The ULTIMATE Software Installation/Removal Alert system
As I won't be able to edit this post, I'll start in the following.
Comments
-
This solution can be improved, so let's make it perfect before submitting it to the script library.
Issue: Atera’s software installation/removal threshold item is unusable as it sends all event ID 1033-11707/1034-11724 which are 90% unrelated to installs and removals.
Solution: Create custom threshold items attached to a PS script that has the following benefits:
- The solution has a script for both software installations and removals
- Email alerts are generated only when software is install or removed, no more false event IDs
- The emails are sent from a system context, and therefore will work without a user being logged in capturing all installs that generate these event IDs
- The script uses the SendinBlue API and sends the email directly from the computer using SSL - all that is required is a free SendInBlue account (all free) > create API – just add SPF records for your domain
- Filter - The alerts are generated and captured via the Atera agent and recorded in the alerts section and then emailed directly from the client, however, the script has a filter to avoid the products you don’t want email alerts from e.g. no email alerts from *chrome*, *zoom*, *Microsoft .net*, etc
- Customizable from/to email and subject
- The email displays the last 10 or X install events to provide context and to capture software installed in rapid succession
- The email is formatted nicely and includes: Computer name, logged in user, date and time, event ID and product name - events that occurred on the day that the email is sent are underlined
Let's start with the installation alerts - yes it uses the logs so it won't be perfect, but has very much helped with overall visibility on new software added.- Create a sendinblue or Brevo account - free, and create an API Key (Setup DKIM, SPF, etc)
- Run this powershell script as SYSTEM - it will work if a user is logged in or not
SendinBlue API Configuration
$ApiKey = "INSERT YOUR KEY HERE"
$ApiUrl = "https://api.sendinblue.com/v3/smtp/email"
Email Configuration
$Subject = "Software INSTALLED on $env:COMPUTERNAME" # Message Subject
$From = "Atera_Software@EDITDOMAIN.com" # From whom we are sending an e-mail
$To = "support@EDITDOMAIN.com" # To whom we are sending
Create the email body
$Body = @'
Retrieves the last 10 occurrences of Event ID 1033 or Event ID 11707 from the Application log. $Events = Get-WinEvent -FilterHashtable @{LogName = "Application"; ID = 1033, 11707} |
Select-Object -First 10 |
Where-Object {
$.Message -like "product" -and
$.Message -notlike "Google Chrome" -and
$.Message -notlike "Microsoft .Net" -and
$.Message -notlike "ASP.NET" -and
$.Message -notlike "Zoom" -and
$.Message -notlike "Intune Management Extension" -and
$.Message -notlike "Windows Desktop Runtime" -and
$.Message -notlike "Bluebeam" -and
$.Message -notlike "AteraAgent"
} |
Select-Object TimeCreated, ID, Message
#allow filtering of common apps
Check if events are found on the current day
if ($Events -and $Events.TimeCreated.Date -contains (Get-Date).Date) {
$EventsHtml = $Events | ForEach-Object {
$eventTime = $.TimeCreated
$eventID = $.ID
$eventMessage = $.Message
$formattedEventTime = $eventTime.ToString("yyyy-MM-dd HH:mm:ss")
$username = $env:USERNAME
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$response = Invoke-RestMethod -Uri $ApiUrl -Method Post -Headers $headers -Body $payload Check the response from SendinBlue API if ($response.status -eq "success") {
Write-Host "Email sent successfully."
} else {
Write-Host "Error: $($response.message)"
}} else {
Write-Host "No Recent Software Changes on the current day."
}- Attach the script to a custom threshold item (below example of install events)
- Continue to adjust the filter section until all erroneous events are gone - Alerts will still show in Atera logs
Let's see what you guys can do with it. I'm more of an ideas man than a coder, but it gets the job done for my use case.
5 -
Love the initiative. Let's do this!
0 -
Hi,
thank you for your effort.
Is it also possible to use this script without mail, just as information in Atera?0 -
Sorry, then I misunderstood.
Perfect, sorry for my stupid question.1
Topics
- All Topics
- 42 Getting started
- 26 Read before posting
- 8 Meet and greet
- 257 General
- 71 News and announcements
- 2 Swag
- 1 Roadmap updates
- 83 Resources
- 12 Knowledge Base
- 17 Webinars
- 1 Shared Script Library
- 2 Blog
- 21 Pro Tips
- 28 Got an idea?
- 3 Atera Academy
- 2 ActionAI
- 1 Copilot
- 142 Remote Monitoring and Management
- 85 Remote Monitoring
- 28 Patch Management
- 107 Professional Services Automation
- 65 Helpdesk
- 17 Billing
- 22 Reporting
- 41 Integrations & add-ons
- 22 Integrations
- 11 Add-ons
- 108 Scripting and automations
- 62 Scripts
- 32 Automations