Home
  •  

Center Database Data Drive Free Space Monitoring Alert

Microsoft.AdvancedThreatAnalytics.1_7.Center.CenterDatabaseDataDriveFreeSpaceMonitoringAlert (Rule)

Rule to monitor Microsoft ATA 1.7 Center - EventID 1001 - Center Database Data Drive Free Space Monitoring Alert

Knowledge Base article:

Summary

The ATA Center monitors the database drive free space.

Causes

The database drive free space is below the recommended monitor.

Resolutions

Add additional space to the database drive or move the database to a larger drive. See https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/ata-database-management

Element properties:

TargetMicrosoft.AdvancedThreatAnalytics.1_7.Center
CategoryAvailabilityHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
Center Database Data Drive Free Space Monitoring Alert Alert
Alert for rule Microsoft ATA 1.7 Center - EventID 1001 - Center Database Data Drive Free Space Monitoring Alert

Member Modules:

ID Module Type TypeId RunAs 
Microsoft.Windows.EventCollector DataSource Microsoft.Windows.EventCollector Default
System.Health.GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.AdvancedThreatAnalytics.1_7.Center.CenterDatabaseDataDriveFreeSpaceMonitoringAlert" Target="Microsoft.AdvancedThreatAnalytics.1_7.Center" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>AvailabilityHealth</Category>

  <DataSources>

    <DataSource ID="Microsoft.Windows.EventCollector" TypeID="Windows!Microsoft.Windows.EventCollector">

      <ComputerName>.</ComputerName>

      <LogName>Microsoft ATA</LogName>

      <AllowProxying>false</AllowProxying>

      <Expression>

        <SimpleExpression>

          <ValueExpression>

            <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

          </ValueExpression>

          <Operator>Equal</Operator>

          <ValueExpression>

            <Value Type="UnsignedInteger">1001</Value>

          </ValueExpression>

        </SimpleExpression>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="System.Health.GenerateAlert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>1</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_7.Center.CenterDatabaseDataDriveFreeSpaceMonitoringAlert.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

    </WriteAction>

  </WriteActions>

</Rule>