Now that I stepped away and worked on another task, I saw I could build out the 
logic. I was so focused on how the information was presented in the console that I 
thought I couldn't do it, but once I flipped the AND/OR statement it made sense 
that I could do it.

It's now working:

In case it benefits anyone else, here is the Expression you can tweak to suit 
your use case:

  <Expression>
    <And>
      <Expression>
        <Or>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">4728</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">4732</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">4756</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </Or>
      </Expression>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="String">PublisherName</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="String">Microsoft-Windows-Security-Auditing</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="String">Params/Param[3]</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="String">Domain Admins</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </And>
  </Expression>
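
As an added example (not the list's or the poster's code), here is a small Python evaluator for this Expression shape that applies the And/Or nesting of the rule above, which is also the formula asked for in the original question below, to constructed sample events; 4728/4732/4756 are the Windows audit events for a member added to a security-enabled global/local/universal group, so the rule fires only on additions to Domain Admins. Assumed: an event is a dict keyed by the rule's XPath strings (an approximation of SCOM's XPath lookup), and any Operator other than Equal is treated as not-equal.

```python
import xml.etree.ElementTree as ET

# Constructed helper: one <SimpleExpression> in the same shape as those in the rule above.
def simple(xpath, typ, value):
    return (f'<Expression><SimpleExpression><ValueExpression><XPathQuery Type="{typ}">'
            f'{xpath}</XPathQuery></ValueExpression><Operator>Equal</Operator><ValueExpression>'
            f'<Value Type="{typ}">{value}</Value></ValueExpression></SimpleExpression></Expression>')

# Same nesting as the working rule: (4728 OR 4732 OR 4756) AND publisher AND Param[3].
RULE_XML = ('<Expression><And><Expression><Or>'
            + simple("EventDisplayNumber", "UnsignedInteger", 4728)
            + simple("EventDisplayNumber", "UnsignedInteger", 4732)
            + simple("EventDisplayNumber", "UnsignedInteger", 4756)
            + '</Or></Expression>'
            + simple("PublisherName", "String", "Microsoft-Windows-Security-Auditing")
            + simple("Params/Param[3]", "String", "Domain Admins")
            + '</And></Expression>')

def coerce(text, typ):  # honour the Type attribute: UnsignedInteger compares numerically
    return int(text) if typ == "UnsignedInteger" else text

def evaluate(expr, event):
    """Recursively evaluate an <Expression> element against an event dict keyed by XPath."""
    node = expr[0]  # the single child: And, Or or SimpleExpression
    if node.tag == "And":
        return all(evaluate(child, event) for child in node)
    if node.tag == "Or":
        return any(evaluate(child, event) for child in node)
    if node.tag == "SimpleExpression":
        query = node.find("ValueExpression/XPathQuery")
        literal = node.find("ValueExpression/Value")
        raw = event.get(query.text)
        if raw is None:  # field absent from the event: the comparison cannot match
            return False
        left = coerce(str(raw), query.get("Type"))
        right = coerce(literal.text, literal.get("Type"))
        return left == right if node.findtext("Operator") == "Equal" else left != right
    raise ValueError(f"unsupported expression node <{node.tag}>")

def rule_matches(event, rule_xml=RULE_XML):
    return evaluate(ET.fromstring(rule_xml), event)

# Constructed sample events, keyed the way the rule's XPath queries address them.
PUB = "Microsoft-Windows-Security-Auditing"
SAMPLE_EVENTS = [
    {"EventDisplayNumber": 4728, "PublisherName": PUB, "Params/Param[3]": "Domain Admins"},  # global group add
    {"EventDisplayNumber": 4756, "PublisherName": PUB, "Params/Param[3]": "Domain Admins"},  # universal group add
    {"EventDisplayNumber": 4728, "PublisherName": PUB, "Params/Param[3]": "Helpdesk"},       # wrong group
    {"EventDisplayNumber": 4729, "PublisherName": PUB, "Params/Param[3]": "Domain Admins"},  # removal, not in the OR
]
```

Only the first two sample events satisfy all three AND branches; the 4729 removal shows that the OR list, not the publisher or group alone, decides whether the rule fires.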

From: [email protected] [mailto:[email protected]] On 
Behalf Of Orlebeck, Geoffrey
Sent: Wednesday, July 27, 2016 11:42 AM
To: '[email protected]'
Subject: [msmom] Event Detection Help:

I am attempting this for the first time and I'm not sure the best approach:

I am writing a rule to alert based on EventSource and Parameter 3 and multiple 
Event IDs. The part that I'm stumbling on is using AND/OR logic if EventSource 
and Params/Param[3] are an AND statement while EventID is an 'or' statement 
within the 'and' expression. The formula would look like this:

  * ( ( Event Source Equals Microsoft-Windows-Security-Auditing ) AND ( Parameter 3 Equals TestGroup ) AND ( ( Event ID Equals 1 ) OR ( Event ID Equals 2 ) OR ( Event ID Equals 3 ) ) )

EventSource and Parameter 3 will always be static, but I want to alert whether 
the EventID is 1, 2, or 3. When I create a Rule within the SCOM console, it 
doesn't look like I can do a grouped OR expression within an AND expression. 
Please correct me if I'm wrong.

The other way I thought of accomplishing this is via VSAE, defining multiple 
data sources (one for each Event ID). However, once I filled them out it 
complained about not having a condition detection. I have never worked with 
Condition Detection, so I referenced this link 
(https://msdn.microsoft.com/en-us/library/ee533928.aspx). 
It now makes sense why a condition detection is needed with multiple data 
sources. The issue I'm up against is not knowing which Module Type I need for 
the condition detection. How do you know which one is appropriate? Is MSDN the 
only resource or are there others out there? I've been looking for examples 
online, but the only examples I find do not match the AND/OR logic above.

Are either of these approaches the preferred method? Or is there a better way I 
am not aware of? Any help is appreciated. Thank you.

-Geoff