Hello,
I am running SCOM 2019, and I setup an alert to e-mail me when a certain process is created. The alert is working, however the alert is incomplete. The Event Log shows the path where the executable was created (Ex. New Process Name=C:\Steam\Steam.exe). The e-mail that I get shows "New Process Name=C". How do I get it to show the full path so I can determine if this is a false alert?
Hi,
can you post a couple of screenshots, shwoing your subscription configuration. Are you using HTML enrichment?
Thanks and Regards,
Stoyan
Hello,
This is the alert response for the rule I created. I am monitoring an event that gets logged in the Security log, and I am looking for a specific word in the log. The log entry has a line that says "NewProcessName=C:\Steam\Steam.exe". This is what the e-mail shows: I tried HTML enrichment, and I get the same thing.
Alert: MSSD-Blocked Program Alert-Steam
Source: MyPC
Path: Not Present
Last modified by: System
Last modified time: 3/22/2022 4:43:09 PM Alert description: Event Description: A new process has been created.
Creator Subject:
Security ID: DOMAIN\User
Account Name: User
Account Domain: DOMAIN
Logon ID: 0xbbc6a
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x3330
New Process Name: C
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x24c4
Creator Process Name: C
Process Command Line:
5 people are following this question.
