At IT/Dev Connections 2015, Maarten Goet provided an excellent demo in his session “Operations Management Suite for the System Center Operations Manager Administrator”, where he showcased how you can gather information in OMS for intrusion detection and send an email when the condition occurs. This was a very interesting set of functionality to see demonstrated on OMS, as OMS functions very differently than Operations Manager. As an example, in Operations Manager you can detect a low disk space condition and then send a notification via email to an administrator that the low disk space condition has occurred. Currently OMS does not provide a method to send a notification when a condition occurs. So, to use this same example, if you collected information on low disk space conditions, there is no built-in method in OMS to alert when they occur.
Maarten’s demo showcased an example of how Azure Automation could be used to send an email when a particular condition was detected in OMS (in this case an account breach attempt). His demo showed how to get information into OMS and how to take the next logical step to provide a rudimentary form of notification for OMS.
When I communicated with Maarten on this topic, he referred me to a couple of Tiander Turpijn’s blog posts, which are available at: https://azure.microsoft.com/en-us/blog/leveraging-the-oms-search-api-in-an-azure-automation-runbook/ and https://azure.microsoft.com/en-us/blog/powershell-module-for-the-oms-search-api/. The first blog post shows an example of sending an email when a condition is matched in OMS. The process involves the installation of an Azure Hybrid Runbook worker, the ARM client and creation of an OMS Search API runbook, among other steps, but having seen this in action, it is pretty darn cool when it is all working!
If you are interested in sending email based upon information in OMS, I highly recommend taking a look at the blog posts above.
Update: Stanislav (https://cloudadministrator.wordpress.com/) provided feedback recommending a different module for these types of actions:
“This module offers better options btw powershellgallery.com/packages/OMSSe… and it is available in PowerShell Gallery”