| DisplayName | Description | ID | Target | Parent Monitor | Category | Enabled | Instance Name | Counter Name | Frequency | Alert Generate | Alert Severity | Alert Priority | Alert Auto Resolve | Monitor Type | Remotable | Accessibility | RunAs |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Security Monitoring: Account Logon Monitoring not Set on DCs | Monitors Logon auditing setting | Security.Monitoring.AuditAccountLogonDC | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | AvailabilityHealth | True | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Internal | |
| Security Monitoring: Account Logon Monitoring not Set on Member Servers | Monitors Logon auditing setting on Member Servers. | Security.Monitoring.AuditAccountLogonMS | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Internal | |
| Security Monitoring: Directory Service Change Monitoring not Set on DCs | Monitors directory service change auditing setting | Security.Monitoring.DirectoryServiceChangeAuditing | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | ConfigurationHealth | True | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Internal | |
| Security Monitoring: Include Command Line for Process Auditing Setting on DCs | This monitor will look at the registry key that needs to be set to include command line in 4688 events | Security.Monitoring.IncludeCommandLineProcessCreationonDCs | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | AvailabilityHealth | True | | | 0 | False | | | True | SecurityMonitoringMP.CommandLineAuditSetting | True | Internal | |
| Security Monitoring: Include Command Line for Process Auditing Setting on Member Servers | This monitor will look at the registry key that needs to be set to include command line in 4688 events | Security.Monitoring.IncludeCommandLineProcessCreationonMS | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False | | | 0 | False | | | True | SecurityMonitoringMP.CommandLineAuditSetting | True | Internal | |
| Security Monitoring: Check Authentication Packages Registry Key | Description for the new unit monitor. | Security.Monitoring.Monitors.AuthenticationPackages | Microsoft.Windows.Server.OperatingSystem | System.Health.SecurityState | AvailabilityHealth | True | | | 0 | True | Error | Normal | True | MultiStringRegMonitorType | True | Internal | |
| Security Monitoring: Process Creation Setting for Member Servers | Description for the new unit monitor. | Security.Monitoring.ProcessCreationMemberServer | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Public | |
| Security Monitoring: Audit Process Creation Set on DC | This Monitor is for Security Monitoring configuration settings only. It will not generate alerts, but the state view will show you where your gaps are in monitoring. This will monitor the Audit Process Creation setting on Domain Controllers. | Security.Monitoring.SecurityAudit.ProcessCreationDC | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | ConfigurationHealth | True | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Public | |
| Security Monitoring: Security Group Management Audit not Set on DCs | Monitors Account Management > Security Group Management for Domain Controllers | Security.Monitoring.SGManagementDC | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | AvailabilityHealth | True | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Internal | |
| Security Monitoring: Domain Controller Special Group Logon | This monitor watches the audit policy settings for Special Group Logon. See https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/ for details. | Security.Monitoring.SpecialGroupLogonAuditingEnabledonDC | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | AvailabilityHealth | True | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Internal | |
| Security Monitoring: Member Server Special Group Logon | This monitor watches the audit policy settings for Special Group Logon. See https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/ for details. | Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Internal | |
| Security Monitoring: User Account Management Audit Setting not Set on Member Servers | Monitors "Security Group Management" auditing setting | Security.Monitoring.UserAccountMgmtMS | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False | | | 0 | False | | | True | Security.Monitoring.AuditPolMonitorType | True | Internal | |
| Security Monitoring: Repeated RDP Logon Failures | | SecurityMonitoringMP.Event.RepeatedLogonMonitor | Microsoft.Windows.Server.OperatingSystem | System.Health.SecurityState | Custom | True | | | 0 | False | | | True | Microsoft.Windows.RepeatedEventLogTimer2StateMonitorType | True | Public | |
| A System - Is Pending Restart | A system has been identified as requiring a system restart. Not all features / functions will be available until after the restart has completed. | SecurityMonitoringMP.Event.SystemPendingRestart | Microsoft.Windows.Server.OperatingSystem | System.Health.AvailabilityState | Custom | False | | | 0 | True | Error | Normal | True | Microsoft.Windows.2SingleEventLog2StateMonitorType | True | Public | |
| Security Monitoring: Event Log Collector Service is stopped | | SecurityMonitoringMP.Health.EventCollectorMonitor | WindowsEventCollectorDiscovery.EventLogCollectorServer | System.Health.AvailabilityState | Custom | True | | | 0 | True | Error | Normal | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public | |
| Security Monitoring: UseLogonCredential key does not exist | | SecurityMonitoringMP.UseLogonCredentialExistsMonitor | Microsoft.Windows.Server.OperatingSystem | System.Health.SecurityState | Custom | False | | | 0 | True | Error | Normal | True | SecurityMonitoringMP.RegValueExistsMonitorType | True | Internal | |
| Security Monitoring: Wdigest passwords stored in clear text | | SecurityMonitoringMP.WDigestRegConfiguredMonitor | Microsoft.Windows.Server.OperatingSystem | System.Health.SecurityState | Custom | True | | | 0 | True | Error | Normal | True | SecurityMonitoringMP.RegValueMonitorType | True | Internal | |