A few years back I wanted to create such a script to lock the user (similar functionality can be used to alert) following the EMS message triggered in ONTAP by vSCAN which looks like that (and as you can see, include the user SID) :
Nblade.vscanVirusDetected: Possible virus detected. Vserver: XXXXX, vscan server IP: 10.1.x.x, file path: \XXXX_POC_01\tst01\New folder\New folder\ddd.txt, client IP: 10.1.X.X, SID: S-1-5-X-XXX-XXXX-XXX-XXXXX, vscan engine status: 222200001, vscan engine result string: "An object of type 'EICAR-Test-File' has been detected". This message occurs when a vscan server reports an error to the storage system. Normally this indicates that a virus has been found by the vscan server; however, other error conditions on the vscan server can result in this event. Client access to the file is denied. The vscan server might, depending on its settings and configuration, clean the file, quarantine it, or delete it.
The idea was to subscribe OCUM (today AIUM) to that event and from that trigger a PowerShell script to lock the user based on the following PS OCUM parameter consumption script:
The problem I had at the time - is that the semicolon char in that specific VSCAN message prevented OCUM from triggering the script. For that I opened a NetApp ticket which raised the following bug https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1137572 , but as we didn't continue with the vSCAN POC I never actually got into testing it, but I assume that if it has actually been resolved, it now can be done..