
Commit 089b917

chetanchoudhary-sumo, himanshu219, amee-sumo, JV0812 authored
SUMO-252682: Adding monitors info for otel apps - set 5 (#4969)
* SUMO-252682: Adding monitors info for otel apps - set 5
* Apply suggestions from code review
Co-authored-by: Amee Lepcha <[email protected]>
* Apply suggestions from code review
Co-authored-by: Jagadisha V <[email protected]>
* Apply suggestions from code review
Co-authored-by: Jagadisha V <[email protected]>
* Update docs/integrations/pci-compliance/opentelemetry/windows-json-opentelemetry.md
* Update windows-opentelemetry.md
* Update linux-opentelemetry.md
* Update windows-json-opentelemetry.md
* Update windows-opentelemetry.md
* Update linux-opentelemetry.md
* Update windows-json-opentelemetry.md
---------
Co-authored-by: Himanshu Pal <[email protected]>
Co-authored-by: Amee Lepcha <[email protected]>
Co-authored-by: Jagadisha V <[email protected]>
1 parent cd42a17 commit 089b917


3 files changed

+45
-0
lines changed

docs/integrations/cloud-security-monitoring-analytics/opentelemetry/windows-opentelemetry.md

Lines changed: 15 additions & 0 deletions
@@ -305,3 +305,18 @@ The **WWindows - Security Monitoring - Critical Events** dashboard provides anal
305305
The **Windows - Security Monitoring - Inventory** dashboard helps you to monitor windows events provided by computer, channel, and provider. This dashboard also provides additional information on computer reboots.
306306

307307
<img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/Windows-Cloud-Security-Monitoring-and-Analytics/OpenTelemetry/Windows-Security-Monitoring-Inventory.png' style={{border: '1px solid gray'}} alt="Windows-Security-Monitoring-Inventory" />
308+
309+
310+
## Create monitors for Windows - Cloud Security Monitoring and Analytics app
311+
312+
import CreateMonitors from '../../../reuse/apps/create-monitors.md';
313+
314+
<CreateMonitors/>
315+
316+
### Windows - Cloud Security Monitoring and Analytics alerts
317+
318+
| Name | Description | Alert Condition | Recover Condition |
319+
|:--|:--|:--|:--|
320+
| `Windows CSMA - Audit Log Tampering Detection` | This alert is triggered when attempt is detected to clear or tamper with Windows audit logs, indicating potential attempts to cover malicious activities. | Count > = 1 | Count < 1 |
321+
| `Windows CSMA - Failed Authentication Spike` | This alert is triggered when unusual spikes in failed authentication attempts are detected, indicating potential brute force attacks. | Count > = 10 | Count < 10 |
322+
| `Windows CSMA - Windows Update Failures` | This alert is triggered when repeated Windows Update failures are detected, indicating potential vulnerabilities to known exploits. | Count > = 3 | Count < 3 |
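Review bot: the alert condition column uses a spaced operator, `Count > = 1`, in all three new rows of this table, while the Windows JSON table in the same PR writes `Count >= 1`; normalise these to `Count >= 1`, `Count >= 10` and `Count >= 3`. The first row's description reads "when attempt is detected" and should be "when an attempt is detected". None of the three rows says what evaluation window the count applies to, so a reader cannot tell whether 10 failed authentications means 10 per minute or 10 per day; the Linux table in this PR states a window ("over a 5-minute period") for one of its alerts, and the same should be done here. Minor: the three blank lines added right after the Inventory image leave a larger gap before the new heading than the other two files use, and the `**WWindows - Security Monitoring - Critical Events**` typo visible in the hunk context is pre-existing but worth fixing in the same change.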

docs/integrations/pci-compliance/opentelemetry/linux-opentelemetry.md

Lines changed: 14 additions & 0 deletions
@@ -220,3 +220,17 @@ Use this dashboard to:
220220
- Monitor actions performed by users with administrative privileges.
221221

222222
<img src={useBaseUrl('https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/PCI-Compliance-For-Linux/OpenTelemetry/PCI-Compliance-Req-10.png')} alt="PCI Compliance for Linux dashboards" style={{border: '1px solid gray'}}/>
223+
224+
## Create monitors for PCI Compliance for Linux app
225+
226+
import CreateMonitors from '../../../reuse/apps/create-monitors.md';
227+
228+
<CreateMonitors/>
229+
230+
### PCI Compliance for Linux alerts
231+
232+
| Name | Description | Alert Condition | Recover Condition |
233+
|:--|:--|:--|:--|
234+
| `PCI Linux - Excessive Failed Authentication` | This alert is triggered when multiple failed login attempts are detected over a 5-minute period, indicating potential brute force attempts and addressing PCI Requirement `10.2.4` for invalid logical access attempts. | Count > 5 | Count < = 5 |
235+
| `PCI Linux - Privileged User Account Changes` | This alert is triggered when privileged user accounts (UID < 1000 or root accounts) are created, deleted, or modified, addressing PCI Requirement `10.2.5` for changes to identification and authentication mechanisms. | Count > 0 | Count < = 0 |
236+
| `PCI Linux - Unauthorized Sudo Elevation` | This alert is triggered when unauthorized users attempt to use sudo is detected, which addresses PCI Requirement `7.2.0` for implementing an access control system among system components with multiple users. | Count > 2 | Count < = 2 |
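Review bot: the third row's description, "when unauthorized users attempt to use sudo is detected", does not parse; suggest "when unauthorized users are detected attempting to use sudo". The recover conditions use a spaced operator (`Count < = 5`, `Count < = 0`, `Count < = 2`) that should be `Count <= 5` and so on, and `Count < = 0` paired with `Count > 0` reads more clearly as `Count < 1`, the form the Windows tables in this PR use. The requirement references (`10.2.4`, `10.2.5`, `7.2.0`) do not say which PCI DSS version they follow, and the trailing `.0` in `7.2.0` looks like a section rather than a numbered requirement; the Windows JSON file in this PR writes "PCI DSS Requirement", so stating the version and checking each number against it would make the three tables consistent. Only the first row gives its evaluation window (5 minutes); the other two should state theirs as well.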

docs/integrations/pci-compliance/opentelemetry/windows-json-opentelemetry.md

Lines changed: 16 additions & 0 deletions
@@ -264,3 +264,19 @@ Track user activities such as password changes, password resets, excessive faile
264264
Track your Windows Update activities.
265265

266266
<img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/PCI-Compliance-For-Windows-JSON/OpenTelemetry/Windows-PCI-Req-06-Windows-Updates-Activity.png' alt="Windows - PCI Req 06 - Windows Updates Activity" />
267+
268+
## Create monitors for PCI Compliance For Windows JSON app
269+
270+
import CreateMonitors from '../../../reuse/apps/create-monitors.md';
271+
272+
<CreateMonitors/>
273+
274+
### PCI Compliance For Windows JSON alerts
275+
276+
| Name | Description | Alert Condition | Recover Condition |
277+
|:--|:--|:--|:--|
278+
| `Windows PCI - Critical Policy Changes` | This alert is triggered when modifications to security policies or audit policies are detected, indicating potential changes to the system's security posture. It supports PCI DSS Requirements `10.2.2` (track changes to system-level objects) and `10.2.5.b` (track use of identification and authentication mechanisms). | Count >= 1 | Count < 1 |
279+
| `Windows PCI - Excessive Failed Login Attempts` | This alert is triggered when there are multiple authentication failures detected across Windows environments. These are monitored across different authentication mechanisms like local Windows authentication, Kerberos, and network logons. It correlates failure patterns with specific error codes to identify potential security threats such as password guessing, account enumeration, or attempts to access disabled accounts. This helps security teams differentiate between benign issues and malicious activities. | Count >= 5 | Count < 5 |
280+
| `Windows PCI - Failed Windows Updates` | This alert is triggered when Windows update failures are detected, which could leave systems vulnerable to known exploits. It aligns with PCI DSS Requirement `6.2.0` for installing critical security patches within one month of release. | Count > = 3 | Count < 3 |
281+
| `Windows PCI - Security Audit Log Tampering` | This alert is triggered when attempt is detected to clear or tamper with Windows security audit logs, indicating potential attempts to hide malicious activities. It supports PCI DSS Requirements `10.2.0` (implement automated audit trails) and `10.3.0` (record audit trail entries). | Count > = 1 | Count < 1 |
282+
| `Windows PCI - User Account State Change` | This alert is triggered when critical user account state changes are detected, including account creation, deletion, enablement, and disablement. This supports PCI DSS Requirement 8.1.3 for immediately revoking access for terminated users. | Count > = 1 | Count < 1 |
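Review bot: operator spacing is mixed within this one table: the first two rows use `Count >= 1` / `Count >= 5`, the last three use `Count > = 3` / `Count > = 1`; use the unspaced form throughout. Requirement references are also inconsistent: `8.1.3` in the last row is the only one not in backticks, and `6.2.0`, `10.2.0`, `10.3.0` carry a trailing `.0` while `10.2.2` and `10.2.5.b` do not, so the PCI DSS version being cited should be stated and each number checked against it. "when attempt is detected" in the tampering row should be "when an attempt is detected". The heading and section title use "PCI Compliance For Windows JSON" with a capital "For", whereas the Linux file in this PR writes "PCI Compliance for Linux"; unless the app title is officially capitalised that way, lowercase it. As in the other tables, the thresholds lack an evaluation window; the failed-login row describes correlating failure patterns with error codes, but its condition is a plain count of 5, so say what period the 5 is counted over.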
