All Unit Monitors in Security.Monitoring Management Pack

|  | DisplayName | Description | ID | Target | Parent Monitor | Category | Enabled | Instance Name | Counter Name | Frequency | Alert Generate | Alert Severity | Alert Priority | Alert Auto Resolve | Monitor Type | Remotable | Accessibility | RunAs |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Security.Monitoring.AuditAccountLogonDC | Security Monitoring: Account Logon Monitoring not Set on DCs | Monitors Logon auditing setting | Security.Monitoring.AuditAccountLogonDC | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | AvailabilityHealth | True |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Internal |  |
| Security.Monitoring.AuditAccountLogonMS | Security Monitoring: Account Logon Monitoring not Set on Member Servers | Monitors Logon auditing setting on Member Servers. | Security.Monitoring.AuditAccountLogonMS | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Internal |  |
| Security.Monitoring.DirectoryServiceChangeAuditing | Security Monitoring: Directory Service Change Monitoring not Set on DCs | Monitors directory service change auditing setting | Security.Monitoring.DirectoryServiceChangeAuditing | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | ConfigurationHealth | True |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Internal |  |
| Security.Monitoring.IncludeCommandLineProcessCreationonDCs | Security Monitoring: Include Command Line for Process Auditing Setting on DCs | This monitor will look at the registry key that needs to be set to include command line in 4688 events | Security.Monitoring.IncludeCommandLineProcessCreationonDCs | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | AvailabilityHealth | True |  |  | 0 | False |  |  | True | SecurityMonitoringMP.CommandLineAuditSetting | True | Internal |  |
| Security.Monitoring.IncludeCommandLineProcessCreationonMS | Security Monitoring: Include Command Line for Process Auditing Setting on Member Servers | This monitor will look at the registry key that needs to be set to include command line in 4688 events | Security.Monitoring.IncludeCommandLineProcessCreationonMS | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False |  |  | 0 | False |  |  | True | SecurityMonitoringMP.CommandLineAuditSetting | True | Internal |  |
| Security.Monitoring.Monitors.AuthenticationPackages | Security Monitoring: Check Authentication Packages Registry Key | Description for the new unit monitor. | Security.Monitoring.Monitors.AuthenticationPackages | Microsoft.Windows.Server.OperatingSystem | System.Health.SecurityState | AvailabilityHealth | True |  |  | 0 | True | Error | Normal | True | MultiStringRegMonitorType | True | Internal |  |
| Security.Monitoring.ProcessCreationMemberServer | Security Monitoring: Process Creation Setting for Member Servers | Description for the new unit monitor. | Security.Monitoring.ProcessCreationMemberServer | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Public |  |
| Security.Monitoring.SecurityAudit.ProcessCreationDC | Security Monitoring: Audit Process Creation Set on DC | This Monitor is for Security Monitoring configuration settings only. It will not generate alerts, but the state view will show you where your gaps are in monitoring. This will monitor the Audit Process Creation setting on Domain Controllers. | Security.Monitoring.SecurityAudit.ProcessCreationDC | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | ConfigurationHealth | True |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Public |  |
| Security.Monitoring.SGManagementDC | Security Monitoring: Security Group Management Audit not Set on DCs | Monitors Account Management > Security Group Management for Domain Controllers | Security.Monitoring.SGManagementDC | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | AvailabilityHealth | True |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Internal |  |
| Security.Monitoring.SpecialGroupLogonAuditingEnabledonDC | Security Monitoring: Domain Controller Special Group Logon | This monitor watches the audit policy settings for Special Group Logon. See https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/ for details. | Security.Monitoring.SpecialGroupLogonAuditingEnabledonDC | Microsoft.Windows.Server.DC.Computer | System.Health.ConfigurationState | AvailabilityHealth | True |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Internal |  |
| Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers | Security Monitoring: Member Server Special Group Logon | This monitor watches the audit policy settings for Special Group Logon. See https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/ for details. | Security.Monitoring.SpecialGroupLogonEnabledOnMemberServers | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Internal |  |
| Security.Monitoring.UserAccountMgmtMS | Security Monitoring: User Account Management Audit Setting not Set on Member Servers | Monitors "Security Group Management" auditing setting | Security.Monitoring.UserAccountMgmtMS | Microsoft.Windows.Computer | System.Health.ConfigurationState | AvailabilityHealth | False |  |  | 0 | False |  |  | True | Security.Monitoring.AuditPolMonitorType | True | Internal |  |
| SecurityMonitoringMP.Event.RepeatedLogonMonitor | Security Monitoring: Repeated RDP Logon Failures |  | SecurityMonitoringMP.Event.RepeatedLogonMonitor | Microsoft.Windows.Server.OperatingSystem | System.Health.SecurityState | Custom | True |  |  | 0 | False |  |  | True | Microsoft.Windows.RepeatedEventLogTimer2StateMonitorType | True | Public |  |
| SecurityMonitoringMP.Event.SystemPendingRestart | A System - Is Pending Restart | A system has been identified as requiring a system restart. Not all features / functions will be available until after the restart has completed. | SecurityMonitoringMP.Event.SystemPendingRestart | Microsoft.Windows.Server.OperatingSystem | System.Health.AvailabilityState | Custom | False |  |  | 0 | True | Error | Normal | True | Microsoft.Windows.2SingleEventLog2StateMonitorType | True | Public |  |
| SecurityMonitoringMP.Health.EventCollectorMonitor | Security Monitoring: Event Log Collector Service is stopped |  | SecurityMonitoringMP.Health.EventCollectorMonitor | WindowsEventCollectorDiscovery.EventLogCollectorServer | System.Health.AvailabilityState | Custom | True |  |  | 0 | True | Error | Normal | True | Microsoft.Windows.CheckNTServiceStateMonitorType | True | Public |  |
| SecurityMonitoringMP.UseLogonCredentialExistsMonitor | Security Monitoring: UseLogonCredential key does not exist |  | SecurityMonitoringMP.UseLogonCredentialExistsMonitor | Microsoft.Windows.Server.OperatingSystem | System.Health.SecurityState | Custom | False |  |  | 0 | True | Error | Normal | True | SecurityMonitoringMP.RegValueExistsMonitorType | True | Internal |  |
| SecurityMonitoringMP.WDigestRegConfiguredMonitor | Security Monitoring: Wdigest passwords stored in clear text |  | SecurityMonitoringMP.WDigestRegConfiguredMonitor | Microsoft.Windows.Server.OperatingSystem | System.Health.SecurityState | Custom | True |  |  | 0 | True | Error | Normal | True | SecurityMonitoringMP.RegValueMonitorType | True | Internal |  |