This monitor watches the audit policy settings for Special Group Logon. See https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/ for details.
| Target | Microsoft.Windows.Computer |
| Parent Monitor | System.Health.ConfigurationState |
| Category | AvailabilityHealth |
| Enabled | False |
| Alert Generate | False |
| Alert Auto Resolve | True |
| Monitor Type | Security.Monitoring.AuditPolMonitorType |
| Remotable | True |
| Accessibility | Internal |
| RunAs | Default |
Home
<UnitMonitor ID="Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers" Accessibility="Internal" Enabled="false" Target="Windows!Microsoft.Windows.Computer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Security.Monitoring.AuditPolMonitorType" ConfirmDelivery="false">
<Category>AvailabilityHealth</Category>
<OperationalStates>
<OperationalState ID="ResultBad" MonitorTypeStateID="ResultBad" HealthState="Warning"/>
<OperationalState ID="ResultGood" MonitorTypeStateID="ResultGood" HealthState="Success"/>
</OperationalStates>
<Configuration>
<IntervalSeconds>86400</IntervalSeconds>
<SyncTime/>
<SubCommandAuditSetting>Special Logon</SubCommandAuditSetting>
<Result>Success and Failure</Result>
</Configuration>
</UnitMonitor>