Overview
Windows Performance Counters are tools for tracking system data like CPU, memory, disk, and network usage. This monitoring helps detect performance anomalies, which could indicate potential security threats. Using Argus, you can automate the collection, analysis, and alerting of performance metrics from Windows endpoints.
Key Steps in Monitoring
- List Available Counters:
- Use the PowerShell command Get-Counter -ListSet * to view all performance counters.
- To focus on a specific counter group, like “Memory,” use:
(Get-Counter -ListSet * | where {$_.CounterSetName -eq 'Memory'}).Paths
- Examples of counter paths:
- \Memory\Available Bytes
- \Processor(_Total)\% Processor Time
- Collect Metrics:
- Use PowerShell to gather specific metrics, e.g., CPU usage:
(Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0]
Integrating Argus for Monitoring
- Setup Infrastructure:
- Deploy an Argus server (v4.8.0) and install the Argus agent on Windows endpoints.
- Configure Argus Agent:
- Update the agent configuration file to run specific PowerShell commands for performance monitoring.
- Example for monitoring CPU usage:
<wodle name="command">
<disabled>no</disabled>
<tag>CPUUsage</tag>
<command>Powershell -c "@{ winCounter = (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples[0] } | ConvertTo-Json -compress"</command>
<interval>1m</interval>
</wodle>
- Commands for monitoring memory, network, and disk are similar.
- Restart Agent:
NET START Argus
- Create Server Rules:
- Add rules to detect and alert on performance anomalies.
- Example:
- Rule for high CPU usage:
<rule id="303001" level="5">
<field name="winCounter.CookedValue">^8\d\.\d+$</field>
<description>CPU Usage above 80%</description>
</rule>
- Restart Argus Manager:
sudo systemctl restart Argus-manager
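Added example, not code from the original guide or the Argus project: a small Python emulation of how the high-CPU rule above behaves when it reaches the server. The rule's field match is a regex applied to the text of the decoded value, so ^8\d\.\d+$ fires only for readings 80.x through 89.x; a 95% reading does not match, which is why a rule described as "above 80%" needs companion rules (or a numeric comparison) for the 90 to 100 range. The events below are constructed in the shape the wodle command emits (the Get-Counter sample wrapped in @{ winCounter = ... } and serialized by ConvertTo-Json); the Path value and all readings are made up. Argus rules use their own regex dialect, and Python's re module is assumed here to be a close enough stand-in for this pattern.

```python
import json
import re

# Constructed events in the shape the wodle above emits (the Get-Counter sample
# wrapped in @{ winCounter = ... } and piped through ConvertTo-Json -compress).
# Only the fields the rule needs are kept; the values are made up for illustration.
def constructed_event(cooked_value):
    """Build one agent event as the JSON text the agent would forward (constructed sample)."""
    return json.dumps({
        "winCounter": {
            "Path": "\\\\host\\processor(_total)\\% processor time",  # assumed sample path
            "CookedValue": cooked_value,
        }
    }, separators=(",", ":"))

SAMPLE_EVENTS = [constructed_event(v) for v in (12.5, 83.4, 95.0, 100)]

# The page's rule regex, with the dot escaped so it only matches a decimal point.
# The Argus rule engine has its own regex dialect; re is a stand-in for this pattern.
PAGE_RULE_REGEX = re.compile(r"^8\d\.\d+$")

def rule_matches(event_json, pattern=PAGE_RULE_REGEX):
    """Emulate <field name="winCounter.CookedValue">: the decoded value is matched as text."""
    value = json.loads(event_json)["winCounter"]["CookedValue"]
    return bool(pattern.match(str(value)))

def numeric_alert(event_json, threshold=80.0):
    """Compare the counter as a number instead, so 90-100% readings also raise an alert."""
    value = json.loads(event_json)["winCounter"]["CookedValue"]
    return float(value) > threshold

def evaluate(events):
    """Return (regex_hit, numeric_hit) per event for a side-by-side comparison."""
    return [(rule_matches(e), numeric_alert(e)) for e in events]

if __name__ == "__main__":
    for event, (regex_hit, numeric_hit) in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        value = json.loads(event)["winCounter"]["CookedValue"]
        print(f"{value:>6}  regex={regex_hit!s:5}  numeric={numeric_hit}")
```

Running the block prints one line per constructed reading: only 83.4 trips the page's regex, while the numeric comparison also flags 95.0 and 100. When you keep the regex form, pair the level-5 rule with further rules covering ^9\d\.\d+$ and ^100 (or cast the field to a number and compare) so readings between 90 and 100 are not silently dropped.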
Building Custom Dashboards
- Visualizations:
- Create visualizations in the Argus dashboard for CPU, memory, disk, and network metrics.
- Example for CPU:
- Y-axis: Maximum winCounter.CookedValue
- X-axis: Date Histogram (timestamp)
- Dashboards:
- Combine visualizations into a single dashboard for easy monitoring.
Advanced Features
- Custom Data Types:
- Modify the Argus template to change metric data types for better analysis.
- Re-indexing Data:
- Use Elasticsearch commands to update and re-organize indexed data.
Conclusion
This guide demonstrates how to use Argus to monitor critical Windows system metrics effectively, enhancing endpoint security through proactive anomaly detection.