Relevantnost informací a reakční čas na vzniklé události je tou nejdůležitější věcí, jak předejít incidentům. Dalším velmi důležitým faktorem je neodmyslitelně i porozumění detekcím a hlášením, které platforma ATOM poskytuje. Značné množství monitorovacích nástrojů generuje nepřeberné množství alertů, které většina IT správců nezpracovává a na incidenty reaguje až ve chvíli kdy nastanou. Následná příčina je dohledávána v monitoringu nebo syslogu až ex-post. Služba ATOM zasílá jen ty nejdůležitější aletry a pokud na ně nezareagujete a tým ATOM usoudí, že se jedná o kritický incident, tým ATOM vás upozorní telefonicky (v plánu PREMIUM). Součástí upozornění je také informace, čeho se incident týká a validuje si s vámi, zda se jedná o incident či nikoliv.
Aktuálně služba ATOM disponuje sadou alertů, a každý den jsou přidávány nové. Zejména díky detekcím společného charakteru napříč různými systémy, kdy potřeba jednoho zákazníka může být potřebou zákazníka jiného. Z tohoto důvodu není nutné vynakládat další prostředky vedoucí k definici monitorovací služby, definování sběrů dat, korelace informací, vektorů útoků a podezřelého chování.
Aktuálně, služba ATOM upozorňuje na tyto stavy a anomálie v prostředí, souběžně s pohledem na dashboardy jednotlivých prostředí.
|
Accounts failed to log on |
Count of Events containing the word "started" grouped by EventID |
Malware detected grouped by 'threat |
|
Accounts who remotely logged on the computer "Computer01.contoso.com" (replace with your own computer name) |
Count of Events grouped by Event ID |
Members added To security-enabled groups |
|
Accounts who terminated Microsoft antimalware ("MsMpEng.exe") on any computer |
Count of Events grouped by Event Log |
Memory more than 80% over 5 minutes |
|
Agents that provide wire data |
Count of Events grouped by Event Source |
Memory more than 90% over 5 minutes |
|
Alerts raised by Nagios Servers |
Count of Events with level "Warning" grouped by Event ID |
On which machines and how many times have Windows Firewall Policy settings changed |
|
Alerts raised by Zabbix Server |
Count of IIS Log Entries by Client IP Address |
Operating System Versions |
|
Alerts raised during the past 1 day grouped by their severity |
Count of IIS Log Entries by Host requested by client |
OS Edition distribution for the devices |
|
Alerts raised during the past 1 day sorted by their repeat count value |
Count of IIS Log Entries by HTTP Request Method |
OS Servicing branch distribution for the devices |
|
Alerts raised during the past 24 hours which are now closed |
Count of IIS Log Entries by HTTP User Agent |
Pause configurations for Feature Update |
|
All computers with missing critical or security updates |
Count of IIS Log Entries by URL for the host "www.contoso.com" (replace with your own) |
Pause configurations for Quality Update |
|
All computers with missing update rollups |
Count of IIS Log Entries by URL requested by client (without query strings) |
Processes that initiated or received network traffic |
|
All computers with missing updates |
Critical alerts raised during the past 24 hours |
Processor Queue is average more than 20 from last 15 minutes |
|
All Computers with their most recent data |
Critical alerts raised during the past 24 hours which are still active |
Processor Queue Length and Time over 15 minutes |
|
All Events |
Critical or security updates needed by machines where updates are manually applied |
Processor Time is average more than 30 from last 15 minutes |
|
All Events with level "Warning" |
Critical Service Down |
Protection Status updates per day |
|
All IIS Log Entries |
Critical Windows Service Stoped |
Recommendations by AffectedObjectType |
|
All Outbound communications by Remote IP Address |
Deferral configurations for Feature Update |
Recommendations by AffectedObjectType |
|
All Process names that were executed |
Deferral configurations for Quality Update |
Recommendations by Computer |
|
All Security Activities |
Devices not assessed for Defender AV |
Recommendations by Computer |
|
All Syslog Records grouped by Facility |
Devices pending reboot to complete update |
Recommendations by Database |
|
All Syslog Records grouped by ProcessName |
Devices with Signatures out of date |
Recommendations by Domain |
|
All Syslog Records with Errors |
Disk space less than 10% |
Recommendations by DomainController |
|
All Syslogs |
Disk space less than 20% and more then 10% |
Recommendations by Focus Area |
|
Amount of Network Traffic (in Bytes) by Process |
Distinct malicious IP addresses accessed |
Recommendations by Focus Area |
|
Average HTTP Request time by Client IP Address |
Distinct malicious IP addresses accessed |
Recommendations by Forest |
|
Average HTTP Request time by HTTP Method |
Distinct missing updates across all computers |
Recommendations by Instance |
|
Average Latency (in milliseconds) for connections we were able to measure reliably, grouped by Remote IP Address |
Distinct paths of Executed Commands (Linux) |
Remote IP addresses that have communicated with agents on the subnet '10.0.0.0/8' (any direction) |
|
Bytes received by Protocol Name (transport-level protocol, only some are recognized) |
Distribution of data Types |
Remote procedure call(RPC) attempts |
|
Bytes sent by Application Protocol |
DNS Detect malicious communication |
Restarting servers |
|
Bytes sent by Application Service Name |
Domain security policy changes |
SecuriryAuditdAccountsFailedToLogin |
|
Computer with guest account logons |
Domain security policy changes |
Security Activities on the computer "Computer01.contoso.com" (replace with your own computer name) |
|
Computers missing critical updates |
Error events for machines that have missing critical or security required updates |
Security Activities on the computer "COMPUTER01.contoso.com" for account "Administrator" (replace with your own computer and account names) |
|
Computers missing security updates |
Events in the Operations Manager Event Log whose Event ID is in the range between 2000 and 3000 |
Security groups created or modified |
|
Computers missing security updates |
Executed Commands (Linux) |
Server not sending data (Server Down) |
|
Computers missing security updates |
Failed logon on server |
Shows breakdown of response codes |
|
Computers where "hash.exe" was executed (replace with different process name) more than 5 times |
Find the maximum time taken for each page |
Shows servers that are throwing internal server error |
|
Computers where the Microsoft antimalware process ("MsMpEng.exe") was terminated |
High priority AD assessment security recommendations |
Shows which pages people are getting a 404 for |
|
Computers whose security log was cleared |
High priority SQL assessment security recommendations |
Sources with active alerts raised during the past 24 hours |
|
Computers with automatic update disabled |
How many connections to Operations Manager's SDK service by day |
Stale Computers (data older than 24 hours) |
|
Computers with automatic update disabled |
How many times did each unique AD Recommendation trigger? |
Suspicious executables |
|
Computers with cleaned event logs |
How many times did each unique SQL Recommendation trigger? |
Total bytes by IP version (IPv4 or IPv6) |
|
Computers with cleaned event logs |
Change or reset passwords attempts |
Total Bytes received by each Azure Role Instance |
|
Computers with cleaned event logs |
Change or reset passwords attempts |
Total Bytes received by each IIS Computer |
|
Computers with detected threats |
IIS Log Entries for a specific client IP Address (replace with your own) |
Total Bytes responded back to clients by Client IP Address |
|
Computers with detected threats |
IIS Service Down |
Total Bytes responded back to clients by each IIS ServerIP Address |
|
Computers with detected threats |
IP Addresses of the agents providing wire data |
Total Bytes sent by Client IP Address |
|
Computers with failed Linux user password change |
Loading or Unloading of Kernel modules (Linux) |
Update deployment failures |
|
Computers with failed ssh logons |
Locked accounts |
User accounts created or enabled |
|
Computers with failed su logons |
Locked accounts |
Warning alerts raised during the past 24 hours |
|
Computers with failed sudo logons |
Logon Activity by Account |
When did my servers initiate restart? |
|
Computers with guest account logons |
Logon Activity by Account for accounts who only logged on less than 5 times |
Which Management Group is generating the most data points? |
|
Computers with insufficient protection |
Logon Activity by Computer |
Windows Firewall Policy settings have changed |
|
Computers with new Linux group created |
Logon Activity by Computer Where More than 10 logons have happened |
Windows Firewall Policy settings have changed |
|
Computers with system audit policy changes |
Logons with a clear text password |
WSUS computer membership |
|
Computers with users added to a Linux group |
Low priority AD assessment security recommendations |
|
|
Connections to Remote IP's that we were not able to ping and don't have Latency information for |
Low priority SQL assessment security recommendations |