{ "tags": [ { "type": "Alert", "name": "Failed Login", "description": "failed login attempt", "labels": [ { "name": "Failed Login", "color": "660066" } ], "patterns": [ "invalid user" ], "actions": [{ "type": "Alert", "min_matches_count": 20, "min_report_count": 1, "min_matches_period": "Hour", "min_report_period": "Hour" }] }, { "type": "Alert", "name": "CPU Threshold Breach", "description": "high cpu utilization", "labels": [ { "name": "High CPU", "color": "660066" } ], "patterns": [ "CPUUtilization AND average>90" ], "actions": [{ "type": "Alert", "min_matches_count": 20, "min_report_count": 1, "min_matches_period": "Hour", "min_report_period": "Hour" }] }, { "type": "AlertNotify", "sub_type": "InactivityAlert", "name": "No CloudWatch Stats", "description": "No stats received", "patterns": [ "target" ], "timeframe_value": 5, "timeframe_period": "Hour", "actions": [{ "type": "Alert", "min_report_count": 10, "min_report_period": "Hour" }] } ], "searches": [ { "name": "cpuutilization", "query": "where(CPUUtilization AND average>0) calculate(AVERAGE:average)" }, { "name": "cpuutilization_server", "query": "where(CPUUtilization AND average>0) GroupBy(target) calculate(AVERAGE:average)" }, { "name": "networkin", "query": "where(NetworkIn AND average>0) calculate(AVERAGE:average)" }, { "name": "networkout", "query": "where(NetworkOut AND average>0) calculate(AVERAGE:average)" }, { "name": "networkin_server", "query": "where(NetworkIn AND average>0) GroupBy(target) calculate(AVERAGE:average)" }, { "name": "networkout_server", "query": "where(NetworkOut AND average>0) GroupBy(target) calculate(AVERAGE:average)" }, { "name": "diskreadbytes", "query": "where(DiskReadBytes AND average>0) calculate(AVERAGE:average)" }, { "name": "diskreadbytes_server", "query": "where(DiskReadBytes AND average>0) GroupBy(target) calculate(AVERAGE:average)" }, { "name": "diskwritebytes", "query": "where(DiskWriteBytes AND average>0) calculate(AVERAGE)" }, { "name": "diskwritesbytes_server", "query": "where(DiskWriteBytes AND average>0) GroupBy(target) calculate(AVERAGE:average)" }, { "name": "logins", "query": "where(session opened for user) calculate(COUNT)" }, { "name": "failed_logins", "query": "where(invalid user) calculate(COUNT)" } ], "widgets": [ { "name": "CPU Load", "description": "Avg System CPU", "search_name": "cpuutilization", "type": "TimelineLineChart", "show_tooltip": true }, { "name": "CPU Load per Instance", "description": "CPU per Server", "search_name": "cpuutilization_server", "type": "BarChart" }, { "name": "NetworkInOut", "description": "Network Activity", "searches_names": [ "networkin", "networkout" ], "show_tooltip": true, "type": "Multiline" }, { "name": "NetworkOut Per Instance", "description": "NetworkOut per Server", "search_name": "networkout_server", "type": "BarChart" }, { "name": "Disk Activity", "description": "Disk Read and Writes", "searches_names": [ "diskreadbytes", "diskwritebytes" ], "show_tooltip": true, "type": "Multiline" }, { "name": "Number of Logins", "description": "SSH access", "search_name": "logins", "type": "Count" }, { "name": "Number of Failed Logins", "description": "Failed SSH access", "search_name": "failed_logins", "type": "Count" } ], "cards": [ { "name": "CPU Load", "description": "Avg System CPU", "queries": [{"leql": { "statement": "where(CPUUtilization AND average>0) calculate(AVERAGE:average)" }}], "visualization": "LINE", }, { "name": "CPU Load per Instance", "description": "CPU per Server", "queries": [{"leql": { "statement": "where(CPUUtilization AND average>0) GroupBy(target) calculate(AVERAGE:average)" }}], "visualization": "BAR" }, { "name": "NetworkOut Per Instance", "description": "NetworkOut per Server", "queries": [{"leql": { "statement": "where(NetworkOut AND average>0) GroupBy(target) calculate(AVERAGE:average)" }}], "visualization": "BAR" }, { "name": "Number of Logins", "description": "SSH access", "queries": [{ "leql": { "statement": "where(session opened for user) calculate(COUNT)" }}], "visualization": "COUNT" }, { "name": "Number of Failed Logins", "description": "Failed SSH access", "queries": [{"leql": { "statement": "where(invalid user) calculate(COUNT)" }}], "visualization": "COUNT" }, { "name": "NetworkInOut", "description": "Network Activity", "queries": [ {"leql": { "statement": "where(NetworkIn AND average>0) calculate(AVERAGE:average)" }},{"leql": { "statement": "where(NetworkOut AND average>0) calculate(AVERAGE:average)" }}], "visualization": "MULTILINE" }, { "name": "Disk Activity", "description": "Disk Read and Writes", "queries": [{"leql": { "statement": "where(DiskReadBytes AND average>0) calculate(AVERAGE:average)" }},{"leql": { "statement": "where(DiskWriteBytes AND average>0) calculate(AVERAGE:average)" }}], "visualization": "MULTILINE" }, ] }