Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks.
This is a management pack I wrote for the SCOM security MP. If you have Windows Event Collector's setup in your network, this will discover them and populate a class for you to monitor them. It is worth noting that it discovers the running service. That service is disabled by default, so I'm assuming if it is enabled that you are using it. It does not submit blank discovery data if the service were to be stopped. The main reason for that is that whether by accident or intentionally, someone could stop that service and you would lose visibility into it. There are no health monitors targeted to it in this MP (that will be in the security MP).
I would note that any monitor or rule targeted towards this class will likely need to see some manual XML editing. I have details of the specific issue at this blog article.
There isn’t much to the discovery, it’s a PowerShell script set to run once a day that looks at the wecsvc service and verifies if it is started. If started, it will populate the class.