This is a template artifact to allow alerting on a monitoring artifact.
Simply enter ArtifactName and modify VQL as desired.
name: Server.Alerts.GenericMonitor
description: |
This is a template artifact to allow alerting on a monitoring artifact.
Simply enter ArtifactName and modify VQL as desired.
type: SERVER_EVENT
parameters:
- name: ArtifactName
default: Windows.ETW.ETWSessions
sources:
- query: |
SELECT * from watch_monitoring(artifact=ArtifactName)