| DisplayName | Description | ID | Target | Category | Enabled | Instance Name | Counter Name | Frequency | Event_ID | Event Source | Alert Generate | Alert Severity | Alert Priority | Remotable | Event Log |
| Abnormal Behavior Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.AbnormalBehaviorSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Abnormal Protocol Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.AbnormalProtocolSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Abnormal Sensitive Group Membership Change Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.AbnormalSensitiveGroupMembershipChangeSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Abnormal Vpn Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.AbnormalVpnSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Account Enumeration Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.AccountEnumerationSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Brute Force Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.BruteForceSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Center Database Data Drive Free Space Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.CenterDatabaseDataDriveFreeSpaceMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Center Database Disconnected Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.CenterDatabaseDisconnectedMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Center External Ip Address Resolution Failure Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.CenterExternalIpAddressResolutionFailureMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Center Mail Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.CenterMailMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | ConfigurationHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Center Not Receiving Traffic Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.CenterNotReceivingTrafficMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Center Overloaded Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.CenterOverloadedMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Center Syslog Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.CenterSyslogMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | ConfigurationHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Certificate Expiry Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.CertificateExpiryMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | ConfigurationHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Database AtSVC Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseAtSvcBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database AtSVC Block Size | 300 | 0 | | False | | | True | |
| Database DNS Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseDnsBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database DNS Block Size | 300 | 0 | | False | | | True | |
| Database DRSR Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseDrsrBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database DRSR Block Size | 300 | 0 | | False | | | True | |
| Database GroupMembershipChangeEvent Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseGroupMembershipChangeEventBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database GroupMembershipChangeEvent Block Size | 300 | 0 | | False | | | True | |
| Database KerberosAP Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseKerberosApBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database KerberosAP Block Size | 300 | 0 | | False | | | True | |
| Database KerberosAS Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseKerberosAsBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database KerberosAS Block Size | 300 | 0 | | False | | | True | |
| Database KerberosTGS Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseKerberosTgsBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database KerberosTGS Block Size | 300 | 0 | | False | | | True | |
| Database LDAP Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseLdapBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database LDAP Block Size | 300 | 0 | | False | | | True | |
| Database LogicalActivity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseLogicalActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database LogicalActivity Block Size | 300 | 0 | | False | | | True | |
| Database LogonEvent Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseLogonEventBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database LogonEvent Block Size | 300 | 0 | | False | | | True | |
| Database LsaRPC Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseLsaRpcBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database LsaRPC Block Size | 300 | 0 | | False | | | True | |
| Database Netlogon Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseNetlogonBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database Netlogon Block Size | 300 | 0 | | False | | | True | |
| Database NTLM Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseNtlmBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database NTLM Block Size | 300 | 0 | | False | | | True | |
| Database NTLMEvent Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseNtlmEventBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database NTLMEvent Block Size | 300 | 0 | | False | | | True | |
| Database SAMR Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseSAMRBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database SAMR Block Size | 300 | 0 | | False | | | True | |
| Database ServiceControl Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseServiceControlBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database ServiceControl Block Size | 300 | 0 | | False | | | True | |
| Database ServiceInstalledEvent Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseServiceInstalledEventBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database ServiceInstalledEvent Block Size | 300 | 0 | | False | | | True | |
| Database SMB Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseSmbBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database SMB Block Size | 300 | 0 | | False | | | True | |
| Database SrvSVC Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseSrvSvcBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database SrvSVC Block Size | 300 | 0 | | False | | | True | |
| Database TaskScheduler Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseTaskSchedulerBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database TaskScheduler Block Size | 300 | 0 | | False | | | True | |
| Database VpnAuthenticationEvent Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseVpnAuthenticationEventBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database VpnAuthenticationEvent Block Size | 300 | 0 | | False | | | True | |
| Database Wmi Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.DatabaseWmiBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | Database Wmi Block Size | 300 | 0 | | False | | | True | |
| Directory Services Replication Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.DirectoryServicesReplicationSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| DNS Reconnaissance Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.DnsReconnaissanceSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Encryption Downgrade-Golden Ticket Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.EncryptionDowngradeGoldenTicketSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Encryption Downgrade-Over Pass-the-Hash Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.EncryptionDowngradeOverPasstheHashSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Encryption Downgrade-Skeleton Key Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.EncryptionDowngradeSkeletonKeySuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Encryption Downgrade Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.EncryptionDowngradeSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| EntityProfiler Event Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.EntityProfilerEventActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | EntityProfiler Event Activity Block Size | 300 | 0 | | False | | | True | |
| EntityProfiler Logical Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.EntityProfilerLogicalActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | EntityProfiler Logical Activity Block Size | 300 | 0 | | False | | | True | |
| EntityProfiler Network Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.EntityProfilerNetworkActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | EntityProfiler Network Activity Block Size | 300 | 0 | | False | | | True | |
| EntityReceiver Entity Batch Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.EntityReceiverEntityBatchBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | EntityReceiver Entity Batch Block Size | 300 | 0 | | False | | | True | |
| Enumerate Sessions Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.EnumerateSessionsSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| EventActivityProcessor Event Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.EventActivityProcessorEventActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | EventActivityProcessor Event Activity Block Size | 300 | 0 | | False | | | True | |
| EventActivityProcessor Postponed Event Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.EventActivityProcessorPostponedEventActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | EventActivityProcessor Postponed Event Activity Block Size | 300 | 0 | | False | | | True | |
| Forged Pac Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.ForgedPacSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Gateway Capture Network Adapter Faulted Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayCaptureNetworkAdapterFaultedMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Capture Network Adapter Missing Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayCaptureNetworkAdapterMissingMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | ConfigurationHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Directory Services Client Account Password Expiry Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | ConfigurationHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Directory Services Client Connectivity Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayDirectoryServicesClientConnectivityMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Disconnected Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayDisconnectedMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Domain Synchronizer Not Assigned Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayDomainSynchronizerNotAssignedMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | ConfigurationHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Low Memory Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayLowMemoryMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Overloaded Event Activities Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayOverloadedEventActivitiesMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Overloaded Network Activities Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayOverloadedNetworkActivitiesMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Radius Event Listener Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayRadiusEventListenerMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateways Outdated Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewaysOutdatedMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | ConfigurationHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Start Failure Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewayStartFailureMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Gateway Syslog Event Listener Monitoring Alert Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GatewaySyslogEventListenerMonitoringAlert | Microsoft.AdvancedThreatAnalytics.1_9.Center | AvailabilityHealth | True | | | 0 | 0 | | True | Warning | Normal | True | Microsoft ATA |
| Encryption Downgrade Suspicious Activity (Skeleton Key) Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.GoldenTicketSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Golden Ticket Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.HoneytokenActivitySuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Ldap Brute Force Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.LdapBruteForceSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| LogicalActivityTranslator Event Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.LogicalActivityTranslatorEventActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | LogicalActivityTranslator Event Activity Block Size | 300 | 0 | | False | | | True | |
| LogicalActivityTranslator Network Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.LogicalActivityTranslatorNetworkActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | LogicalActivityTranslator Network Activity Block Size | 300 | 0 | | False | | | True | |
| LogicalActivityTranslator Unique Entity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.LogicalActivityTranslatorUniqueEntityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | LogicalActivityTranslator Unique Entity Block Size | 300 | 0 | | False | | | True | |
| Malicious Service Creation Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.MaliciousServiceCreationSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Massive Object Deletion Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.MassiveObjectDeletionSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| NetworkActivityProcessor Network Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.NetworkActivityProcessorNetworkActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | NetworkActivityProcessor Network Activity Block Size | 300 | 0 | | False | | | True | |
| NetworkActivityProcessor Postponed Network Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.NetworkActivityProcessorPostponedNetworkActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | NetworkActivityProcessor Postponed Network Activity Block Size | 300 | 0 | | False | | | True | |
| Pass The Hash Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.PassTheHashSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Pass The Ticket Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.PassTheTicketSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Remote Execution Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.RemoteExecutionSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| Retrieve Data Protection Backup Key Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.RetrieveDataProtectionBackupKeySuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| SAMR Reconnaissance Suspicious Activity Rule | | Microsoft.AdvancedThreatAnalytics.1_9.Center.SamrReconnaissanceSuspiciousActivity | Microsoft.AdvancedThreatAnalytics.1_9.Center | SecurityHealth | False | | | 0 | 0 | | True | Error | Normal | True | Microsoft ATA |
| UniqueEntityProcessor Unique Entity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Center.UniqueEntityProcessorUniqueEntityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Center | PerformanceCollection | True | Microsoft ATA Center | UniqueEntityProcessor Unique Entity Block Size | 300 | 0 | | False | | | True | |
| ATA Gateway Failed to Authenticate Against the Domain Controller | Rule to monitor Microsoft ATA 1.9 Gateway - ATA Gateway Failed to Authenticate Against the Domain Controller | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.ActiveDirectoryAuthenticationFailure | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| Counters might be disabled in the registry | Rule to monitor Microsoft ATA 1.9 Gateway - Counters might be disabled in the registry | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.CountersDisabled | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| EntityResolver Activity Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.EntityResolverActivityBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | EntityResolver Activity Block Size | 300 | 0 | | False | | | True | |
| EntitySender Entity Batch Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.EntitySenderEntityBatchBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | EntitySender Entity Batch Block Size | 300 | 0 | | False | | | True | |
| EntitySender Entity Batch Send Time | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.EntitySenderEntityBatchSendTime | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | EntitySender Entity Batch Send Time | 300 | 0 | | False | | | True | |
| ATA Gateway Failed to Authenticate Against Center | Rule to monitor Microsoft ATA 1.9 Gateway - ATA Gateway Failed to Authenticate Against Center | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.FailedToAuthenticateAgainstCenter | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| ATA Gateway failed to establish connection to the ATA Center | Rule to monitor Microsoft ATA 1.9 Gateway - ATA Gateway failed to establish connection to the ATA Center | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.FailedToEstablishConnectionToCenter | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| ATA Gateway Failed to Parse SIEM Syslog Message | Rule to monitor Microsoft ATA 1.9 Gateway - ATA Gateway Failed to Parse SIEM Syslog Message | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.FailedToParseSyslog | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| ATA Gateway failed to query the domain controller using the LDAP protocol | Rule to monitor Microsoft ATA 1.9 Gateway - ATA Gateway failed to query the domain controller using the LDAP protocol | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.FailedToQueryDCUsingLDAPProtocol | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| ATA Gateway failed to synchronize the configuration from the ATA Center | Rule to monitor Microsoft ATA 1.9 Gateway - ATA Gateway failed to synchronize the configuration from the ATA Center | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.FailedToSynchronizeConfigurationFromCenter | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| ATA Gateway Failed to Validate Center Certificate Chain | Rule to monitor Microsoft ATA 1.9 Gateway - ATA Gateway Failed to Validate Center Certificate Chain | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.FailedToValidateCenterCertificateChain | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| ATA Gateway does not have enough memory | Rule to monitor Microsoft ATA 1.9 Gateway - ATA Gateway does not have enough memory | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.GatewayDoesNotHaveEnoughMemory | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| GatewayUpdaterResourceManager Commit Memory Max Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.GatewayUpdaterResourceManagerCommitMemoryMaxSize | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway Updater | GatewayUpdaterResourceManager Commit Memory Max Size | 300 | 0 | | False | | | True | |
| GatewayUpdaterResourceManager CPU Time Max \% | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.GatewayUpdaterResourceManagerCPUTimeMax_ | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway Updater | GatewayUpdaterResourceManager CPU Time Max \% | 300 | 0 | | False | | | True | |
| GatewayUpdaterResourceManager Working Set Limit Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.GatewayUpdaterResourceManagerWorkingSetLimitSize | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway Updater | GatewayUpdaterResourceManager Working Set Limit Size | 300 | 0 | | False | | | True | |
| There is a host entry in the HOSTS file pointing to the machine's shortname | Rule to monitor Microsoft ATA 1.9 Gateway - There is a host entry in the HOSTS file pointing to the machine's shortname | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.HostEntryInHOSTSFile | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| Message Analyzer is installed on the ATA Gateway | Rule to monitor Microsoft ATA 1.9 Gateway - Message Analyzer is installed on the ATA Gateway | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.MessageAnalyzerIsInstalledOnGateway | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| NetworkActivityTranslator Message Data 0 Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.NetworkActivityTranslatorMessageData0BlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | NetworkActivityTranslator Message Data 0 Block Size | 300 | 0 | | False | | | True | |
| NetworkListener ETW Dropped Events/Sec | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.NetworkListenerETWDroppedEvents_Sec | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | NetworkListener ETW Dropped Events/Sec | 300 | 0 | | False | | | True | |
| NetworkListener PEF Dropped Events/Sec | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.NetworkListenerPEFDroppedEvents_Sec | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | NetworkListener PEF Dropped Events/Sec | 300 | 0 | | False | | | True | |
| NetworkListener PEF Parsed Messages/Sec | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.NetworkListenerPEFParsedMessages_Sec | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | NetworkListener PEF Parsed Messages/Sec | 300 | 0 | | False | | | True | |
| There are other pending installations on your computer | Rule to monitor Microsoft ATA 1.9 Gateway - There are other pending installations on your computer | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.OtherPendingInstallations | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| PEF (Message Analyzer) was not installed correctly | Rule to monitor Microsoft ATA 1.9 Gateway - PEF (Message Analyzer) was not installed correctly | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.PEFWasNotInstalledCorrectly | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| PIDs was enabled for process names in the ATA Gateway | Rule to monitor Microsoft ATA 1.9 Gateway - PIDs was enabled for process names in the ATA Gateway | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.PIDsWasEnabledForProcessNamesInGateway | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | AvailabilityHealth | True | | | 0 | 0 | | True | Error | Normal | True | |
| RadiusEventActivityTranslator Radius Packet Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.RadiusEventActivityTranslatorRadiusPacketBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | RadiusEventActivityTranslator Radius Packet Block Size | 300 | 0 | | False | | | True | |
| SyslogEventActivityTranslator String Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.SyslogEventActivityTranslatorStringBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | SyslogEventActivityTranslator String Block Size | 300 | 0 | | False | | | True | |
| WefEventActivityTranslator String Block Size | 1.9 | Microsoft.AdvancedThreatAnalytics.1_9.Gateway.WefEventActivityTranslatorStringBlockSize | Microsoft.AdvancedThreatAnalytics.1_9.Gateway | PerformanceCollection | True | Microsoft ATA Gateway | WefEventActivityTranslator String Block Size | 300 | 0 | | False | | | True | |