This monitor will look at the registry key that needs to be set to include command line in 4688 events
| Target | Microsoft.Windows.Server.DC.Computer |
| Parent Monitor | System.Health.ConfigurationState |
| Category | AvailabilityHealth |
| Enabled | True |
| Alert Generate | False |
| Alert Auto Resolve | True |
| Monitor Type | SecurityMonitoringMP.CommandLineAuditSetting |
| Remotable | True |
| Accessibility | Internal |
| RunAs | Default |
Home
<UnitMonitor ID="Security.Monitoring.IncludeCommandLineProcessCreationonDCs" Accessibility="Internal" Enabled="true" Target="Windows!Microsoft.Windows.Server.DC.Computer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="SecurityMonitoringMP.CommandLineAuditSetting" ConfirmDelivery="false">
<Category>AvailabilityHealth</Category>
<OperationalStates>
<OperationalState ID="RegValueBad" MonitorTypeStateID="RegValueBad" HealthState="Warning"/>
<OperationalState ID="RegValueGood" MonitorTypeStateID="RegValueGood" HealthState="Success"/>
</OperationalStates>
<Configuration>
<ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
</Configuration>
</UnitMonitor>