The ULTIMATE Software Installation/Removal Alert system

DP

As I won't be able to edit this post, I'll start in the following.

DP

This solution can be improved, so let's make it perfect before submitting it to the script library.

Issue: Atera’s software installation/removal threshold item is unusable as it sends all event ID 1033-11707/1034-11724 which are 90% unrelated to installs and removals.

Solution: Create custom threshold items attached to a PS script that has the following benefits:

1. The solution has a script for both software installations and removals
2. Email alerts are generated only when software is install or removed, no more false event IDs
3. The emails are sent from a system context, and therefore will work without a user being logged in capturing all installs that generate these event IDs
4. The script uses the SendinBlue API and sends the email directly from the computer using SSL - all that is required is a free SendInBlue account (all free) > create API – just add SPF records for your domain
5. Filter - The alerts are generated and captured via the Atera agent and recorded in the alerts section and then emailed directly from the client, however, the script has a filter to avoid the products you don’t want email alerts from e.g. no email alerts from *chrome*, *zoom*, *Microsoft .net*, etc
6. Customizable from/to email and subject
7. The email displays the last 10 or X install events to provide context and to capture software installed in rapid succession
8. The email is formatted nicely and includes: Computer name, logged in user, date and time, event ID and product name - events that occurred on the day that the email is sent are underlined

Let's start with the installation alerts - yes it uses the logs so it won't be perfect, but has very much helped with overall visibility on new software added.

• Create a sendinblue or Brevo account - free, and create an API Key (Setup DKIM, SPF, etc)
• Run this powershell script as SYSTEM - it will work if a user is logged in or not

SendinBlue API Configuration

$ApiKey = "INSERT YOUR KEY HERE"

$ApiUrl = "https://api.sendinblue.com/v3/smtp/email"

Email Configuration

$Subject = "Software INSTALLED on $env:COMPUTERNAME" # Message Subject

$From = "[email protected]" # From whom we are sending an e-mail

$To = "[email protected]" # To whom we are sending

Create the email body

$Body = @'

Retrieves the last 10 occurrences of Event ID 1033 or Event ID 11707 from the Application log.
$Events = Get-WinEvent -FilterHashtable @{LogName = "Application"; ID = 1033, 11707} |

Select-Object -First 10 |

Where-Object {

$.Message -like "product" -and

$.Message -notlike "Google Chrome" -and

$.Message -notlike "Microsoft .Net" -and

$.Message -notlike "ASP.NET" -and

$.Message -notlike "Zoom" -and

$.Message -notlike "Intune Management Extension" -and

$.Message -notlike "Windows Desktop Runtime" -and

$.Message -notlike "Bluebeam" -and

$.Message -notlike "AteraAgent"

} |

Select-Object TimeCreated, ID, Message

#allow filtering of common apps

Check if events are found on the current day

if ($Events -and $Events.TimeCreated.Date -contains (Get-Date).Date) {

$EventsHtml = $Events | ForEach-Object {

$eventTime = $.TimeCreated

$eventID = $.ID

$eventMessage = $.Message

$formattedEventTime = $eventTime.ToString("yyyy-MM-dd HH:mm:ss")

$username = $env:USERNAME

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$response = Invoke-RestMethod -Uri $ApiUrl -Method Post -Headers $headers -Body $payload
Check the response from SendinBlue API
if ($response.status -eq "success") {

Write-Host "Email sent successfully."

} else {

Write-Host "Error: $($response.message)"

}} else {

Write-Host "No Recent Software Changes on the current day."

}

• Attach the script to a custom threshold item (below example of install events)

• Continue to adjust the filter section until all erroneous events are gone - Alerts will still show in Atera logs

Let's see what you guys can do with it. I'm more of an ideas man than a coder, but it gets the job done for my use case.

@nathan @dyoder @kim @tanderson

nina

Love the initiative. Let's do this!

slinke

Hi,
thank you for your effort.
Is it also possible to use this script without mail, just as information in Atera?

DP

@slinke

If you don't want email alerts, then don't apply the script, just use the custom threshold item.

slinke

Sorry, then I misunderstood.
Perfect, sorry for my stupid question.