In our previous blog post, we emphasized the importance of monitoring the average utilization of your infrastructure to detect anomalous behavior and prevent security incidents. Control “8.16 Monitoring activities” of the new ISO27001 standard explicitly requires that networks, systems, and applications be monitored for anomalous behavior, and that appropriate measures be taken to assess potential information security incidents.
An effective way to meet this requirement is to automate the monitoring itself. In this post, we show how to implement this with Zabbix, a powerful open-source monitoring tool. The prerequisite is an already running Zabbix system.
Prerequisites
- An already installed and functional Zabbix system
- Zabbix agent installed on the hosts to be monitored
- Linked standard template “Windows by Zabbix agent”
Adapting the Zabbix Standard Template
Ideally, we want to be informed of anomalous behavior across all our hosts. Therefore, it makes sense to make these adjustments directly in the standard template.
In this guide, we calculate the average CPU and RAM usage over the last 30 days and define triggers that warn on a deviation of ±20%.
Adding New Items
Open the template “Windows by Zabbix agent” and add two new items.
Item 1: Average CPU Usage (30 days)
- Name: Average CPU Usage (30 days)
- Key: avg_cpu_usage_30d (the key referenced by the trigger expressions below)
- Type: Calculated
- Data type: Numeric (float)
- Formula: avg(//system.cpu.util,30d)
- Units: %
- Update interval: 1d
Item 2: Average RAM Usage (30 days)
- Name: Average RAM Usage (30 days)
- Key: avg_ram_usage_30d (the key referenced by the trigger expressions below)
- Type: Calculated
- Data type: Numeric (float)
- Formula: avg(//vm.memory.util,30d)
- Units: %
- Update interval: 1d
Each item is recalculated once a day and holds the mean CPU or RAM usage of the preceding 30 days, which serves as the baseline for the triggers.
Creating the Triggers
Now we create triggers that warn of significant deviations.
Trigger 1: CPU Deviation
- Name: Average CPU Usage (30 days) above or below 20%
- Severity: Warning
- Expression:
abs(
last(/Windows by Zabbix agent/avg_cpu_usage_30d)
- avg(/Windows by Zabbix agent/avg_cpu_usage_30d,30d)
) > 0.2 * avg(/Windows by Zabbix agent/avg_cpu_usage_30d,30d)
Trigger 2: RAM Deviation
- Name: Average RAM Usage (30 days) above or below 20%
- Severity: Warning
- Expression:
abs(
last(/Windows by Zabbix agent/avg_ram_usage_30d)
- avg(/Windows by Zabbix agent/avg_ram_usage_30d,30d)
) > 0.2 * avg(/Windows by Zabbix agent/avg_ram_usage_30d,30d)
With these triggers, you will be alerted as soon as CPU or RAM usage deviates by more than 20% from the average utilization of the last 30 days.
This lets you detect anomalous behavior early and at the same time meets the monitoring requirement of ISO27001.
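As an added worked example (not code from the original post or from Zabbix), the following Python emulates the two building blocks above: the calculated item as a daily 30-day rolling mean of raw utilization samples, and the trigger expression abs(last - avg(…,30d)) > 0.2 * avg(…,30d) evaluated against that item's own history. It runs on constructed CPU samples and shows that, because the item is itself a 30-day average, a single-day spike stays well under the 20% threshold while a sustained shift in load does fire the trigger.

```python
"""Emulate the 30-day baseline item and the +/-20 % deviation trigger from the post."""
from statistics import fmean

WINDOW_DAYS = 30   # the 30d window in avg(//system.cpu.util,30d)
DEVIATION = 0.2    # the 0.2 factor in the trigger expression


def calculated_item_history(samples: list[float], window: int = WINDOW_DAYS) -> list[float]:
    """One value per day, like the calculated item with a 1d update interval.

    Each value is the mean of the last `window` raw samples (fewer samples are
    averaged while less than 30 days of history exist)."""
    return [fmean(samples[max(0, i - window + 1):i + 1]) for i in range(len(samples))]


def trigger_fires(item_history: list[float], deviation: float = DEVIATION,
                  window: int = WINDOW_DAYS) -> bool:
    """Evaluate abs(last(item) - avg(item,30d)) > 0.2 * avg(item,30d)."""
    if not item_history:
        return False  # no item value yet, nothing to compare against
    last = item_history[-1]
    baseline = fmean(item_history[-window:])  # avg of the item's own last 30 values
    return abs(last - baseline) > deviation * baseline


def evaluate(samples: list[float]) -> tuple[float, float, bool]:
    """Return (latest item value, baseline the trigger compares against, fired?)."""
    hist = calculated_item_history(samples)
    return hist[-1], fmean(hist[-WINDOW_DAYS:]), trigger_fires(hist)


# Constructed daily CPU samples in percent, not real monitoring data.
QUIET = [40.0] * 60            # two months of a steady 40 % load
SPIKE = QUIET + [100.0]        # a single day at 100 %
SHIFT = QUIET + [90.0] * 15    # load jumps to 90 % and stays there for 15 days

if __name__ == "__main__":
    for label, series in (("single-day spike", SPIKE), ("sustained shift", SHIFT)):
        last, base, fired = evaluate(series)
        print(f"{label}: item={last:.2f}% baseline={base:.2f}% fired={fired}")
```

The spike case ends with an item value of 42% against a baseline of about 40.07%, far below the 20% band, whereas the sustained shift reaches 65% against a baseline of about 46.67% and fires.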