Customising SCOM EVENT ID alert message
Hi all,

I have a rule configured to alert on Domain Admin group membership changes. What I'm hoping for help on is customising the report message so I can cherry-pick data to present, as this one also goes to a management team. The rule uses Parameter 3 to only report on the group called "Domain Admins", but how can I push Parameter 3, and I assume other parameters, to the custom alert fields?

I know when I do this stuff in PowerShell using the Get-WinEvent command, if I want to grab specific information I'm doing something like the below, and I'm essentially wanting to report in the same way, so I need to extract from the SCOM alert the GroupName affected (I will be doing more than just Domain Admins, hence wanting this to be dynamic), Account added, and Admin making the change, without putting in the whole event description, so it reads better.

    # $securitylog and $DC are set elsewhere in the script
    $table = @()   # initialise so += appends to an array
    $AGG = Get-WinEvent -FilterHashtable @{Path="$securitylog";ID="4728"} -ComputerName $DC -ErrorAction SilentlyContinue
    foreach ($entry in $AGG) {
        $table += New-Object -TypeName psobject -Property @{
            Action    = "Added Account to Domain Local Group"
            Time      = Get-Date $entry.TimeCreated
            # Properties[] is zero-based: [3]\[2] = group domain\group name
            GroupName = $entry.Properties[3].Value+'\'+$entry.Properties[2].Value
            # [7]\[6] = domain\user of the account that made the change
            Admin     = $entry.Properties[7].Value+'\'+$entry.Properties[6].Value
            # [1] is the added member's SID, translated to an account name
            Account   = (New-Object System.Security.Principal.SecurityIdentifier($entry.Properties[1].Value.Value)).Translate([System.Security.Principal.NTAccount]).Value
            DC        = $DC
        }
    }
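An added example, not part of the original post: it reads the fields of a 4728 event by name and shows which 1-based SCOM parameter each one corresponds to (the script's zero-based `Properties[2]` is Parameter 3). The sample event is constructed, the helper name `ConvertFrom-GroupChangeXml` is hypothetical, and the `$Data/Params/Param[N]$` form assumes an event-based rule, since a monitor addresses its parameters differently.

```powershell
# Constructed sample of one 4728 event as XML (the shape $entry.ToXml() returns); all values are made up.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID></System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Staff,DC=example,DC=test</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">admin.one</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

function ConvertFrom-GroupChangeXml {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$EventXml)
    $fields = @{}; $scom = @{}; $n = 0
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
        $n++                                  # SCOM Param[] is 1-based; Properties[] is 0-based
        $name = $d.GetAttribute('Name')
        $fields[$name] = $d.InnerText
        # Single quotes keep $Data literal; this is the placeholder, not a PowerShell variable
        $scom[$name] = '$Data/Params/Param[{0}]$' -f $n
    }
    [pscustomobject]@{
        GroupName = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        Account   = $fields['MemberName']
        Admin     = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
        # Alert description built from placeholders instead of the whole event description
        AlertText = 'Group: {0} | Account added: {1} | Changed by: {2}\{3}' -f `
            $scom['TargetUserName'], $scom['MemberName'],
            $scom['SubjectDomainName'], $scom['SubjectUserName']
    }
}

ConvertFrom-GroupChangeXml -EventXml $sampleXml | Format-List
```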