When managing conditions under your policies, NinjaOne has many templates that can be selected to quickly add a series of condition types to your policy. When selecting Use Template, a pop-up window displays categorized templates and allows users to search for templates.
Below is a breakdown of each condition template. Use the following bullets to jump to the condition template you would like to learn more about:
- Antivirus
- Application Management
- Backup
- Hardware
- Network Management
- Security
- Server Management
- User Behavior
- Workstation Management
Antivirus
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| Webroot: Process Down | Process | Webroot SecureAnywhere Core Service, Webroot SecureAnywhere Endpoint Protection, WRCoreService, WRSkyClient, WRSVC | Down | 3 Minutes |
| Webroot: Daemon Down | Daemon | WSDaemon | Down | 3 Minutes |
| Sophos: Service Down | Windows Service | Sophos Agent, Sophos Anti-Virus, Sophos AutoUpdate Service, Sophos Client Firewall, Sophos Client Firewall Manager, Sophos Device Control Service, Sophos Device Encryption Service, Sophos Endpoint Defense Service, Sophos Patch Agent, Sophos Web Control Service, Sophos Web Intelligence Service, Sophos Web Intelligence Update, Sophos Web Filter Service, Sophos Network Treat Protection, Sophos System Protection Service, Sophos Clean Service, HitmanPo.Alert Service, Sophos Live Query, Sophos Safestore Service | Down | 3 Minutes |
| ESET: Service Down | Windows Service | ekmEpfw, ehttpsrv, ekrn, efdeais, efdesrv, EraAgentSvc | Down | 3 Minutes |
| Windows Defender: Service Down | Windows Service | windefend, mpssvc, MsMpEng, Windows Defender Service | Down | 3 Minutes |
| Trend Micro: Apex One Service Down | Windows Service | CETASvc, Trend Micro Endpoint Basecamp, Trend Micro Web Service Communicator, TmCCSF, tmlisten, ntrtscan, TmWSCSvc | Down | 3 Minutes |
| Trend Micro: Worry-Free Business Security Service Down | Windows Service | PccNTMon, PccNT, TmListen, NTRtScan, TmPfw, TMBMSRV | Down | 3 Minutes |
| Trend Micro: Service Down | Daemon | com.trendmicro.icore.main | Down | 3 Minutes |
| Kasperskey: Service Down | Windows Service | soyuz, angara | Down | 3 Minutes |
| Broadcom (Symantec) Endpoint Protection: Service Down | Windows Service | snc64, DoScan, Smc, SepMasterService, ccSvcHst | Down | 3 Minutes |
| Broadcom (Symantec) Endpoint Protection Manager : Service Down | Windows Service | SemSvc, SemLaumchSvc | Down | 3 Minutes |
| AVG: Service Down | Windows Service | AVG Antivirus, avgIDSAgent, AvgWscReporter, AVG Secure Browser Elevation Service, avg8wd, avgadmsv, avgtcpsv | Down | 3 Minutes |
| MalwareBytes: Service Down | Windows Service | MBAMService, MBEndpointAgent, MBAMIService, mbMgmtSvc, MsMpSvc, MBAMScheduler | Down | 3 Minutes |
| VIPRE: Service Down | Windows Service | VipreNis, SBAMSvc, ViprePPLSvc | Down | 3 Minutes |
| Panda: Service Down | Windows Service | NanoServiceMain, PandaAgent, pselamsvc, PSUAService, Panda VPN Service | Down | 3 Minutes |
Application Management
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| TeamViewer service down | Windows Service | TeamViewer | Down | 3 Minutes |
| Windows FTP - Services | Windows Service | MSFtpsvc | Down | 3 Minutes |
Backup
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| Windows Server Backup Service | Windows Service | SDRSVC | Down | 3 Minutes |
| Windows Server Backup Failure | Windows Event | Micrsoft-Windows-Backup | 5, 9, 17, 18, 19, 20, 21, 22, 49, 50, 52, 517, 518, 521, 527, 528, 544, 545, 546, 561, 564 | |
| Windows Server Backup Cancelled | Windows Event | Micrsoft-Windows-Backup | 8, 100, 612 | |
| Veeam: Agent Down | Windows Service | VeeamManagementAgentSvc, VeeamEndpointBackupSvc, VeeamBackupSvc | Down | 3 Minutes |
| Acronis: Backup Services Down | Windows Service | AcronisActiveProtectionService, mmsminisrv, afcdpsrv, AcrSch2Svc, syncagentsrv, MMS, AMS, AcronisMonitoringService, AcronisAgent, RpcEptMapper | Down | 3 Minutes |
| Altaro: Backup Services Down | Windows Service | Altaro.UI.Service.exe, Altaro.DedupService.exe, Altaro.SubAgent.exe, Altaro.SubAgent.N2.exe, Altaro.OffsiteServer.Service.exe, Altaro.OffsiteServer.UI.Service.exe, Altaro.DedupService.exe, Altaro.Agent.exe | Down | 3 Minutes |
| MSP360: Backup Services Down | Windows Service | Cloudberry Backup Service | Down | 3 Minutes |
| StorageCraft: Backup Services Down | Windows Service | StorageCraft ImageManager, StorageCraft ImageReady, StorageCraft SPX, StorageCraft EndPoint Agent, VSNAPVSS, raw_agent_svc, SPXService, stc_endpt_svc, ShadowProtectSvc, StorageCraft Raw Agent, SPXService, StorageCraft EndPoint Agent | Down | 3 Minutes |
| Datto: Backup Service Stopped | Windows Service | DattoBackupAgentService, DattoProvider, DattoCloudContinuity.exe | Down | 3 Minutes |
| Carbonite: Backup Service Stopped | Windows Service | CarboniteService, ZCBService, CSBFltrSrv, CSBUIService, CSBUIService-64, ZWCService | Down | 3 Minutes |
| N-able: Backup Service Down | Windows Service | Backup Service Controller | Down | 3 Minutes |
| Microsoft Backup: Event IDs | Windows Event | Microsoft-Windows-Backup | 4, 5, 8 | |
Hardware
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| Chassis Intrusion - Event IDs | Windows Event | Server Administrator | 1254 | |
| Drive Errors/RAID Failures - Event IDs | Windows Event | Disk | 7, 11, 41, 51, 29 | |
Network Management
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| TCP Max. Connection Limit Reached - Event IDs | Windows Event | tcpip | 4226 | |
| TCP/IP: Duplicate IP in Network - Event ID 1 | Windows Event | tcpip | 4199 | |
| TCP/IP: Duplicate IP in Network - Event ID 2 | Windows Event | netbt | 4319, 4320 |
Security
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| Windows Security Center Service is Down | Windows Service | wscvsvc | Down | 3 Minutes |
| Windows Security Account Manager is Down | Windows Service | SamSs | Down | 3 Minutes |
| User Account Created or Enabled | Windows Event | Microsoft-Windows-Security-Auditing | 4720, 4722 | |
| User Account Disabled or Deleted | Windows Event | Microsoft-Windows-Security-Auditing | 4725, 4726 | |
| User Account Password Change or Reset | Windows Event | Microsoft-Windows-Security-Auditing | 4723, 4724 | |
| User Account Failed to Login | Windows Event | Microsoft-Windows-Security-Auditing | 4625 | |
| Domain Controller Failed to Validate Credentials | Windows Event | Microsoft-Windows-Security-Auditing | 4777 | |
| User Account Locked Out | Windows Event | Microsoft-Windows-Security-Auditing | 4740, 6279 | |
| User Account Unlocked | Windows Event | Microsoft-Windows-Security-Auditing | 4767, 6280 | |
| Security-Enabled Group Created | Windows Event | Microsoft-Windows-Security-Auditing | 4727, 4731, 4754 | |
| Security-Enabled Group Changed | Windows Event | Microsoft-Windows-Security-Auditing | 4735, 4737 | |
| Security-Enabled Group Deleted | Windows Event | Microsoft-Windows-Security-Auditing | 4730, 4734, 4758 | |
| Member Added to Security-Enabled Group | Windows Event | Microsoft-Windows-Security-Auditing | 4728, 4732, 4756 | |
| Member Removed From Security-Enabled Group | Windows Event | Microsoft-Windows-Security-Auditing | 4729, 4733, 4757 | |
| Security Group's Type Changed | Windows Event | Microsoft-Windows-Security-Auditing | 4764 | |
| Windows Firewall Service Stopped | Windows Event | Microsoft-Windows-Security-Auditing | 5025, 5034 | |
| Windows Firewall Security Policy Issue | Windows Event | Microsoft-Windows-Security-Auditing | 5027, 5028, 5029 | |
| Windows Firewall Failed | Windows Event | Microsoft-Windows-Security-Auditing | 5030, 5035, 5037 | |
| Change Made to Windows Firewall Exceptions | Windows Event | Microsoft-Windows-Security-Auditing | 4946, 4947, 4948 | |
| Windows Firewall Settings Changed | Windows Event | Microsoft-Windows-Security-Auditing | 4950, 4951, 4854, 4956 | |
| DoS Attack Detected via Windows Filtering Platform | Windows Event | Microsoft-Windows-Security-Auditing | 5148 | |
| Windows Filtering Platform Blocked a Packet | Windows Event | Microsoft-Windows-Security-Auditing | 5150, 5151, 5152, 5153 | |
| Windows Filtering Platform Blocked a Connection | Windows Event | Microsoft-Windows-Security-Auditing | 5155, 5157, 5159 | |
| Image File Hashes Incorrect | Windows Event | Microsoft-Windows-Security-Auditing | 5038, 6281 | |
| Windows Security Event Log Cleared | Windows Event | Microsoft-Windows-Security-Auditing | 1102 | |
| Windows Security Event Log is Full | Windows Event | Microsoft-Windows-Security-Auditing | 1104 | |
Server Management
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| Active Directory Domain Controller - Services | Windows Service | NTDS, ADWS, Netlogon, DNS, DNScache, DHCP, DFSR, IsmServ, KDC, w32time, RPCSS, SAMSS, CertSvc, KPSSVC | Down | 3 Minutes |
| DHCP Server - Services | Windows Service | dhcpserver, dhcp, dns | Down | 3 Minutes |
| DNS Server - Services | Windows Service | Dnscache, DNS | Down | 3 Minutes |
| Hyper-V Server - Services | Windows Service | vmms, vmicheartbeat, HvHost | Down | 3 Minutes |
| Web Server IIS | Windows Service | WAS, W3SVC, iisadmin, httpfilter | Down | 3 Minutes |
| Windows Server Update Services | Windows Service | WSUSservice | Down | 3 Minutes |
| Windows Server Essentials Services | Windows Service | WseClientMgmtSvc, WseClientMonitorSvc, WseComputerBackupSvc, WseEmailSvc, WseHealthSvc, WseMgmtSvc, WseMediaSvc, WseNtfSvc, ServiceProviderRegistry, WseStorageSvc | Down | 3 Minutes |
| Exchange Server 2016 - Mailbox Services | Windows Service | MSExchangeMailboxReplication, HostControllerService, MSExchangeADTopology, MSComplianceAudit, MSExchangeCompliance, MSExchangeDagMgmt, MSExchangeDiagnostics, MSExchange Mitigation, MSExchangeFrontEndTransport, MSExchangeHM,MSExchangeHMRecovery, MSExchangeIS,MSExchangeMailboxAssistants, MSExchangeDelivery, MSExchangeSubmission, MSExchangeNotificationsBroker, MSExchangeRepl, MSExchangeRPC, MSExchangeFastSearch, MSExchangeServiceHost, MSExchangeThrottling, MSExchangeTransport | Down | 3 Minutes |
| Exchange Server 2019 - Mailbox Services | Windows Service | MSExchangeMailboxReplication, HostControllerService, MSExchangeADTopology, MSComplianceAudit, MSExchangeCompliance, MSExchangeDagMgmt, MSExchangeDiagnostics, MSExchange Mitigation, MSExchangeFrontEndTransport, MSExchangeHM,MSExchangeHMRecovery, MSExchangeIS,MSExchangeMailboxAssistants, MSExchangeDelivery, MSExchangeSubmission, MSExchangeRepl, MSExchangeRPC, MSExchangeFastSearch, MSExchangeServiceHost, MSExchangeThrottling, MSExchangeTransport | Down | 3 Minutes |
| Exchange Server 2016 / 2019 - Edge Transport Services | Windows Service | ADAM_MSExchange, MSExchangeEdgeCredential, MSExchangeDiagnostics, MSExchangeHM, MSExchangeHMRecovery, MSExchangeServiceHost, MSExchangeTransport, MSExchangeTransportLogSearch | Down | 3 Minutes |
| SQL Server 2016, 2017, 2019 - Services | Windows Service | MSSQLSERVER, SQLServerAgent, MSSQLServerOLAPService, ReportServer, MSDTSServer100, SQLBrowser, SQLWriter, MSSQLFDLauncher, MSDTC | Down | 3 Minutes |
| Ninja NMS Server | Windows Service | NinjaNetworkManageServer | Down | 3 Minutes |
| VMWare VirtualCenter Server | Windows Service | vpxd | Down | 3 Minutes |
| Veeam: Backup Server Services Down | Windows Service | VeeamBackupSvc, VeeamTransportSvc, VeeamCatalogSvc, VeeamDeploySvc, VeeamMountSvc, VeeamBrokerSvc, VeeamDistributionSvc, VeeamNFSSvc, VeeamGateSvc, VeeamManagementPortalSvc | Down | 3 Minutes |
| Storage Server - Services | Windows Service | DFS, DFSR, MSiSCSi, NtFRs, srmsvc | Down | 3 Minutes |
| HP Insight - Services | Windows Service | CqMgHost, CpqNicMgmt, CqMgServ, CqMgStor, hpqams, CpqRcmc, Cissesrv | Down | 3 Minutes |
| Hyper-V Replication Events | Windows Event | Microsoft-Windows-Hyper-V-VMMS | 32022, 29292, 32088 | |
| Active Directory Server - Services | Windows Service | KPSSVC, Netlogon, lanmanserver, dnscache, rpcss, samss, w32time, ismserv, laNmanworkstation | Down | 3 Minutes |
| Citrix Server - Services | Windows Service | Citrix_GTLicensingProv, Ctx_SMA, CitrixXTEServer, CitrixLicensing | Down | 3 Minutes |
| Exchange 2003 - Services | Windows Service | MSExchangeCoCo, MSExchangeES, IMAP4Svc, MSExchangeIS, MSExchangeMGMT, POP3Svc, RESvc, MSExchangeSRS, MSExchangeSA, MSExchangeMTA | Down | 3 Minutes |
| Exchange 2007 - Services | Windows Service | MSExchangeADTopology, MSExchangeIS, MSExchangeMailSubmission, MSExchangeRepl, MSExchangeTransport, MSExchangeTransportLogSearch, ADAM_MSExchange, EdgeCredentialSvc, MSExchangeEdgeSync, MSExchangeFDS, MSExchangeAntispamUpdate, MSExchangeIMAP4, MSExchangeMailboxAssistants, MSExchangeMonitoring, MSExchangePOP3, MSExchangeSearch, MSExchangeServiceHost, MSSpeechService, MSExchangeSA, MSExchangeUM, MSFTESQL-Exchange | Down | 3 Minutes |
| Exchange 2010 - Services | Windows Service | MSExchangeADTopology, MSExchangeIS, MSExchangeMailSubmission, MSExchangeRepl, MSExchangeTransport, MSExchangeTransportLogSearch, MSExchangeEdgeSync, MSExchangeFDS, MSExchangeAntispamUpdate, MSExchangeIMAP4, MSExchangeMonitoring, MSExchangePOP3, MSExchangeSearch, MSExchangeServiceHost, MSExchangeSA, MSExchange AB, MSExchangeFBA, MSExchangeMailboxAssistants, MSExchangeMailboxReplication, MSExchangeProtectedServiceHost, MSExchangeRPC, wsbexchange, MSExchangeThrottling | Down | 3 Minutes |
| Exchange 2013 - Services | Windows Service | MSExchangeADTopology, MSExchangeIS, MSExchangeRepl, MSExchangeTransport, MSExchangeTransportLogSearch, MSExchangeEdgeSync, MSExchangeAntispamUpdate, MSExchangeIMAP4, MSExchangeMonitoring, MSExchangePOP3, MSExchangeServiceHost, MSExchangeUM, MSExchangeDiagnostics, MSExchangeFrontEndTransport, MSExchangeHM, MSExchangeIMAP4BE, MSEchangeMailboxAssistants, MSExchangeMailboxReplication, MSExchangeDelivery, MSExchangeSubmission, MSExchangePOP3BE, MSExchangeRPC, MSExchangeFastSearch, HostControllerService,wsbexchange, MSExchangeThrottling, MSExchangeUMCR | Down | 3 Minutes |
| Exchange Server - Blacklisted Event ID 1 | Windows Event | msexchange* | 1002, 1003, 1012, 1013, 1113, 1309, 1333, 1400, 2050, 2102, 2103, 8206, 8207, 8213, 9690, 9665, 2060, 4018, 4057, 4114, 4126, 7004 | |
| Exchange Server Store - Blacklisted Event IDs | Windows Event | ExchangeStoreDB | 121, 142 | |
| FTP Server - Services | Windows Service | MSFtpsvc | Down | 3 Minutes |
| IIS Server - Services | Windows Service | W3SVC, iisadmin | Down | 3 Minutes |
| ISA 2004 - Services | Windows Service | fwsrv, isactrl, isasched, isastg, mssql$msfw | Down | 3 Minutes |
| MySQL Server - Services | Windows Service | MYSQL | Down | 3 Minutes |
| OS - Windows Server 2012 R2 Services | Windows Service | winmgmt, WmiApSrv, BFE", MSIServer, LmHosts, ProfSvc, iphlpsvc, gpsvc, BrokerInfrastructure, Dhcp, Power, VSS, Dnscache, PlugPlay, TermService, SessionEnv, Spooler, CertPropSvc, EventLog, MpsSvc, Schedule, server | Down | 3 Minutes |
| OS: Windows 2008/2008 R2 - Services | Windows Service | Browser, CryptSvc, DFSR, MMCSS, PlugPlay, Spooler, ProtectedStorage, seclogon, SensorDataService, dnscache, rpcss, samss, w32time, msdtc, remoteregistry, dcomlaunch, trkwks, ersvc, policyagent, wzcsvc, dhcpserver, wuaUserv, eVentlog, lAnmanserver, lAnmanworkstation, hElpsvc, dMserver | Down | 3 Minutes |
| OS: Windows Time Server - Services | Windows Service | w32time | Down | 3 Minutes |
| SQL Server 2005 - Services | Windows Service | mssqlserver, SQLSERVERAGEBT, MsDtsServer, sqlwriter, dtcmsdtc, MSSQLServerADHelper, MSSQLServerOLAPService, sqlbrowser, msfttesql, reportserver | Down | 3 Minutes |
| SQL Server 2008/2008 R2 - Services | Windows Service | MSFTESQL-Exchange, mssqlserver, SQLSERVERAGEBT, MsDtsServer, sqlwriter, msdtc, MSSQLServerADHelper, MSSQLServerOLAPService, sqlbrowser, ReportServer | Down | 3 Minutes |
| SQL Server 2012 - Services | Windows Service | mssqlserver, sqlserveragent, MSSQLServerOLAPService, sqlbrowser, SQLServerDistributedReplayClient, SQLServerDistributedReplayController, MsDtsServer110, ReportServer, sqlwriter | Down | 3 Minutes |
| SharePoint Server - Services | Windows Service | mssearch, spadmin, sptimerv3, sptrace | Down | 3 Minutes |
| Symantec Backup Exec - Services | Windows Service | BackupExecAgentBrowser, BackupExecDeviceMediaService, BackupExecJobEngine, BackupExecAgentAccelerator, BackupExecRPCService, ENL, RxASA, RxNoService, RxRMS, RxRSA, RxWebApp, RxWRG, rxWriterSvc, SUIR, bedbg, DLOAdminSvcu, DLOMaintenanceSvc, BackupExecNamingService | Down | 3 Minutes |
| Print Server - Services | Windows Service | Spooler | Down | 3 Minutes |
| Terminal Server - Services | Windows Service | TermService | Down | 3 Minutes |
User Behavior
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| Failed Login Attempts: Event ID 1 | Windows Event | logon/logoff | 4625 | |
| Failed Login Attempts: Event ID 2 | Windows Event | Account Logon | 4777 | |
| User Profile Load Failure - Event IDs | Windows Event | Microsoft-Windows | 1515, 1511, 1500, 6004 | |
Workstation Management
| Template Name | Condition | Process / Service / Source | Up / Down / Event IDs | Time / Text |
|---|---|---|---|---|
| OS - Windows 10 Services | Windows Service | Appinfo, UserManager, EventSystem, LanmanWorkstation, WlanSvc, hidserv,n DPS, BFE, wscsvc, AudioSrv, CoreMessagingRegistrar, LmHosts, ProfSvc, NcbService, iphlpsvc, NlaSvc, WdiServiceHost, SharedAccess, CryptSvc, BrokerInfrastructure, Dhcp, WinDefend, DeviceInstall, Power, Dnscache, Nla, NcdAutoSetup, eventlog, WdiSystemHost, PlugPlay, netprofm, Spooler, LanmanServer, RpcSs, KeyIso, DcomLaunch, DeviceAssociationService, LSM, FDResPub, fdPHost, VaultSvc | Down | 3 Minutes |
| OS: Windows 7 - Services | Windows Service | EventSystem, Eventlog, Netlogon, Power, Spooler, SensorDataService, ShellHWDetection, Schedule, Themes, ProfSvc, audioendpointbuilder, rpcss, samss, w32time, wuaserv, cryptsvc, dcomlaunch, trkwks, dhcpserver, bfe, uxsms, dps, fdrespub, nlasvc, plugplay, rpceptmapper, sysmain, audiosvc, fontcache, wsearch, gPsvc, iPhlpsvc, nSi, wScsvc, lAnmanserver, lAnmanworkstation, lMhosts, wInmgmt | Down | 3 Minutes |
| OS: Windows 8 - Services | Windows Service | Netlogon, schedule, sens, spooler, themes, cRyptsvc, lAnmanworkstation, lAnmanserver, lMhosts, pLugplay, rPcss, sAmss, sHellhwdetection, tRkwks, wInmgmt, wUauserv, w32TIme, audioendpointbuilder, audiosrv, brokerinfrastructure, cscservice, eventsystem, lsm, mmcss, power, profsvc, bFe, dComlaunch, dPs, eVentlog, fDrespub, fOntcache, gPsvc, iPhlpsvc, nLasvc, nSi, rPceptmapper, sYsmain, wScsvc, wSearch | Down | 3 Minutes |
| OS: Windows Vista - Services | Windows Service | EventSystem, Eventlog, Netlogon, Spooler, lAnmanworkstation, pLugplay, sAmss, w32TIme, wUAuserv | Down | 3 Minutes |