Reference: Event Rules

Use event rules to specify the heuristic parameters for which the targeted endpoints report performance events.

You can configure these event rules: CPU Critical, Application Crashes, Disk Latency, Available Memory, and Disk Capacity.

Some event rules have multiple parameters, such as CPU Critical. This rule has two rule blocks for Windows endpoints:

  1. CPU Kernel Time, which contains the conditions "CPU Utilization is greater than <your value> %" and "Kernel Time is greater than <your value> %"
  2. DPC Time is greater than <your value> %

In the CPU Kernel Time rule block, if you choose to monitor for both conditions (CPU Utilization and Kernel Time), they are joined by a Boolean AND, meaning both conditions must meet the specified thresholds to generate an event. Within the CPU Critical rule, if you choose to monitor both CPU Kernel Time and DPC Time, they are joined by a Boolean OR, meaning that an event is generated if either condition meets the specified thresholds.

If you add multiple event rules to a profile, such as CPU Critical and Application Crashes, the event rules are joined by a Boolean OR, meaning that an event occurs if the conditions for any of the event rules are met.

Profiles and the event rules that they contain do not determine what data is collected on endpoints. The same data is monitored on all endpoints that are targeted by a profile. Profiles determine which conditions on the endpoint generate a negative performance event.

After you add an event rule to a profile, select and configure the heuristics that you want to monitor.

CPU Critical

CPU Kernel Time monitoring is supported on Windows, macOS, and Linux endpoints. DPC Time monitoring is supported only for Windows endpoints. Load Average monitoring is supported only for macOS and Linux endpoints.

If you configure an event rule for CPU Kernel Time, the CPU Utilization and Kernel Time for targeted endpoints are monitored for the specified thresholds. A performance event occurs if the CPU utilization and kernel time are greater than the percentages that you configure in the rule (both conditions must be met for an event to occur).

If you configure an event rule for DPC time, processor DPC for targeted endpoints is monitored. Specify the highest DPC time that is allowed on an endpoint before a performance event occurs. An unusually high amount of time spent on deferred procedure calls on an endpoint could indicate a processor bottleneck or driver problem. For more information about DPC time, see Microsoft: Processor percent DPC time.

If you configure an event rule for Load Average, the load average for targeted endpoints is monitored. Specify the load average that is allowed on an endpoint before a performance event occurs.

In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.

If you choose to monitor both CPU Kernel Time and DPC Time (Windows endpoints) or both CPU Kernel Time and Load Average (macOS and Linux endpoints), a performance event occurs if either of the metrics meets the specified conditions for the specified duration.
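
The AND/OR and Duration semantics described above, modeled for a Windows endpoint over constructed samples. This is an added example, not product code. The Sample fields, the function names, the 10-second sampling interval, and the reading that each rule block must hold continuously for the Duration on its own are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:          # constructed reading, not real telemetry
    t: int             # seconds since observation began
    cpu: float         # CPU Utilization, %
    kernel: float      # Kernel Time, %
    dpc: float         # DPC Time, %

def sustained(samples, predicate, duration):
    """True if predicate holds on consecutive samples spanning >= duration seconds."""
    start = None
    for s in samples:
        if not predicate(s):
            start = None           # condition broke: the clock restarts
            continue
        if start is None:
            start = s.t
        if s.t - start >= duration:
            return True
    return False

def cpu_critical(samples, cpu_gt=None, kernel_gt=None, dpc_gt=None, duration=0):
    """Return the rule blocks that fire; any non-empty result is a performance event (OR)."""
    fired = []
    conds = []                     # CPU Kernel Time block: chosen conditions are ANDed
    if cpu_gt is not None:
        conds.append(lambda s: s.cpu > cpu_gt)
    if kernel_gt is not None:
        conds.append(lambda s: s.kernel > kernel_gt)
    if conds and sustained(samples, lambda s: all(c(s) for c in conds), duration):
        fired.append("CPU Kernel Time")
    if dpc_gt is not None and sustained(samples, lambda s: s.dpc > dpc_gt, duration):
        fired.append("DPC Time")
    return fired

# Constructed samples, one every 10 seconds (assumed interval).
SAMPLES = [
    Sample(0, 95, 20, 5), Sample(10, 96, 85, 5), Sample(20, 97, 88, 5),
    Sample(30, 97, 30, 40), Sample(40, 98, 90, 45), Sample(50, 98, 91, 50),
    Sample(60, 50, 10, 55),
]

if __name__ == "__main__":
    # CPU stays above 90% for 50 s, but kernel time dips at t=30, so the AND block
    # never holds for 30 s; DPC time holds from t=30 to t=60 and fires on its own.
    print(cpu_critical(SAMPLES, cpu_gt=90, kernel_gt=80, dpc_gt=30, duration=30))
```

Dropping the Kernel Time condition (cpu_gt only) makes the same samples fire the CPU Kernel Time block, which is why the choice of conditions inside a block matters as much as the thresholds.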

Application Crashes

You can monitor this event rule only on Windows endpoints.

This event rule monitors the Windows Event Log for targeted endpoints. An event occurs if an application crashes.

Disk Latency

You can monitor this event rule on Windows, macOS, and Linux endpoints.

You can create event rules for Read Latency, Write Latency, or both.

In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.

If you choose to monitor both Read Latency and Write Latency, a performance event occurs if either metric meets the specified condition for the specified duration.

Available Memory

You can monitor this event rule on Windows, macOS, and Linux endpoints.

You can create event rules for available memory by MB, percentage of total memory, or both.

In the Duration field, specify the amount of time that the specified conditions must be present to trigger a performance event.

If you choose to monitor available memory by both MB and percentage of total memory, an event occurs if either metric meets the specified condition for the specified duration.

Disk Capacity

You can monitor this event rule on Windows, macOS, and Linux endpoints.

You can create an event rule for free disk space by MB, percentage of total disk capacity, or both.

If you choose to monitor free disk space by both MB and percentage of total disk capacity, an event occurs if either metric meets the specified conditions.

Last updated: 9/4/2019 9:07 AM