Hi
This is not true - "the specific event is logged 100 times then 100 alerts will appear in SCOM". You should look to use suppression to prevent this. In fact, there are times, though, when you would want this.
My guideline for whether to use a rule or monitor is:
1. Does the "issue" affect health? If yes, then try to use a monitor (though see item 3 below). If it does not affect health, then a rule. E.g. you might be using SCOM to monitor users being added to Domain Admins. Do you want your Domain Controllers going red if a user gets added to Domain Admins? Probably not. You just want the alert. Another example - if a single backup fails, do you want your backup application going unhealthy? Again, probably not. You want an alert to investigate the failure but it doesn't mean the system is down or unhealthy.
2. Do you need to know each time something happens? If so, a rule. E.g. if you want to know each time someone gets added to Domain Admins then a monitor will not do this. It will alert you on the first one and that is it until you reset health. In fact, I would not even use suppression on the rule here. You would (probably) want to know each and every time someone got added to Domain Admins.
3. Is there a healthy as well as an unhealthy "event"? Monitors need something that not only shows that something is unhealthy but also that it is healthy again. You can use timed and reset monitors but neither are a great solution.
There is no single correct answer to this and everyone will have a slightly different response to each question. Experience and personal preference will decide which approach you take.
Regards
Graham