The relevance of the information and the reaction time to events that have occurred are the most important factors in preventing incidents. Another very important factor is an inherent understanding of the ATOM platform's detection and reporting. Many monitoring tools generate a plethora of alerts that most IT administrators do not process; they respond to incidents only after they occur, and the cause is then traced ex post in the monitoring or syslog data. ATOM sends only the most important alerts, and if you do not respond to one that ATOM considers a critical incident, ATOM will notify you by phone (PREMIUM plan). The notification also describes what the incident is about and confirms with you whether or not it is actually an incident.

ATOM currently ships with a set of alerts, and new ones are added each day, largely thanks to detections shared across different systems, where the need of one customer may be the need of another. For this reason, you do not need to spend additional resources to define a monitoring service, set up data collection, or correlate information, attack vectors, and suspicious behavior.
Currently, ATOM alerts you to the following conditions and anomalies in the environment, in addition to the dashboards for each environment.

  • Accounts failed to log on
  • Accounts that remotely logged on to the computer "Computer01.contoso.com" (replace with your own computer name)
  • Accounts that terminated Microsoft antimalware ("MsMpEng.exe") on any computer
  • Agents that provide wire data
  • Alerts raised by Nagios Servers
  • Alerts raised by Zabbix Server
  • Alerts raised during the past 1 day grouped by their severity
  • Alerts raised during the past 1 day sorted by their repeat count value
  • Alerts raised during the past 24 hours which are now closed
  • All computers with missing critical or security updates
  • All computers with missing update rollups
  • All computers with missing updates
  • All Computers with their most recent data
  • All Events
  • All Events with level "Warning"
  • All IIS Log Entries
  • All Outbound communications by Remote IP Address
  • All Process names that were executed
  • All Security Activities
  • All Syslog Records grouped by Facility
  • All Syslog Records grouped by ProcessName
  • All Syslog Records with Errors
  • All Syslogs
  • Amount of Network Traffic (in Bytes) by Process
  • Average HTTP Request time by Client IP Address
  • Average HTTP Request time by HTTP Method
  • Average Latency (in milliseconds) for connections we were able to measure reliably, grouped by Remote IP Address
  • Bytes received by Protocol Name (transport-level protocol, only some are recognized)
  • Bytes sent by Application Protocol
  • Bytes sent by Application Service Name
  • Computer with guest account logons
  • Computers missing critical updates
  • Computers missing security updates
  • Computers where "hash.exe" was executed more than 5 times (replace with your own process name)
  • Computers where the Microsoft antimalware process ("MsMpEng.exe") was terminated
  • Computers whose security log was cleared
  • Computers with automatic update disabled
  • Computers with cleaned event logs
  • Computers with detected threats
  • Computers with failed Linux user password change
  • Computers with failed ssh logons
  • Computers with failed su logons
  • Computers with failed sudo logons
  • Computers with guest account logons
  • Computers with insufficient protection
  • Computers with new Linux group created
  • Computers with system audit policy changes
  • Computers with users added to a Linux group
  • Connections to Remote IPs that we were not able to ping and don't have Latency information for
  • Count of Events containing the word "started" grouped by EventID
  • Count of Events grouped by Event ID
  • Count of Events grouped by Event Log
  • Count of Events grouped by Event Source
  • Count of Events with level "Warning" grouped by Event ID
  • Count of IIS Log Entries by Client IP Address
  • Count of IIS Log Entries by Host requested by client
  • Count of IIS Log Entries by HTTP Request Method
  • Count of IIS Log Entries by HTTP User Agent
  • Count of IIS Log Entries by URL for the host "www.contoso.com" (replace with your own)
  • Count of IIS Log Entries by URL requested by client (without query strings)
  • Critical alerts raised during the past 24 hours
  • Critical alerts raised during the past 24 hours which are still active
  • Critical or security updates needed by machines where updates are manually applied
  • Critical Service Down
  • Critical Windows Service Stopped
  • Deferral configurations for Feature Update
  • Deferral configurations for Quality Update
  • Devices not assessed for Defender AV
  • Devices pending reboot to complete update
  • Devices with Signatures out of date
  • Disk space less than 10%
  • Disk space less than 20% and more than 10%
  • Distinct malicious IP addresses accessed
  • Distinct missing updates across all computers
  • Distinct paths of Executed Commands (Linux)
  • Distribution of data types
  • DNS: detect malicious communication
  • Domain security policy changes
  • Error events for machines that have missing critical or security required updates
  • Events in the Operations Manager Event Log whose Event ID is in the range between 2000 and 3000
  • Executed Commands (Linux)
  • Failed logon on server
  • Find the maximum time taken for each page
  • High priority AD assessment security recommendations
  • High priority SQL assessment security recommendations
  • How many connections to Operations Manager's SDK service by day
  • How many times did each unique AD Recommendation trigger?
  • How many times did each unique SQL Recommendation trigger?
  • IIS Log Entries for a specific client IP Address (replace with your own)
  • IIS Service Down
  • IP Addresses of the agents providing wire data
  • Loading or Unloading of Kernel modules (Linux)
  • Locked accounts
  • Logon Activity by Account
  • Logon Activity by Account for accounts that logged on fewer than 5 times
  • Logon Activity by Computer
  • Logon Activity by Computer where more than 10 logons have happened
  • Logons with a clear text password
  • Low priority AD assessment security recommendations
  • Low priority SQL assessment security recommendations
  • Malware detected grouped by threat
  • Members added to security-enabled groups
  • Memory more than 80% over 5 minutes
  • Memory more than 90% over 5 minutes
  • On which machines and how many times have Windows Firewall Policy settings changed
  • Operating System Versions
  • OS Edition distribution for the devices
  • OS Servicing branch distribution for the devices
  • Password change or reset attempts
  • Pause configurations for Feature Update
  • Pause configurations for Quality Update
  • Processes that initiated or received network traffic
  • Processor Queue average more than 20 over the last 15 minutes
  • Processor Queue Length and Time over 15 minutes
  • Processor Time average more than 30 over the last 15 minutes
  • Protection Status updates per day
  • Recommendations by AffectedObjectType
  • Recommendations by Computer
  • Recommendations by Database
  • Recommendations by Domain
  • Recommendations by DomainController
  • Recommendations by Focus Area
  • Recommendations by Forest
  • Recommendations by Instance
  • Remote IP addresses that have communicated with agents on the subnet '10.0.0.0/8' (any direction)
  • Remote procedure call (RPC) attempts
  • Restarting servers
  • Security Activities on the computer "Computer01.contoso.com" (replace with your own computer name)
  • Security Activities on the computer "COMPUTER01.contoso.com" for account "Administrator" (replace with your own computer and account names)
  • Security groups created or modified
  • SecurityAuditdAccountsFailedToLogin
  • Server not sending data (Server Down)
  • Shows breakdown of response codes
  • Shows servers that are throwing internal server error
  • Shows which pages people are getting a 404 for
  • Sources with active alerts raised during the past 24 hours
  • Stale Computers (data older than 24 hours)
  • Suspicious executables
  • Total bytes by IP version (IPv4 or IPv6)
  • Total Bytes received by each Azure Role Instance
  • Total Bytes received by each IIS Computer
  • Total Bytes responded back to clients by Client IP Address
  • Total Bytes responded back to clients by each IIS Server IP Address
  • Total Bytes sent by Client IP Address
  • Update deployment failures
  • User accounts created or enabled
  • Warning alerts raised during the past 24 hours
  • When did my servers initiate restart?
  • Which Management Group is generating the most data points?
  • Windows Firewall Policy settings have changed
  • WSUS computer membership

Contacts

  • USA | California
    KPCS Consulting LLC
    861 Idylberry Rd. 94903
    San Rafael, CA, USA
    Tel: +1 (415) 802-9392
  • USA | Nevada
    KPCS Consulting LLC
    209 Surrey St. 89074
    Henderson, NV, USA
    Tel: +1 (415) 802-9392
  • Czech Republic
    KPCS CZ s.r.o.
    Kubánské nám. 1391/11
    100 00 Praha, CZ
    Tel: +420 778 411 744