How to retrieve the current state of an Alert in Azure using Powershell - powershell

I'm writing a Powershell runbook that will scale up a VM ScaleSet until an Application Insights alert is resolved.
To do this, I need to query the status of the alert in my Powershell script, ie no if an alert has been triggered or resolved.
I have tried to use Get-AzureRmAlertRule and Get-AzureRmAlertHistory, but this only gives me respectively the disabled/enabled state of the alert rule, or the actions that were perform on the rule itself (ie updating the rule, or deleting the alert, etc).
Is there any way to simply know if an alert is currently being triggered or resolved?

So I'm actively working through this issue too and thought I would share what I found.
The following was pulled from Microsoft documentation:
The Get-AzureRmAlertHistory cmdlet gets the history of alerts as they are enabled, disabled, fired, resolved, and so on.
While messing around with this command, I found that if you don't give it any parameters, it will only return history for the current day; however, when you use the -StartTime and -EndTime parameters you can obtain details of alerts from further in the past.
While this doesn't give you the current status of an alert in a single command, can throw together some logic that will grab the latest alert within a given time range and check the status there.
For my purposes, this code with check the status of a sibling alert from within a runbook that was called from the alert webhook. So I can gather the time ranges based on the data provided in the webhook. I know this isn't a perfect solution for all cases, but at least it could be used as a starting point.
Note: The version of the AzureRM.Insights module I'm working with is 3.2.1 behavior may differ depending on the version of this module you're using.
As I continued to work on the code, I found that there are some issues with filtering with the -ResourceId parameter. When you provide the ResourceId for the alert that you want to find history on, it won't return any result. From what I can tell, the ResourceId isn't populated when the alert objects are returned when using the Get-AzureRmAlertHistory cmdlet with just the -ResourceId parameter. I did manage to find two ways to get this to work though.
Pass the -DetailedOutput parameter in before the -ResourceId parameter. It turns out that the ResourceId is populated in the DetailedOutput and can be matched there; however, if you pass the -ResourceId in first, the cmdlet acts as though it evaluates that first prior to bringing back the detailed output.
Get-AzureRmAlertHistory -StartTime 2018-01-16 -EndTime 2018-01-17 -DetailedOutput -ResourceId $AlertResourceID
The property CorrelationId contains within it the ResourceId. Using the Where-Object syntax, you can match on your ResourceId using Regex.
Get-AzureRmAlertHistory -StartTime 2018-01-16 -EndTime 2018-01-17 | Where-Object {$_.CorrelationId -Match "$AlertResourceID/incidents/.*"}
Now that you have the records you want, you can use a simple Sort-Object on the -EventTimestamp property and assign the results to a variable. Then if you reference the -1 index of the variable you assigned your results to, it should give you the latest alert instance along with the alert Status.
$AlertHistory = Get-AzureRmAlertHistory -StartTime 2018-01-16 -EndTime 2018-01-17 | Where-Object {$_.CorrelationId -Match "$AlertResourceID/incidents/.*"} | Sort-Object -Property EventTimestamp;


Get AD user by providing fullName and manager full name

It might look silly but I'm struggling with finding user with Powershell by providing his full name and his manager full name. Purpose of script is to get SamAccountName and Email Address by using mentioned values which are provided by other team (these are the only unique values I get - getting user by Full Name is not any kind of problem, but it's possible that it'll return multiple results, and that's why Manager Full Name would determine appropriate result).
First I was using simple command
Get-ADUser -server $gc -Filter { (CN -eq $uFullName) -and (extensionAttribute4 -eq $mFullName) }
It worked great, but unfortunately I noticed that not all accounts use extensionAttribute4 to hold manager full name. I thought of using Filter on manager property but when I tried to use (Manager -like "*value*") it returned that like operator isn't supported by this attribute.
I'm still trying to find solution for this but maybe someone will have some solution to this situation.
Thank you in advance.

Setting a DateTime to $null/empty using PowerShell and the SCSM cmdlets

I'm currently trying to sync additional attributes from the AD (Active Directory) for user objects in SCSM (System Center Service Manager) using a PowerShell script.
The extension I wrote for this, includes an attribute for the expiration date of a AD user account (DateTime value, named DateTimeAttribute in the example) if the user account doesn't expire it should be empty/null.
Using Import-SCSMInstance, which should be similar to a CSV import, it kind of works by passing "null" for the field. The problem is that Import-SCSMInstance seems to be quite unreliable and it doesn't offer any kind of information of why it works or doesn't work. Using Update-SCSMClassInstance seems to work a lot better but I can't figure out a way to clear the field using this and even using [DateTime]::MinValue will result in an error, stating that it's an invalid value.
So would anyone have an idea on how to clear the value using Update-SCSMClassInstance or figure out why Import-SCSMInstance might or might not work?
A simple example for this could look like the following:
$server = "<ServerName>"
$extensionGuid = "<GUID>"
Import-Module 'C:\Program Files\System Center 2012 R2\Service Manager\Powershell\System.Center.Service.Manager.psd1'
New-SCManagementGroupConnection -ComputerName $server
$extensionClass = Get-SCSMClass -Id $extensionGuid
$scsmUserObject = Get-SCSMClassInstance -Class $extensionClass -Filter 'UserName -eq "<User>"'
# Error
$scsmUserObject.DateTimeAttribute = ""
# Works but fails on Update-SCSMClassInstance
$scsmUserObject.DateTimeAttribute = $null
$scsmUserObject.DateTimeAttribute = [DateTime]::MinValue
# Works
$scsmUserObject.DateTimeAttribute = "01-01-1970"
Update-SCSMClassInstance -Instance $scsmUserObject
It seems that you can't clear a date once it's filled. When you write $null, it sets the date to 1-1-0001 01:00:00, which is an invalid date causing the update-scsmclassinstance to fail.
What we have set as a user's AD property when we don't want something to expire, is 2999-12-31 (yyyy-MM-dd). Perhaps this could help, although it's not directly what you asked for...
Also, you can use the pipeline to update a property in SCSM:
Get-SCSMClassInstance -Class $extensionClass -Filter 'UserName -eq "<User>"' | % {$_.DateTimeAttribute = <date>; $_} | update-scsmclassinstance
It doesn't look like it's currently possible to clear custom date attributes using the PowerShell cmdlets.

Sitecore powershell console not displaying state field

I've a sitecore template with field name state. Where a state field has a drop link field which displays the country states from "Country State" node.
I'm trying to write a query which shows all the courses with given states.
But when I run the query below it shows "Sitecore.Data.Items.ItemState".
gci -recurse | format-table state
Any idea on why it's not displaying the state GUID value instead?
I understand this is long overdue and you have probably dealt with it long time ago, but for the sake of anyone who would run into it in the future, let me explain why and how.
The reason why State returns the Sitecore.Data.Items.ItemState text is that the Sitecore items contains a property named State on the Item object.
Sitecore PowerShell Extensions attaches additional dynamic properties on to the object that expose your item fields. Those however cannot collide with the existing item properties which would be the case here. To avoid the collision SPE will detect it and prepend the dynamic property with an underscore. In your case the one liner that would give you the expected results would be:
gci -recurse | format-table _state
or if you wanted to display the property as State still rather than _state you could use the following syntax:
gci master:\content | format-table #{Name="State"; Expression={$_._state } }
Hope this still helps someone.

Powershell -get-eventdata

I am trying to create a script that pulls failed log on attempts for certain events in the past 24 hours but I cant figure out how to pull the account information out. User is Null all the time so info is blank BUT when I look in the general tab I can see "Account Information".
I would like to pull and add what it shows in the XML view under "event data" which is TargetUserName. How can I get this done? What I have so far works fine but I need the username info and what my script pulls is always blank.
System - windows server 2008 R2
Log I am pulling from is security log with event ID's 4625,4768,4771,4772 for the past 24 hours.
My code:
get-eventlog Security 4625,4768,4771,4772 -after ((get-date).addDays(-1))| export-csv
I think you'll have to change this around because each event has different messages, but if I try to fail a login, I can get the username from event 4776 like this:
# Get the most recent event 4776
$event = Get-EventLog -LogName Security -InstanceId 4776 -newest 1
# Pull the "Logon Account: testuser" text from the event log message
$usernameMatch = $event.Message -match 'Logon Account:\s+(?<account>.*)'
# Use the magic variable $matches which gets created by -match
if ($usernameMatch) {
write-output "Someone tried to logon as the user $matches['account']"
Otherwise, I think you can get the XML message using this:
$event = Get-WinEvent -FilterHashtable #{id=4776} -LogName Security -maxevent 1
#Peter-core appears to know how to accomplish this without needing to parse and search the message body and without converting to XML.
Use the following to find that the extended fields (part of template?) for each event:
(Get-WinEvent -ListProvider Microsoft-Windows-Security-Auditing).Events|Where-object{#(4625,4768,4771,4772) -contains $_.Id}
Use get-winevent to get the events, you can use xpath to filter data more quick (only return events you are interested in to start with), or you can filter them after they return using where-object. Xpath is better option for larger number of devices, eventlogs, or events, but I hate trying to write one.
Get-WinEvent -log Security|Where-object{$_.TimeCreated -gt ((get-date).addDays(-1)) -and #(4625,4768,4771,4772) -contains $_.Id}
From there you can try and implemnt what #Peter-Core wrote. I can't make it work for myself, but the coding looks sound.

Using WMI to get printer logs

I'm trying to use WMI to get printer system logs from several servers. A week ago I made the following code which for some reason only works sometimes:
wmic /node:<servername> NTEvent WHERE "logfile='System' AND SourceName='Print' AND TimeGenerated > '20130219'" get EventCode,TimeGenerated,Message
This line of code sometimes will work, but the majority of the time I'm getting the following error whenever I've tried running it to get logs:
Code = 0x80020009
Description = Exception occurred.
Facility = Dispatch
I was wondering if anyone may know why this is occurring and if there would be a better method to rewrite my code. I've considered using the get-wmiobject cmdlet, however I'm not sure how to filter and get the same logs that I'm trying to get.
There are two ways to do this. Neither uses Get-WMIObject.
Option 1: Get the whole event log, then filter.
Get-EventLog -LogName System -Source Print|where-object{$_.timeGenerated -gt (get-date "2013-02-19")}|select-object eventid, timegenerated,message | Export-csv -path r:\log.csv -notypeinfo;
Option 2: Filter at the source
Get-WinEvent -FilterHashtable #{logname='system';source='print';StartTime=(get-date "2013-02-19").date;}|select-object id,timecreated,message;
Best practice is to filter as close to the source of the data as possible (Filter Left, Format Right), which would be option 2 in this case.