Skip to content
Open
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,25 @@ The **Windows - Security Analytics - Default Accounts Usage** dashboard allows y

<img src={useBaseUrl('img/integrations/cloud-security-monitoring-analytics/Windows-Security-Analytics-Default-Accounts-Usage.png')} alt="Windows cloud Security Analytics dashboards" />

## Create monitors for the Windows Cloud Security app

import CreateMonitors from '../../reuse/apps/create-monitors.md';

<CreateMonitors/>

### Windows Cloud Security Monitoring and Analytics alerts

| Name | Description | Alert Condition | Recover Condition |
|:--|:--|:--|:--|
| `Windows CSMA - Excessive Failed Logins` | This alert is triggered when a single user has more than 10 failed login attempts within 15 minutes. This may indicate a brute-force attack or credential stuffing attempt against the user's account. | Count > 0 | Count < = 0 |
| `Windows CSMA - User Account Locked Out` | This alert is triggered when a user account is locked out (EventID 4740). This may indicate a brute-force attack has triggered the account lockout policy, or a misconfigured service is repeatedly attempting authentication with stale credentials. | Count > 0 | Count < = 0 |
| `Windows CSMA - User Added to Administrative Group` | This alert is triggered when a user is added to a privileged administrative group such as Administrators, Domain Admins, Schema Admins, or Enterprise Admins. This may indicate privilege escalation or unauthorized access. | Count > 0 | Count < = 0 |
| `Windows CSMA - Audit Log Cleared` | This alert is triggered when the Windows Security or System audit log is cleared (EventIDs 104, 517, 1102). This is a high-severity indicator as attackers often clear audit logs to cover their tracks after compromising a system. | Count > 0 | Count < = 0 |
| `Windows CSMA - Windows Defender Malware Detected` | This alert is triggered when Windows Defender detects malware or other potentially unwanted software. Immediate investigation is required to determine the scope of infection. | Count > 0 | Count < = 0 |
| `Windows CSMA - Windows Defender Real-Time Protection Disabled` | This alert is triggered when Windows Defender Real-Time Protection is disabled (EventID 5001). Disabling real-time protection leaves the system vulnerable to malware and may indicate an attacker attempting to evade detection. | Count > 0 | Count < = 0 |
| `Windows CSMA - Windows Firewall Disabled` | This alert is triggered when the Windows Firewall Service is stopped (EventID 5025). A disabled firewall significantly increases the attack surface and may indicate an attacker attempting to open network access. | Count > 0 | Count < = 0 |
| `Windows CSMA - Default Account Activity` | This alert is triggered when activity is detected from default or built-in accounts (Administrator, Guest, Root, System). These accounts should not be used in a properly configured environment and activity may indicate unauthorized access or policy violation. | Count > 0 | Count < = 0 |

## Upgrade/Downgrade the Windows Cloud Security app (Optional)

import AppUpdate from '../../reuse/apps/app-update.md';
Expand Down
53 changes: 19 additions & 34 deletions docs/integrations/hosts-operating-systems/host-process-metrics.md
Original file line number Diff line number Diff line change
Expand Up @@ -365,6 +365,25 @@ Use this dashboard to:

<img src={useBaseUrl('img/integrations/hosts-operating-systems/Process-Metrics-Trends.png')} alt="Host Metrics dashboards" />

## Create monitors for the Host and Process Metrics app

import CreateMonitors from '../../reuse/apps/create-monitors.md';

<CreateMonitors/>

### Host and Process Metrics alerts

| Alert Name | Alert Description and Conditions | Alert Condition (Warning) | Alert Condition (Critical) |
|:--|:--|:--|:--|
| `Host and Process Metrics - High CPU Usage` | This alert is triggered when CPU usage is high (idle drops below threshold). Sustained high CPU usage may indicate resource exhaustion, runaway processes, or the need for capacity scaling. | Idle < = 20% | Idle < = 5% |
| `Host and Process Metrics - High Memory Usage` | This alert is triggered when memory utilization exceeds safe thresholds. High memory usage can lead to OOM kills, swap thrashing, and degraded application performance. | Used > 85% | Used > 95% |
| `Host and Process Metrics - High Disk Usage` | This alert is triggered when disk space utilization is high. Running out of disk space can cause application crashes, data loss, and system instability. | Used > 85% | Used > 95% |
| `Host and Process Metrics - High CPU IO Wait` | This alert is triggered when CPU I/O wait is high, indicating disk or network I/O bottlenecks causing the CPU to idle while waiting for operations to complete. | IOWait > 30% | IOWait > 50% |
| `Host and Process Metrics - High Disk IO` | This alert is triggered when disk I/O operations in progress are high, indicating disk saturation that can lead to slow application response times and system degradation. | IOPS > 50 | IOPS > 100 |
| `Host and Process Metrics - High Network Errors` | This alert is triggered when network interface errors are high. Network errors can indicate faulty hardware, driver issues, or network congestion affecting connectivity and throughput. | Error rate > 50/s | Error rate > 200/s |
| `Host and Process Metrics - High Network Packet Drops` | This alert is triggered when network packet drops are high. Packet drops indicate network congestion or buffer overflow, leading to retransmissions and degraded application performance. | Drop rate > 50/s | Drop rate > 200/s |
| `Host and Process Metrics - High Swap Usage` | This alert is triggered when swap space usage is high. Excessive swap usage indicates memory pressure and can severely degrade system performance due to disk-based memory operations. | Free < = 500MB | Free < = 100MB |

## Upgrade/Downgrade the Host and Process Metrics app (Optional)

import AppUpdate from '../../reuse/apps/app-update.md';
Expand All @@ -376,37 +395,3 @@ import AppUpdate from '../../reuse/apps/app-update.md';
import AppUninstall from '../../reuse/apps/app-uninstall.md';

<AppUninstall/>


## Host and Process Metrics Alerts

### For Host Metrics

Sumo Logic provides out-of-the-box alerts available via [Sumo Logic monitors](/docs/alerts/monitors). These alerts are built based on metrics datasets and have preset thresholds based on industry best practices and recommendations.

| Alert Name | Alert Description | Alert Condition | Recover Condition |
|:-----------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------|:-----------------|:-------------------|
| Host Metrics - High CPU Utilization | This alert fires when host CPU utilization is over 80%. | > 80 % | `<=` 80 % |
| Host Metrics - High Network Errors | This alert fires when a host has encountered network errors in the last five minutes. | > 1% | `<=` 1% |
| Host Metrics - Unusual network throughput in | This alert fires when host network interfaces are receiving an unusually high amount of data (> 100 MB/s) over a 5-minute time interval. | > 100 MB/sec | `<=` 100 MB/sec |
| Host Metrics - Unusual network throughput out | This alert fires when host network interfaces are sending an unusually high amount of data (> 100 MB/s) over a 5-minute time interval. | > 100 MB/sec | `<=` 100 MB/sec |
| Host Metrics - Host out of memory | This alert fires when memory utilization is over 90%. | > 90 % | `<=` 90 % |
| Host Metrics - Host out of inodes | This alert fires when a host's filesystem is close to running out of available iNodes (> 90% used). | > 90 % | `<=` 90 % |
| Host Metrics - Host swap is filling up | This alert fires when swap utilization is over 80%. | > 80 % | `<=` 80 % |
| Host Metrics - Host out of disk space | This alert fires when disk utilization is over 90%. | > 90 % | `<=` 90 % |
| Host Metrics - Unusual disk read rate | This alert fires when the disk is reading an unusually high amount of data (> 50 MB/s) over a 5-minute time interval. | > 50 MB/sec | `<=` 50 MB/sec |
| Host Metrics - Unusual disk write rate | This alert fires when the Disk is writing an unusually high amount of data (> 50 MB/s) over a 5-minute time interval. | > 50 MB/sec | `<=` 50 MB/sec |


### For Process Metrics

Sumo Logic provides out-of-the-box alerts available via [Sumo Logic monitors](/docs/alerts/monitors). These alerts are built based on metrics datasets and have preset thresholds based on industry best practices and recommendations.

| Alert Name | Alert Description | Alert Condition | Recover Condition |
|:----------------------------------------------|:------------------------------------------------------------------------------------------------------------------------|:-----------------|:-------------------|
| Process Metrics - High CPU Usage | This alert fires when the CPU utilization of a process is over 80% of the system CPU. | > 80 % | `<=` 80 % |
| Process Metrics - High Read Rate | This alert fires when a process is reading an unusually high amount of data (> 20 MB/s) over a 5-minute time interval. | > 50 MB/sec | `<=` 50 MB/sec |
| Process Metrics - High Write Rate | This alert fires when a process is writing an unusually high amount of data (> 20 MB/s) over a 5-minute time interval. | > 50 MB/sec | `<=` 50 MB/sec |
| Process Metrics - High Page Faults | This alert fires when the rate of page faults is high (> 1000). | > 1000 | `<=` 1000 |
| Process Metrics - High Memory Usage | This alert fires when the memory used by a process is over 80% of system memory. | > 80 % | `<=` 80 % |
| Process Metrics - High Open file descriptors | This alert fires when the number of file descriptors used by a process is more than 1000. | > 1000 | `<=` 1000 |
17 changes: 17 additions & 0 deletions docs/integrations/microsoft-azure/windows-legacy.md
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,23 @@ See information about Window event messages that contain a keyword that indicate

**Error Keyword - LogReduce**. See a LogReduce analysis of event messages that contain problem keywords. (Sumo's LogReduce algorithm uses fuzzy logic to cluster messages together based on string and pattern similarity. For more information, see, [Detect Patterns with LogReduce](/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce)).

## Create monitors for the Windows Legacy app

import CreateMonitors from '../../reuse/apps/create-monitors.md';

<CreateMonitors/>

### Windows Legacy alerts

| Name | Description | Alert Condition | Recover Condition |
|:--|:--|:--|:--|
| `Windows Legacy - Excessive Failed Logins` | This alert is triggered when a single user has more than 10 failed login attempts within 15 minutes. This may indicate a brute-force attack or credential stuffing attempt against the user's account. | Count > 0 | Count < = 0 |
| `Windows Legacy - User Account Locked Out` | This alert is triggered when a user account is locked out. This may indicate a brute-force attack has triggered the account lockout policy, or a misconfigured service is repeatedly attempting authentication with stale credentials. | Count > 0 | Count < = 0 |
| `Windows Legacy - User Added to Administrative Group` | This alert is triggered when a user is added to a privileged administrative group such as Administrators, Domain Admins, Schema Admins, Server Operators, Account Operators, or Backup Operators. This may indicate privilege escalation or unauthorized access. | Count > 0 | Count < = 0 |
| `Windows Legacy - Audit Log Cleared` | This alert is triggered when the Windows Security audit log is cleared. This is a high-severity indicator as attackers often clear audit logs to cover their tracks after compromising a system. | Count > 0 | Count < = 0 |
| `Windows Legacy - Firewall Rule Modified` | This alert is triggered when a Windows Firewall rule is added, modified, or deleted. Unauthorized firewall changes may indicate an attacker attempting to open access to the system or exfiltrate data. | Count > 0 | Count < = 0 |
| `Windows Legacy - User Account Deleted` | This alert is triggered when a user account is deleted. This could indicate unauthorized administrative activity or an insider threat attempting to disrupt operations. | Count > 0 | Count < = 0 |

## Upgrade/Downgrade the Windows Legacy app (Optional)

import AppUpdate from '../../reuse/apps/app-update.md';
Expand Down