). | > 80% (Critical) | <= 80% | +| `Host and Process Metrics - Process High Open File Descriptors` | This alert fires when the number of file descriptors used by a process exceeds the threshold (Warning: 800, Critical: 1000). | > 1000 (Critical) | <= 1000 | +| `Host and Process Metrics - Process High Page Faults` | This alert fires when the rate of page faults exceeds the threshold (Warning: 800, Critical: 1000). | > 1000 (Critical) | <= 1000 | +| `Host and Process Metrics - Process High Read Rate` | This alert fires when a process is reading an unusually high amount of data (> 20 MB/s) over a 5-minute time interval. | > 20 MB/s (Warning) | <= 20 MB/s | +| `Host and Process Metrics - Process High Write Rate` | This alert fires when a process is writing an unusually high amount of data (> 20 MB/s) over a 5-minute time interval. | > 20 MB/s (Warning) | <= 20 MB/s | -Sumo Logic provides out-of-the-box alerts available via [Sumo Logic monitors](/docs/alerts/monitors). These alerts are built based on metrics datasets and have preset thresholds based on industry best practices and recommendations. +## Upgrade/Downgrade the Host and Process Metrics app (Optional) -| Alert Name | Alert Description | Alert Condition | Recover Condition | -|:-----------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------|:-----------------|:-------------------| -| Host Metrics - High CPU Utilization | This alert fires when host CPU utilization is over 80%. | > 80 % | `<=` 80 % | -| Host Metrics - High Network Errors | This alert fires when a host has encountered network errors in the last five minutes. | > 1% | `<=` 1% | -| Host Metrics - Unusual network throughput in | This alert fires when host network interfaces are receiving an unusually high amount of data (> 100 MB/s) over a 5-minute time interval. | > 100 MB/sec | `<=` 100 MB/sec | -| Host Metrics - Unusual network throughput out | This alert fires when host network interfaces are sending an unusually high amount of data (> 100 MB/s) over a 5-minute time interval. | > 100 MB/sec | `<=` 100 MB/sec | -| Host Metrics - Host out of memory | This alert fires when memory utilization is over 90%. | > 90 % | `<=` 90 % | -| Host Metrics - Host out of inodes | This alert fires when a host's filesystem is close to running out of available iNodes (> 90% used). | > 90 % | `<=` 90 % | -| Host Metrics - Host swap is filling up | This alert fires when swap utilization is over 80%. | > 80 % | `<=` 80 % | -| Host Metrics - Host out of disk space | This alert fires when disk utilization is over 90%. | > 90 % | `<=` 90 % | -| Host Metrics - Unusual disk read rate | This alert fires when the disk is reading an unusually high amount of data (> 50 MB/s) over a 5-minute time interval. | > 50 MB/sec | `<=` 50 MB/sec | -| Host Metrics - Unusual disk write rate | This alert fires when the Disk is writing an unusually high amount of data (> 50 MB/s) over a 5-minute time interval. | > 50 MB/sec | `<=` 50 MB/sec | +import AppUpdate from '../../reuse/apps/app-update.md'; + -### For Process Metrics +## Uninstalling the Host and Process Metrics app (Optional) -Sumo Logic provides out-of-the-box alerts available via [Sumo Logic monitors](/docs/alerts/monitors). These alerts are built based on metrics datasets and have preset thresholds based on industry best practices and recommendations. +import AppUninstall from '../../reuse/apps/app-uninstall.md'; -| Alert Name | Alert Description | Alert Condition | Recover Condition | -|:----------------------------------------------|:------------------------------------------------------------------------------------------------------------------------|:-----------------|:-------------------| -| Process Metrics - High CPU Usage | This alert fires when the CPU utilization of a process is over 80% of the system CPU. | > 80 % | `<=` 80 % | -| Process Metrics - High Read Rate | This alert fires when a process is reading an unusually high amount of data (> 20 MB/s) over a 5-minute time interval. | > 50 MB/sec | `<=` 50 MB/sec | -| Process Metrics - High Write Rate | This alert fires when a process is writing an unusually high amount of data (> 20 MB/s) over a 5-minute time interval. | > 50 MB/sec | `<=` 50 MB/sec | -| Process Metrics - High Page Faults | This alert fires when the rate of page faults is high (> 1000). | > 1000 | `<=` 1000 | -| Process Metrics - High Memory Usage | This alert fires when the memory used by a process is over 80% of system memory. | > 80 % | `<=` 80 % | -| Process Metrics - High Open file descriptors | This alert fires when the number of file descriptors used by a process is more than 1000. | > 1000 | `<=` 1000 | + diff --git a/docs/integrations/microsoft-azure/windows-legacy.md b/docs/integrations/microsoft-azure/windows-legacy.md index b1ad64a1c95..8de8a24df94 100644 --- a/docs/integrations/microsoft-azure/windows-legacy.md +++ b/docs/integrations/microsoft-azure/windows-legacy.md @@ -94,7 +94,7 @@ import ViewDashboards from '../../reuse/apps/view-dashboards.md'; ### Overview -See information about Windows update errors, fatal or warning messages, policy changes, system restarts, and changes to administrative groups. +The **Windows 7+ - 2008 (Legacy) - Overview** dashboard shows information about Windows update errors, fatal or warning messages, policy changes, system restarts, and changes to administrative groups. Overview @@ -111,7 +111,7 @@ See information about Windows update errors, fatal or warning messages, policy c ### Default -See information about the start and stop operations for Windows services; Windows events; operations events; and errors and warnings. +The **Windows 7+ - 2008 (Legacy) - Default** dashboard shows information about the start and stop operations for Windows services; Windows events; operations events; and errors and warnings. Default @@ -126,7 +126,7 @@ See information about the start and stop operations for Windows services; Window ### Login Status -See information about successful and failed logins, and successful RDP reconnects. +The **Windows 7+ - 2008 (Legacy) - Login Status** dashboard shows information about successful and failed logins, and successful RDP reconnects. Login Status @@ -141,7 +141,7 @@ See information about successful and failed logins, and successful RDP reconnect ### Event Errors -See information about Window event messages that contain a keyword that indicates a problem. (If a Windows event contains "error", "timeout", "exception", or "fail", Sumo tags the message with "error_keyword", "timeout_keyword", "exception_keyword", or "fail_keyword" respectively.) +The **Windows 7+ - 2008 (Legacy) - Event Errors** dashboard shows information about Window event messages that contain a keyword that indicates a problem. (If a Windows event contains "error", "timeout", "exception", or "fail", Sumo tags the message with "error_keyword", "timeout_keyword", "exception_keyword", or "fail_keyword" respectively.) Event Errors @@ -157,6 +157,23 @@ See information about Window event messages that contain a keyword that indicate **Error Keyword - LogReduce**. See a LogReduce analysis of event messages that contain problem keywords. (Sumo's LogReduce algorithm uses fuzzy logic to cluster messages together based on string and pattern similarity. For more information, see, [Detect Patterns with LogReduce](/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce)). +## Create monitors for the Windows Legacy app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Windows Legacy alerts + +| Name | Description | Alert Condition | Recover Condition | +|:--|:--|:--|:--| +| `Windows 7+ - 2008 (Legacy) - Excessive Failed Logins` | This alert is triggered when a single user has more than 10 failed login attempts within 5 minutes. This may indicate a brute-force attack or credential stuffing attempt against the user's account. | Count > 0 | Count <= 0 | +| `Windows 7+ - 2008 (Legacy) - User Account Locked Out` | This alert is triggered when a user account is locked out. This may indicate a brute-force attack has triggered the account lockout policy, or a misconfigured service is repeatedly attempting authentication with stale credentials. | Count > 0 | Count <= 0 | +| `Windows 7+ - 2008 (Legacy) - User Added to Administrative Group` | This alert is triggered when a user is added to a privileged administrative group such as Administrators, Domain Admins, Schema Admins, Server Operators, Account Operators, or Backup Operators. This may indicate privilege escalation or unauthorized access. | Count > 0 | Count <= 0 | +| `Windows 7+ - 2008 (Legacy) - Audit Log Cleared` | This alert is triggered when the Windows Security audit log is cleared. This is a high-severity indicator as attackers often clear audit logs to cover their tracks after compromising a system. | Count > 0 | Count <= 0 | +| `Windows 7+ - 2008 (Legacy) - Firewall Rule Modified` | This alert is triggered when a Windows Firewall rule is added, modified, or deleted. Unauthorized firewall changes may indicate an attacker attempting to open access to the system or exfiltrate data. | Count > 0 | Count <= 0 | +| `Windows 7+ - 2008 (Legacy) - User Account Deleted` | This alert is triggered when a user account is deleted. This could indicate unauthorized administrative activity or an insider threat attempting to disrupt operations. | Count > 0 | Count <= 0 | + ## Upgrade/Downgrade the Windows Legacy app (Optional) import AppUpdate from '../../reuse/apps/app-update.md';