
Commit a0505d2

SUMO-252682: Adding monitors info for otel apps - set 5
1 parent 0aa5c4f commit a0505d2

3 files changed: +45 −0 lines changed

docs/integrations/cloud-security-monitoring-analytics/opentelemetry/windows-opentelemetry.md

Lines changed: 15 additions & 0 deletions
@@ -305,3 +305,18 @@ The **WWindows - Security Monitoring - Critical Events** dashboard provides anal
305305
The **Windows - Security Monitoring - Inventory** dashboard helps you to monitor windows events provided by computer, channel, and provider. This dashboard also provides additional information on computer reboots.
306306

307307
<img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/Windows-Cloud-Security-Monitoring-and-Analytics/OpenTelemetry/Windows-Security-Monitoring-Inventory.png' style={{border: '1px solid gray'}} alt="Windows-Security-Monitoring-Inventory" />
308+
309+
310+
## Create monitors for Windows - Cloud Security Monitoring and Analytics - OpenTelemetry app
311+
312+
import CreateMonitors from '../../../reuse/apps/create-monitors.md';
313+
314+
<CreateMonitors/>
315+
316+
### Windows - Cloud Security Monitoring and Analytics - OpenTelemetry Alerts
317+
318+
| Name | Description | Alert Condition | Recover Condition |
319+
|:--|:--|:--|:--|
320+
| `Windows CSMA - Audit Log Tampering Detection` | This alert is triggered when attempts to clear or tamper with Windows audit logs are detected, indicating potential attempts to cover malicious activities. | Count >= 1 | Count < 1 |
321+
| `Windows CSMA - Failed Authentication Spike` | This alert is triggered when unusual spikes in failed authentication attempts are detected, indicating potential brute force attacks. | Count >= 10 | Count < 10 |
322+
| `Windows CSMA - Windows Update Failures` | This alert is triggered when repeated Windows Update failures are detected, indicating potential vulnerabilities to known exploits. | Count >= 3 | Count < 3 |
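Review bot: the Alert Condition column in the new Windows CSMA table (`Count >= 10` for Failed Authentication Spike, `Count >= 3` for Windows Update Failures) gives a count with no evaluation window, so a reader cannot tell whether ten failures in a minute or in a day fires the alert; the Linux table added in this same commit writes "over a 5-minute period" into its description, and these rows should state their window the same way. The descriptions also do not say which Windows event source each monitor reads, which a reader needs when tuning the threshold for their own environment. Separately, the hunk's context line shows a pre-existing typo in the preceding heading, `**WWindows - Security Monitoring - Critical Events**`; since this file is already being touched, fix it here.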

docs/integrations/pci-compliance/opentelemetry/linux-opentelemetry.md

Lines changed: 14 additions & 0 deletions
@@ -220,3 +220,17 @@ Use this dashboard to:
220220
- Monitor actions performed by users with administrative privileges.
221221

222222
<img src={useBaseUrl('https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/PCI-Compliance-For-Linux/OpenTelemetry/PCI-Compliance-Req-10.png')} alt="PCI Compliance for Linux dashboards" style={{border: '1px solid gray'}}/>
223+
224+
## Create monitors for PCI Compliance for Linux - OpenTelemetry app
225+
226+
import CreateMonitors from '../../../reuse/apps/create-monitors.md';
227+
228+
<CreateMonitors/>
229+
230+
### PCI Compliance for Linux - OpenTelemetry Alerts
231+
232+
| Name | Description | Alert Condition | Recover Condition |
233+
|:--|:--|:--|:--|
234+
| `PCI Linux - Excessive Failed Authentication` | This alert is triggered when multiple failed login attempts are detected over a 5-minute period, indicating potential brute force attempts and addressing PCI Requirement 10.2.4 for invalid logical access attempts. | Count > 5 | Count <= 5 |
235+
| `PCI Linux - Privileged User Account Changes` | This alert is triggered when privileged user accounts (UID < 1000 or root accounts) are created, deleted, or modified, addressing PCI Requirement 10.2.5 for changes to identification and authentication mechanisms. | Count > 0 | Count <= 0 |
236+
| `PCI Linux - Unauthorized Sudo Elevation` | This alert is triggered when unauthorized users attempt to use sudo, addressing PCI Requirement 7.2 for implementing an access control system for system components with multiple users. | Count > 2 | Count <= 2 |
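Review bot: the `PCI Linux - Unauthorized Sudo Elevation` row cites Requirement 7.2 but fires only at `Count > 2`, so the first two unauthorized sudo attempts in a window produce no alert, and neither the window nor the reason two attempts are tolerated is documented; either state both, or align the threshold with the `Count > 0` used for the privileged-account row. Two smaller points: the 5-minute window for Excessive Failed Authentication lives only in the description text, not in the Alert Condition column where a reader looks for it; and "UID < 1000 or root accounts" is redundant, since root is UID 0 and already falls under UID < 1000, so "system accounts (UID < 1000, including root)" reads cleaner. The recover conditions here use `Count <= N` while the other two files in this commit use `Count < N`; pick one form.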

docs/integrations/pci-compliance/opentelemetry/windows-json-opentelemetry.md

Lines changed: 16 additions & 0 deletions
@@ -264,3 +264,19 @@ Track user activities such as password changes, password resets, excessive faile
264264
Track your Windows Update activities.
265265

266266
<img src='https://sumologic-app-data-v2.s3.amazonaws.com/dashboards/PCI-Compliance-For-Windows-JSON/OpenTelemetry/Windows-PCI-Req-06-Windows-Updates-Activity.png' alt="Windows - PCI Req 06 - Windows Updates Activity" />
267+
268+
## Create monitors for PCI Compliance For Windows JSON - OpenTelemetry app
269+
270+
import CreateMonitors from '../../../reuse/apps/create-monitors.md';
271+
272+
<CreateMonitors/>
273+
274+
### PCI Compliance For Windows JSON - OpenTelemetry Alerts
275+
276+
| Name | Description | Alert Condition | Recover Condition |
277+
|:--|:--|:--|:--|
278+
| `Windows PCI - Critical Policy Changes` | This alert is triggered when modifications to security policies or audit policies are detected, indicating potential changes to the system's security posture. It supports PCI DSS Requirements 10.2.2 (Track changes to system-level objects) and 10.2.5.b (Track use of identification and authentication mechanisms). | Count >= 1 | Count < 1 |
279+
| `Windows PCI - Excessive Failed Login Attempts` | This alert is triggered when authentication failures across Windows environments are detected and analyzed, examining mechanisms like local Windows authentication, Kerberos, and network logons. It correlates failure patterns with specific error codes to identify potential security threats such as password guessing, account enumeration, or attempts to access disabled accounts. This helps security teams differentiate between benign issues and malicious activities. | Count >= 5 | Count < 5 |
280+
| `Windows PCI - Failed Windows Updates` | This alert is triggered when Windows Update failures are detected, which could leave systems vulnerable to known exploits. It aligns with PCI DSS Requirement 6.2 for installing critical security patches within one month of release. | Count >= 3 | Count < 3 |
281+
| `Windows PCI - Security Audit Log Tampering` | This alert is triggered when attempts to clear or tamper with Windows security audit logs are detected, indicating potential attempts to hide malicious activities. It supports PCI DSS Requirements 10.2 (Implement automated audit trails) and 10.3 (Record audit trail entries). | Count >= 1 | Count < 1 |
282+
| `Windows PCI - User Account State Change` | This alert is triggered when critical user account state changes are detected, including account creation, deletion, enablement, and disablement, to comply with PCI DSS Requirement 8.1.3 for immediately revoking access for terminated users. | Count >= 1 | Count < 1 |
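Review bot: the `Windows PCI - Excessive Failed Login Attempts` description runs three sentences about how failures are "detected and analyzed" and correlated with error codes, yet the Alert Condition is a bare `Count >= 5` with no window, so the description promises more than the monitor documents; trim it to the one-sentence form of the neighbouring rows and state the evaluation window. Also, the heading `## Create monitors for PCI Compliance For Windows JSON - OpenTelemetry app` capitalises "For" while the Linux counterpart in this commit writes "PCI Compliance for Linux"; make the product-name casing consistent across the three files.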
