Datto RMM Components by CyberDrain – Usage Document
Build 11
www.datto.com
www.cyberdrain.com
INTRODUCTION
All of these sets have been created for Datto RMM. These sets have been tested on:
• Server 2012
• Server 2012R2
• Server 2016
• Server 2019
• Windows 8.1
• Windows 10.
The scripts may also work on versions not listed above, but those are not supported. Some scripts
require further setup; see the blog link on the component information tab for details on that
setup.
UNDOCUMENTED SCRIPTS
The documentation only covers monitoring components and their remediation. In addition to the monitoring
components, Cyberdrain.com has also supplied several ease-of-use scripting components. These are listed
here but not documented.
Automatically restore Hyper-V replication
    Automatically restores Hyper-V replication. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-2-hyper-v-replication-and-remediation/ Required OS: Server 2012R2 or higher.
(name not given in this document)
    Runs a backup on event logs; can be used in conjunction with the Event logs size monitor. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-2-hyper-v-replication-and-remediation/ Required OS: Server 2012R2 or higher.
Deploy StorCLI64.exe
    Deploys StorCLI64 for MegaRAID controllers to the location given. To be used in conjunction with the StorCLI-based MegaRAID monitoring set. Related blog: https://www.cyberdrain.com/blog-series-monitoring-using-powershell-part-one-using-powershell-to-monitor-megaraid …
Enable Active Directory Recycle Bin
    Enables the Active Directory Recycle Bin. Can be used as automated recovery in conjunction with the Active Directory Recycle Bin monitoring script.
Execute Dell Command Updates
    Executes DCU to update all drivers on a system. Suspends BitLocker for one reboot. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-dell-device-updates/ Required OS: Server 2012R2 or higher.
Hyper-V: Create Snapshot/Checkpoint
    Creates a Hyper-V snapshot/checkpoint of the VM name entered. Wildcards are allowed; if multiple VMs match, a snapshot is created for each VM.
Install Office Click2Run Updates
    Installs updates for Office C2R. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office-c2r-updates/ Required OS: Windows 10 and up.
Monitor Active Directory Recycle Bin
    Monitors whether the Active Directory Recycle Bin is enabled. If it is not enabled you can run the automatic restoration component. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-3-hyper-v-state/ Required OS: Windows 8.1+
Reboot Device - Suspend BitLocker
    Reboots the device forcibly with a variable timeout and suspends BitLocker. Required OS: Windows 8.1+
Shrink VHD(x) of Hyper-V Virtual Machine
    Automatically shuts down the virtual machine, runs Optimize-VHD to shrink the disk and restarts the VM when done. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-2-hyper-v-replication-and-remediation/ Required OS: Server 2012R2+
Write Disk type to UDF
    Writes the type of disk (SSD or HDD), including the bus type of the drive, to a UDF. Required PowerShell: 4.0+
MONITOR DOCUMENTATION
COMPONENT NAME:
Monitor Cluster Shared Volumes free space
WHY USE THIS MONITORING SET:
If you would like to monitor the free space on cluster shared volumes.
CSV (Cluster Shared Volumes) is a feature in Windows Server in which shared disks are concurrently accessible
to all nodes within a failover cluster. The feature was first introduced in Windows Server 2008 R2 as a way to
simplify storage with clustered Hyper-V virtual machines (VMs).
HOW DOES IT WORK:
The component executes a PowerShell command that returns the path of each cluster shared volume together
with the percentage of space still free. When importing this monitoring component you can set the
Percentage variable to the threshold you prefer.
To alert when 10% of the cluster shared volume is left, enter 10 only, without the percentage (%)
symbol.
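The check described above, written out as a complete script. This is an added example, not the CyberDrain component itself: it assumes the FailoverClusters module, a component variable named Percentage, and the <-Start Result-> / <-End Result-> output markers with exit code 1 to alert, which is the output convention Datto RMM custom monitors use.

```powershell
# Added example for the CSV free-space check; not the CyberDrain component itself.
# Assumptions: the FailoverClusters module is present, the threshold arrives as the
# Datto RMM component variable $env:Percentage, and the result/diagnostic markers
# below are the Datto RMM custom-monitor output convention (exit code 1 = alert).
Import-Module FailoverClusters

$Threshold = if ($env:Percentage) { [int]$env:Percentage } else { 10 }

function Get-CsvFreeSpace {
    # One object per CSV partition. The percentage is recomputed from raw bytes so the
    # comparison does not depend on the rounded PercentFree the cluster reports.
    foreach ($csv in Get-ClusterSharedVolume) {
        foreach ($info in $csv.SharedVolumeInfo) {
            $size = [double]$info.Partition.Size
            $free = [double]$info.Partition.FreeSpace
            $pct  = if ($size -gt 0) { [math]::Round(100 * $free / $size, 2) } else { 0 }
            [pscustomobject]@{
                Name        = $csv.Name
                Path        = $info.FriendlyVolumeName
                SizeGB      = [math]::Round($size / 1GB, 1)
                FreeGB      = [math]::Round($free / 1GB, 1)
                PercentFree = $pct
            }
        }
    }
}

$volumes = @(Get-CsvFreeSpace)
$low     = @($volumes | Where-Object { $_.PercentFree -lt $Threshold })

Write-Host '<-Start Diagnostic->'
$volumes | Format-Table -AutoSize | Out-String | Write-Host
Write-Host '<-End Diagnostic->'

Write-Host '<-Start Result->'
if ($volumes.Count -eq 0) {
    # The set requires at least one CSV; finding none is itself worth an alert.
    Write-Host 'Alert=No Cluster Shared Volumes found on this node'
    Write-Host '<-End Result->'
    exit 1
}
if ($low.Count -gt 0) {
    $summary = ($low | ForEach-Object { "$($_.Path) $($_.PercentFree)% free" }) -join '; '
    Write-Host "Alert=CSV below ${Threshold}% free: $summary"
    Write-Host '<-End Result->'
    exit 1
}
Write-Host "Healthy=All CSVs have at least ${Threshold}% free"
Write-Host '<-End Result->'
exit 0
```

Because CSV free space is a cluster-wide value, every node that runs this set raises the same alert; target it at one node per cluster if you do not want duplicate tickets.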
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• At least one active Cluster Shared Volume.
COMPONENT NAME:
Monitor Cluster Shared Volumes Status
WHY USE THIS MONITORING SET:
If you would like to monitor the status of a cluster shared volume
CSV (Cluster Shared Volumes) is a feature in Windows Server in which shared disks are concurrently accessible
to all nodes within a failover cluster. The feature was first introduced in Windows Server 2008 R2 as a way to
simplify storage with clustered Hyper-V virtual machines (VMs).
HOW DOES IT WORK:
The component executes a PowerShell command that returns all cluster shared volumes, where the status is
NOT online. This means when a Cluster Shared Volume has a disconnect or warning state on one of the hosts,
only that host will generate an alert.
When the Cluster Shared Volume moves into a completely failed state, it will generate an alert on all hosts
when this component is applied.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• At least one active Cluster Shared Volume.
COMPONENT NAME:
Monitor Dell OpenManage Chassis
WHY USE THIS MONITORING SET:
If you would like to monitor the Dell OpenManage Server Administrator hardware state of a Dell Server.
OpenManage Server Administrator allows system administrators to manage individual servers in two ways:
from an integrated, web-browser-based graphical-user-interface (GUI) and from a command-line interface
(CLI) through the operating system. Server Administrator is designed for system administrators to manage
systems locally and remotely on a network.
HOW DOES IT WORK:
The component executes the command “omreport chassis”, which gives a complete overview of the current
chassis state of a Dell server. If everything is OK the script returns “Healthy”. If not, it returns the
current state as diagnostic data.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Physical Dell Server.
• Dell OpenManage Server Administrator installed.
COMPONENT NAME:
Monitor Dell OpenManage RAID Status
WHY USE THIS MONITORING SET:
If you would like to monitor the Dell OpenManage Server Administrator RAID status of a server.
OpenManage Server Administrator allows system administrators to manage individual servers in two ways:
from an integrated, web-browser-based graphical-user-interface (GUI) and from a command-line interface
(CLI) through the operating system. Server Administrator is designed for system administrators to manage
systems locally and remotely on a network.
HOW DOES IT WORK:
The component executes the command “omreport vdisk status”, which gives a complete overview of the current
RAID status. If everything is OK the script returns “Healthy”. If not, it returns the current state as
diagnostic data, explicitly stating which RAID array is in an unhealthy state.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Physical Dell Server.
• Dell OpenManage Server Administrator installed.
COMPONENT NAME:
Monitor Dell Physical Disk Status
WHY USE THIS MONITORING SET:
If you would like to monitor the Dell OpenManage Server Administrator Physical Disk state of a Dell Server.
OpenManage Server Administrator allows system administrators to manage individual servers in two ways:
from an integrated, web-browser-based graphical-user-interface (GUI) and from a command-line interface
(CLI) through the operating system. Server Administrator is designed for system administrators to manage
systems locally and remotely on a network.
HOW DOES IT WORK:
The component executes the command “omreport storage pdisk”, which lists the physical disks attached to
the system, and processes that list into a readable format.
When a disk does not have the status Online or the state OK, the component reports a disk failure. All
information related to the disks is in the diagnostic data.
If you are using unsupported (non-Dell certified) disks and do not want to alert on these, follow this procedure:
• Upgrade Dell OpenManage Server Administrator to 8.5.0 or above. If it is already at that level, go to the
next step.
• Open the stsvc.ini file located in either C:\Program Files\Dell\SysMgt\sm or C:\Program Files
(x86)\Dell\SysMgt\sm, depending on whether the 64-bit or 32-bit version is installed.
• Find the following text:
    ;nonDellCertified flag for blocking all non-dell certified alerts.
    NonDellCertifiedFlag=yes
• Change it to the following and save the file:
    ;nonDellCertified flag for blocking all non-dell certified alerts.
    NonDellCertifiedFlag=no
• If the line is not in the file (normally the case after an upgrade from an older version to 8.5.0), add it
in the following place and save the file. It is very important that it is added after the [general] line,
or the setting will not be honoured:
    ;General Settings
    [general]
    ;Amount, in seconds, to sleep between each attempt to poll the PV20x, PV21x, and PV22x enclosure(s).
    EnclosurePollingInterval=30
    ;nonDellCertified flag for blocking all non-dell certified alerts.
    NonDellCertifiedFlag=no
• Once you have modified the INI file, restart the DSM SA Data Manager service in services.msc. Dell OMSA
should now report the disk state as OK.
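The procedure above, automated as one script so it can be pushed as a remediation component. This is an added example, not a CyberDrain or Dell script: the paths and INI layout come from the procedure, the service is located by the display name the procedure gives, and a backup copy of the file is taken before editing.

```powershell
# Added example (not the CyberDrain component): applies the stsvc.ini change described
# above and restarts the DSM SA Data Manager service. Paths and the INI layout are taken
# from the procedure; the service is found by display name so its short name is not assumed.
$candidates = @(
    'C:\Program Files\Dell\SysMgt\sm\stsvc.ini',
    'C:\Program Files (x86)\Dell\SysMgt\sm\stsvc.ini'
)
$iniPath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $iniPath) { throw 'stsvc.ini not found; is OpenManage Server Administrator installed?' }

Copy-Item -Path $iniPath -Destination "$iniPath.bak" -Force      # keep a copy before editing
$lines = [System.Collections.Generic.List[string]](Get-Content -Path $iniPath)

$flagIndex    = $lines.FindIndex({ param($l) $l -match '^\s*NonDellCertifiedFlag\s*=' })
$generalIndex = $lines.FindIndex({ param($l) $l -match '^\s*\[general\]\s*$' })

if ($flagIndex -ge 0) {
    # Flag present (8.5.0+ default is "yes"): flip it to "no" in place.
    $lines[$flagIndex] = 'NonDellCertifiedFlag=no'
} elseif ($generalIndex -ge 0) {
    # Flag absent (typical after an in-place upgrade): it must live under [general], so
    # insert it directly after that header. The second Insert at the same index pushes
    # the first line down, giving comment-then-flag order.
    $lines.Insert($generalIndex + 1, 'NonDellCertifiedFlag=no')
    $lines.Insert($generalIndex + 1, ';nonDellCertified flag for blocking all non-dell certified alerts.')
} else {
    throw "No [general] section in $iniPath; refusing to guess where the flag belongs."
}

Set-Content -Path $iniPath -Value $lines.ToArray() -Encoding ASCII

# The setting is only read when the service starts.
$svc = Get-Service -DisplayName 'DSM SA Data Manager' -ErrorAction Stop
Restart-Service -InputObject $svc -Force
Write-Host "NonDellCertifiedFlag=no written to $iniPath and '$($svc.DisplayName)' restarted."
```

Run it elevated; the script refuses to add the flag if it cannot find the [general] header, rather than writing it somewhere OMSA will ignore.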
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Physical Dell Server.
• Dell OpenManage Server Administrator installed
COMPONENT NAME:
Monitor DHCP Bad Lease Status
WHY USE THIS MONITORING SET:
If you would like to monitor bad DHCP leases in a network.
Bad DHCP leases (BAD_ADDRESS entries) are usually caused by devices configured with a static IP address
inside the DHCP pool: the server finds the address already in use and marks it bad. This causes address
conflicts and other network issues that impact performance.
HOW DOES IT WORK:
The component executes the PowerShell command “Get-DhcpServerv4Scope | Get-DhcpServerv4Lease”, which lists
every lease in every scope on the server.
Any lease whose address state does not match “Active” generates an alert. Because this is a substring match,
reservations (reported as ActiveReservation or InactiveReservation) do not generate alerts.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Microsoft DHCP server installed.
COMPONENT NAME:
Monitor DHCP Lease Count
WHY USE THIS MONITORING SET:
If you would like to monitor the DHCP lease count in a network.
When a scope is small and serves many devices, monitor the scope so you know before it runs out of
addresses. This monitor also helps detect a DHCP broadcast storm, since the scope fills rapidly in that case.
HOW DOES IT WORK:
The component executes the PowerShell command “Get-DhcpServerv4ScopeStatistics”, which gives an overview of
the address usage of every scope on the server.
Any scope with fewer free addresses than the number you defined is included in the alert text.
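One script that performs both DHCP checks above (bad leases and scope capacity) with the cmdlets the text names. This is an added example, not the CyberDrain code; it assumes the DhcpServer module is installed and that the free-address threshold arrives as a component variable named MinimumFree.

```powershell
# Added example covering both DHCP components above; not the CyberDrain code. Assumes the
# DhcpServer module (DHCP role or RSAT) and that the minimum free-address count arrives as
# the component variable $env:MinimumFree (name assumed).
Import-Module DhcpServer
$MinimumFree = if ($env:MinimumFree) { [int]$env:MinimumFree } else { 10 }

function Get-DhcpBadLease {
    # Anything whose AddressState does not contain "Active". Reservations report
    # ActiveReservation/InactiveReservation and are skipped; note that a plain "Inactive"
    # lease also contains the substring and is skipped too. BAD_ADDRESS entries show up
    # here with AddressState "Declined".
    Get-DhcpServerv4Scope | Get-DhcpServerv4Lease |
        Where-Object { $_.AddressState -notmatch 'Active' } |
        Select-Object ScopeId, IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime
}

function Get-DhcpScopeNearFull {
    param([int]$MinFree)
    # One row per scope; Free/InUse/PercentageInUse come from the server's own statistics.
    Get-DhcpServerv4ScopeStatistics |
        Where-Object { $_.Free -lt $MinFree } |
        Select-Object ScopeId, Free, InUse, PercentageInUse
}

$bad  = @(Get-DhcpBadLease)
$full = @(Get-DhcpScopeNearFull -MinFree $MinimumFree)

if ($bad.Count -eq 0 -and $full.Count -eq 0) {
    Write-Host "Healthy: no bad leases and every scope has at least $MinimumFree free addresses"
    exit 0
}
if ($bad.Count -gt 0) {
    Write-Host "Bad leases ($($bad.Count)):"
    $bad | Format-Table -AutoSize | Out-String | Write-Host
}
if ($full.Count -gt 0) {
    Write-Host "Scopes with fewer than $MinimumFree free addresses:"
    $full | Format-Table -AutoSize | Out-String | Write-Host
}
exit 1
```

A Declined lease whose ClientId is a real device MAC is the usual static-IP-in-pool case; a burst of Declined entries across a scope is the broadcast-storm symptom the lease-count text describes.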
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Microsoft DHCP server installed.
COMPONENT NAME:
Monitor Forbidden Users
WHY USE THIS MONITORING SET:
If you would like to monitor which users are logged in, and alert on users that should not be logged in.
Monitoring logons is a standard security practice. Built-in accounts such as “Administrator” should never
be used to log into servers directly; a named account with equivalent rights should be used instead. You
can also use this set to alert on (former) employees who are still logged into servers directly and forgot
to log out.
HOW DOES IT WORK:
The component executes a PowerShell command that returns the accounts behind all logon sessions on the
machine. This means the set also alerts on any service that runs under the monitored account.
You can enter any account name to monitor, without the domain name, but you cannot use wildcards.
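The session enumeration described above, as an added example rather than the CyberDrain code. It assumes the forbidden names arrive as a comma-separated component variable named ForbiddenUsers; matching is exact (case-insensitive), without domain and without wildcards, as the text describes.

```powershell
# Added example, not the CyberDrain component. Assumes the forbidden names arrive as a
# comma-separated component variable $env:ForbiddenUsers (name assumed), e.g.
# "Administrator,jdoe". Names are compared exactly and case-insensitively, without the
# domain part and without wildcards.
$forbidden = @(($env:ForbiddenUsers -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($forbidden.Count -eq 0) { $forbidden = @('Administrator') }   # assumed default for the example

function Get-LogonAccount {
    # Win32_LoggedOnUser links every logon session (interactive, RDP, network, service,
    # batch) to its account, which is why a service running as a forbidden account shows
    # up as well. LogonType follows the Windows constants: 2 interactive, 3 network,
    # 4 batch, 5 service, 10 remote interactive (RDP).
    $types = @{}
    Get-CimInstance -ClassName Win32_LogonSession | ForEach-Object { $types[$_.LogonId] = $_.LogonType }
    Get-CimInstance -ClassName Win32_LoggedOnUser | ForEach-Object {
        [pscustomobject]@{
            Domain    = $_.Antecedent.Domain
            User      = $_.Antecedent.Name
            LogonId   = $_.Dependent.LogonId
            LogonType = $types[$_.Dependent.LogonId]
        }
    } | Sort-Object Domain, User, LogonType -Unique
}

$hits = @(Get-LogonAccount | Where-Object { $forbidden -contains $_.User })

if ($hits.Count -gt 0) {
    Write-Host "Forbidden account(s) present on ${env:COMPUTERNAME}:"
    $hits | Format-Table -AutoSize | Out-String | Write-Host
    exit 1
}
Write-Host 'Healthy: no forbidden accounts logged on'
exit 0
```

The LogonType column tells you what to do with a hit: type 5 means the account is configured as a service credential on this host, types 2 and 10 mean someone is actually sitting in a session.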
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor Hyper-V Replication
WHY USE THIS MONITORING SET:
If you would like to monitor the Hyper-V replication state; an unmonitored replication that silently fails
makes the disaster recovery scenario fail when it is needed.
Hyper-V Replica is a disaster recovery feature included with Hyper-V since Windows Server 2012 (Hyper-V 3.0) that creates and maintains copies of virtual machines (VMs). In the event of a catastrophic loss, an administrator can fail over to the replica VMs and provide business continuity.
HOW DOES IT WORK:
The component executes a PowerShell command that returns information about the Hyper-V VMs that take part
in a replication relationship. If the replication health is anything but healthy (Normal), an alert is generated.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Hyper-V role installed
COMPONENT NAME:
Monitor Hyper-V Snapshot status
WHY USE THIS MONITORING SET:
If you would like to monitor the age of Hyper-V snapshots (checkpoints). Snapshots can be used to quickly
move back to a previous state, but running production servers on snapshots is not advised or supported by Microsoft.
HOW DOES IT WORK:
The component executes a PowerShell command that returns all VMs with a snapshot. The set only alerts
when a snapshot is older than the age you defined in days.
To alert on less than a day, enter a fraction such as 0.5 for 12 hours.
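Both Hyper-V checks above (replication health and snapshot age) in one script. This is an added example, not the CyberDrain code; it assumes the Hyper-V module and a component variable named MaxSnapshotAgeDays that accepts fractions, so 0.5 means 12 hours as the text describes.

```powershell
# Added example serving the replication and snapshot components above; not the CyberDrain
# code. Assumes the Hyper-V PowerShell module and a component variable
# $env:MaxSnapshotAgeDays (name assumed) that accepts fractions, e.g. 0.5 for 12 hours.
Import-Module Hyper-V
$MaxAgeDays = if ($env:MaxSnapshotAgeDays) { [double]$env:MaxSnapshotAgeDays } else { 1 }

function Get-UnhealthyReplication {
    # Health is Normal, Warning or Critical; anything but Normal alerts. State and the last
    # replication time are included so the alert says why (e.g. Suspended, or no cycle
    # for hours). Get-VMReplication only returns VMs that take part in replication.
    Get-VMReplication | Where-Object { $_.Health -ne 'Normal' } |
        Select-Object VMName, Mode, State, Health, LastReplicationTime, PrimaryServer, ReplicaServer
}

function Get-StaleSnapshot {
    param([double]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-VMSnapshot -VMName * | Where-Object { $_.CreationTime -lt $cutoff } |
        Select-Object VMName, Name, CreationTime,
            @{ n = 'AgeHours'; e = { [math]::Round(((Get-Date) - $_.CreationTime).TotalHours, 1) } }
}

$replica = @(Get-UnhealthyReplication)
$stale   = @(Get-StaleSnapshot -Days $MaxAgeDays)

if ($replica.Count -eq 0 -and $stale.Count -eq 0) {
    Write-Host "Healthy: replication normal, no snapshots older than $MaxAgeDays day(s)"
    exit 0
}
if ($replica.Count -gt 0) {
    Write-Host 'Replication not healthy:'
    $replica | Format-Table -AutoSize | Out-String | Write-Host
}
if ($stale.Count -gt 0) {
    Write-Host "Snapshots older than $MaxAgeDays day(s):"
    $stale | Format-Table -AutoSize | Out-String | Write-Host
}
exit 1
```

Backup products create and delete checkpoints as part of every job; if those linger they show up here, which is usually the first sign the backup job itself is hanging.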
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Hyper-v role installed.
COMPONENT NAME:
Monitor IIS SSL Certificates [WIN]
WHY USE THIS MONITORING SET:
If you would like to monitor the expiry date of the SSL/TLS certificates attached to IIS HTTPS bindings.
HOW DOES IT WORK:
The component executes a PowerShell command that returns only the IIS websites with an HTTPS binding and
the certificate bound to each. It alerts when a certificate expires within the number of days you set, and
also when a certificate has already expired.
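The binding walk described above, as an added example (not the CyberDrain code). It assumes the WebAdministration module and a component variable named WarnDays, and it also reports a binding whose thumbprint is not present in the certificate store, since IIS cannot serve TLS on such a binding at all.

```powershell
# Added example, not the CyberDrain component. Assumes the WebAdministration module (IIS
# management tools) and a component variable $env:WarnDays (name assumed) for the window.
Import-Module WebAdministration
$WarnDays = if ($env:WarnDays) { [int]$env:WarnDays } else { 30 }

function Get-IisHttpsBindingCertificate {
    # Walks every site's bindings, keeps the https ones and resolves the bound certificate
    # from the store the binding names (My or WebHosting). A binding whose thumbprint is
    # not in the store is reported with DaysLeft = $null.
    foreach ($site in Get-Website) {
        $bindings = $site.bindings.Collection | Where-Object { $_.protocol -eq 'https' }
        foreach ($binding in $bindings) {
            $hash  = $binding.certificateHash
            $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
            $cert  = $null
            if ($hash) { $cert = Get-Item -Path "Cert:\LocalMachine\$store\$hash" -ErrorAction SilentlyContinue }
            $subject  = if ($cert) { $cert.Subject } else { '(certificate not found in store)' }
            $notAfter = if ($cert) { $cert.NotAfter } else { $null }
            $daysLeft = if ($cert) { [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays) } else { $null }
            [pscustomobject]@{
                Site       = $site.Name
                Binding    = $binding.bindingInformation
                Thumbprint = $hash
                Subject    = $subject
                NotAfter   = $notAfter
                DaysLeft   = $daysLeft
            }
        }
    }
}

$all = @(Get-IisHttpsBindingCertificate)
# Missing certificate, already expired (DaysLeft < 0) and expiring soon all alert.
$bad = @($all | Where-Object { $null -eq $_.DaysLeft -or $_.DaysLeft -le $WarnDays })

if ($all.Count -eq 0) { Write-Host 'Healthy: no HTTPS bindings on this server'; exit 0 }
if ($bad.Count -eq 0) {
    Write-Host "Healthy: all $($all.Count) HTTPS binding(s) valid for more than $WarnDays days"
    exit 0
}
Write-Host "Certificate problems on $($bad.Count) HTTPS binding(s):"
$bad | Format-Table Site, Binding, Subject, NotAfter, DaysLeft -AutoSize | Out-String | Write-Host
exit 1
```

Bindings served from the IIS Central Certificate Store carry no thumbprint in the binding itself and would be reported as missing; extend the lookup if you use CCS.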
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• At least one active IIS binding/IIS installed.
COMPONENT NAME:
Monitor Network Location Awareness
WHY USE THIS MONITORING SET:
If you would like to monitor the current Network Location Awareness state of the workstation or server.
Windows computers have a service for detecting network connectivity known as Network Location
Awareness (NLA).
It controls how Windows categorizes a connection (public, private or domain profile), which in turn selects
the firewall profile that applies. NLA problems, for example a machine that comes up on the public profile
because the domain controller was not reachable yet, can result in incorrect DNS resolution, failing
multi-factor authentication requests and problems connecting to domain resources.
HOW DOES IT WORK:
The component executes a PowerShell command that returns the network profile of the currently active
network adapters. The script then checks whether the machine is domain-joined and, if so, whether the
profile is Domain Authenticated.
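The profile check described above, as an added example (not the CyberDrain code). It uses Get-NetConnectionProfile, available on Windows 8.1 / Server 2012 and later, and only evaluates adapters that are actually up.

```powershell
# Added example, not the CyberDrain component. Uses Get-NetConnectionProfile (Windows 8.1 /
# Server 2012 and later) and only alerts on domain-joined machines.
function Test-DomainNetworkProfile {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{ Healthy = $true; Reason = 'Not domain joined; domain profile not expected' }
    }
    # Disconnected adapters carry no meaningful profile, so only adapters that are Up count.
    $profiles = Get-NetConnectionProfile |
        Where-Object { (Get-NetAdapter -InterfaceIndex $_.InterfaceIndex).Status -eq 'Up' }
    $wrong = @($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })
    if ($wrong.Count -gt 0) {
        $detail = ($wrong | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join ', '
        return [pscustomobject]@{
            Healthy = $false
            Reason  = "Domain-joined but active adapter(s) not on the domain profile: $detail"
        }
    }
    [pscustomobject]@{ Healthy = $true; Reason = 'All active adapters use the domain profile' }
}

$result = Test-DomainNetworkProfile
Write-Host $result.Reason
if (-not $result.Healthy) { exit 1 }
exit 0
```

Apply this to servers and on-premises desktops only: a domain-joined laptop on a home network is legitimately on the Public or Private profile and would alert on every run.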
SYSTEM REQUIREMENTS:
• Server 2012 or higher
• Windows 8.1 or higher
COMPONENT NAME:
Monitor New Domain Users
WHY USE THIS MONITORING SET:
If you would like to monitor any users created in your domain environment. When a user is created in your
domain(s) you usually need to know that the user exists, document it and handle any licensing
requirements. Also, in most cases attackers who have penetrated your systems create user accounts for
persistent access as soon as they have a foothold. Monitoring account creation lets you catch this early
and limit the damage.
HOW DOES IT WORK:
The component executes a PowerShell command that returns all domain users created in the past day.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Active Directory Domain Services
COMPONENT NAME:
Monitor Privileged Group Changes
WHY USE THIS MONITORING SET:
If you would like to monitor users added to, or removed from, any protected or privileged group in your domain.
"Privileged" accounts and groups in Active Directory are those to which powerful rights, privileges, and
permissions are granted that allow them to perform nearly any action in Active Directory and on domain-
joined systems.
HOW DOES IT WORK:
The component executes a PowerShell command that returns the privileged groups and the membership changes
made to them. The set alerts both when users are added to these groups and when they are removed.
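One script covering both Active Directory checks above (new users and privileged group membership changes). This is an added example, not the CyberDrain code: it needs the ActiveDirectory module and rights to read replication metadata, uses the AdminSDHolder marker (adminCount=1) to find the protected groups, and takes its look-back window from a component variable named LookbackHours. The way it tells a removal from an addition (LastOriginatingDeleteTime on the linked value) is an assumption worth verifying in your own forest.

```powershell
# Added example covering the new-user and privileged-group components above; not the
# CyberDrain code. Requires the ActiveDirectory module and rights to read replication
# metadata. Look-back window comes from $env:LookbackHours (name assumed; default 24).
Import-Module ActiveDirectory
$LookbackHours = if ($env:LookbackHours) { [int]$env:LookbackHours } else { 24 }
$since  = (Get-Date).AddHours(-$LookbackHours)
$server = (Get-ADDomain).PDCEmulator   # one server so metadata and timestamps are consistent

function Get-RecentlyCreatedUser {
    param([datetime]$Since, [string]$Server)
    # LDAP generalized time (UTC) avoids any ambiguity in how the filter parses dates.
    $stamp = $Since.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    Get-ADUser -Server $Server -LDAPFilter "(&(objectCategory=person)(objectClass=user)(whenCreated>=$stamp))" `
        -Properties whenCreated, Description |
        Select-Object SamAccountName, Name, Enabled, whenCreated, Description
}

function Get-PrivilegedGroupMembershipChange {
    param([datetime]$Since, [string]$Server)
    # adminCount=1 marks the groups protected by AdminSDHolder (Domain Admins, Enterprise
    # Admins, Administrators, Account Operators, ...). Linked-value replication metadata of
    # the "member" attribute records when each value last changed; a removed member keeps a
    # tombstoned value with LastOriginatingDeleteTime set (assumption: verify in your forest).
    foreach ($group in Get-ADGroup -Server $Server -LDAPFilter '(adminCount=1)') {
        Get-ADReplicationAttributeMetadata -Server $Server -Object $group.DistinguishedName -ShowAllLinkedValues |
            Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingChangeTime -ge $Since } |
            ForEach-Object {
                $deleted = ($null -ne $_.LastOriginatingDeleteTime) -and ($_.LastOriginatingDeleteTime.Year -gt 1601)
                [pscustomobject]@{
                    Group   = $group.Name
                    Member  = $_.AttributeValue
                    Change  = $(if ($deleted) { 'Removed' } else { 'Added' })
                    When    = $_.LastOriginatingChangeTime
                    Version = $_.Version
                }
            }
    }
}

$users   = @(Get-RecentlyCreatedUser -Since $since -Server $server)
$changes = @(Get-PrivilegedGroupMembershipChange -Since $since -Server $server)

if ($users.Count -eq 0 -and $changes.Count -eq 0) {
    Write-Host "Healthy: no new users and no privileged group changes in the last $LookbackHours hours"
    exit 0
}
if ($users.Count -gt 0) {
    Write-Host 'New users:'
    $users | Format-Table -AutoSize | Out-String | Write-Host
}
if ($changes.Count -gt 0) {
    Write-Host 'Privileged group membership changes:'
    $changes | Format-Table -AutoSize | Out-String | Write-Host
}
exit 1
```

Replication metadata survives even when the security log has been cleared, which is why it is a better source than event 4728/4756 for this check; use the events (4720 for user creation) when you also need the identity of the account that made the change.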
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Active Directory Domain Services
COMPONENT NAME:
Monitor RDS Encryption Level
WHY USE THIS MONITORING SET:
If you would like to monitor the encryption level on your Remote Desktop Servers. The RDS encryption level
(Low, Client Compatible, High or FIPS Compliant) defines how strongly the RDP connection between client and
server is encrypted and whether an old client can negotiate a weaker level.
HOW DOES IT WORK:
The component executes a PowerShell command that returns all session collections with their encryption
level setting.
An alert is generated when the encryption level is not set to High.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• One Active RDS deployment
COMPONENT NAME:
Monitor RDS License Mode
WHY USE THIS MONITORING SET:
If you would like to monitor the licensing mode used by your Remote Desktop Servers. Monitoring this
prevents users being unable to log on because of licensing server problems.
HOW DOES IT WORK:
The component executes a PowerShell command that returns the licensing mode of the Remote Desktop
deployment.
If the mode is not the one selected in the alerting options, the server generates an alert. For example, if
“Per User” has been selected to monitor but the actual licensing mode is “NotConfigured”, the component
returns an error.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• One Active RDS deployment
COMPONENT NAME:
Monitor RDS Network Level Authentication
WHY USE THIS MONITORING SET:
If you would like to monitor the Network Level Authentication mode of your Remote Desktop Services
deployments.
Network Level Authentication (NLA) is a technology used in Remote Desktop Services (RDP server) and Remote
Desktop Connection (RDP client) that requires the connecting user to authenticate before a session is
established with the server.
Originally, when a user opened an RDP (remote desktop) session to a server, the server loaded its login
screen for the user. This used up resources on the server and was a potential avenue for denial-of-service
attacks as well as remote code execution attacks (see BlueKeep, CVE-2019-0708: with NLA enabled an attacker
needs valid credentials before reaching the vulnerable code). Network Level Authentication delegates the
user's credentials from the client through a client-side Security Support Provider and prompts the user to
authenticate before establishing a session on the server.
Network Level Authentication was introduced in RDP 6.0 and supported initially in Windows Vista. It uses the
Security Support Provider CredSSP, which is available through SSPI in Windows Vista. With Windows XP
Service Pack 3, CredSSP was introduced on that platform and the included RDP 6.1 client supports NLA;
however CredSSP must be enabled in the registry first.
HOW DOES IT WORK:
The component executes a PowerShell command that returns all session collections with their NLA setting.
An alert is generated when NLA is not enabled in the security settings of the session collection.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• One Active RDS deployment
COMPONENT NAME:
Monitor RDS Security Layer
WHY USE THIS MONITORING SET:
If you would like to monitor the Security Layer setting of your Remote Desktop Services deployments.
The RDS security layer determines how the connection is protected: “RDP” uses only the legacy RDP-level
encryption, “Negotiate” uses TLS when the client supports it, and “SSL” (TLS) requires a complete TLS
encrypted connection and rejects clients that cannot provide one.
HOW DOES IT WORK:
The component executes a PowerShell command that returns all session collections whose Security Layer
setting is anything other than “Negotiate” or “SSL”.
An alert is generated for every collection returned.
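The four RDS checks above (encryption level, licensing mode, NLA and security layer) read the same two configuration objects, so one script serves all of them. This is an added example, not the CyberDrain code: it uses the RemoteDesktop module, is meant to run on the connection broker, takes the expected licensing mode from a component variable named ExpectedLicenseMode, and accepts FipsCompliant alongside High because it is the stricter setting.

```powershell
# Added example covering the RDS encryption level, licensing mode, NLA and security layer
# components; not the CyberDrain code. Uses the RemoteDesktop module and is meant to run on
# the connection broker (add -ConnectionBroker <fqdn> to every RD cmdlet otherwise). The
# expected licensing mode arrives as $env:ExpectedLicenseMode (name assumed; PerUser or
# PerDevice). Every finding is returned as one line of text.
Import-Module RemoteDesktop
$ExpectedMode = if ($env:ExpectedLicenseMode) { $env:ExpectedLicenseMode } else { 'PerUser' }

function Get-RdsSecurityFinding {
    param([string]$ExpectedLicenseMode)

    $lic = Get-RDLicenseConfiguration
    if ("$($lic.Mode)" -ne $ExpectedLicenseMode) {
        "Licensing mode is $($lic.Mode), expected $ExpectedLicenseMode (licence servers: $($lic.LicenseServer -join ', '))"
    }

    foreach ($col in Get-RDSessionCollection) {
        $name = $col.CollectionName
        $sec  = Get-RDSessionCollectionConfiguration -CollectionName $name -Security

        # EncryptionLevel: Low, ClientCompatible, High, FipsCompliant. Below High an old
        # client can negotiate weak RDP-layer encryption.
        if ("$($sec.EncryptionLevel)" -notin 'High', 'FipsCompliant') {
            "${name}: EncryptionLevel is $($sec.EncryptionLevel), expected High"
        }
        # NLA: the client must authenticate (CredSSP) before any session or logon UI exists.
        if (-not $sec.AuthenticateUsingNLA) {
            "${name}: Network Level Authentication is disabled"
        }
        # SecurityLayer: RDP = legacy RDP security only; Negotiate = TLS if the client can;
        # SSL = TLS required. Only the last two are acceptable.
        if ("$($sec.SecurityLayer)" -notin 'Negotiate', 'SSL') {
            "${name}: SecurityLayer is $($sec.SecurityLayer), expected Negotiate or SSL"
        }
    }
}

$findings = @(Get-RdsSecurityFinding -ExpectedLicenseMode $ExpectedMode)
if ($findings.Count -eq 0) {
    Write-Host 'Healthy: licensing mode, encryption level, NLA and security layer as expected'
    exit 0
}
Write-Host "Alert: $($findings.Count) RDS security setting(s) out of policy"
$findings | ForEach-Object { Write-Host " - $_" }
exit 1
```

On a stand-alone host without a deployment (no broker), these cmdlets fail; there the equivalent values live under HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp as MinEncryptionLevel, UserAuthentication and SecurityLayer.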
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• One Active RDS deployment
COMPONENT NAME:
Monitor Scheduled Task Creation
WHY USE THIS MONITORING SET:
If you would like to monitor the creation of any task in the Task Scheduler. The Task Scheduler is used by both
malware and human attackers to keep access to a system (persistence) after their initial foothold is discovered.
As an example of how quickly it gets used: in 2018 malware developers started using a zero-day exploit for the Task Scheduler component in Windows two days after proof-of-concept code for the vulnerability appeared online.
A security researcher using the online name SandboxEscaper had released, on August 27 of that year, source code exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by the Windows Task Scheduler.
HOW DOES IT WORK:
The component executes a command that returns all tasks with a creation date of today. For each task found,
its definition is inspected to determine the command line the task will run.
An alert is generated when such a task is found, and it contains the name of the command that will run.
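The task inspection described above, as an added example (not the CyberDrain code). Get-ScheduledTask exposes the RegistrationInfo/Date element of the task XML as the string property Date and each action's Execute and Arguments, which is enough to report who registered what and which command it runs.

```powershell
# Added example, not the CyberDrain component. Lists every task registered since a cut-off
# (default: today) together with the principal it runs as and the command line it executes.
function Get-TaskCreatedSince {
    param([datetime]$Since = (Get-Date).Date)   # default: tasks created today
    foreach ($task in Get-ScheduledTask) {
        # Date is absent on many built-in tasks; skip those rather than treating them as new.
        if (-not $task.Date) { continue }
        $created = $null
        if (-not [datetime]::TryParse($task.Date, [ref]$created)) { continue }
        if ($created -lt $Since) { continue }
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute; the command then comes out empty.
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                RunAs    = $task.Principal.UserId
                RunLevel = $task.Principal.RunLevel
                Created  = $created
                Command  = ("$($action.Execute) $($action.Arguments)").Trim()
            }
        }
    }
}

$new = @(Get-TaskCreatedSince)
if ($new.Count -eq 0) { Write-Host 'Healthy: no tasks registered today'; exit 0 }

Write-Host "$($new.Count) task action(s) registered since $(Get-Date -Format d):"
$new | Format-Table TaskPath, TaskName, RunAs, RunLevel, Command -AutoSize | Out-String -Width 300 | Write-Host
exit 1
```

The Date element is written by the registering tool, so an attacker who registers a task from raw XML can omit or back-date it; pair this check with Security event 4698 (a scheduled task was created), which the attacker cannot influence the same way.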
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Windows 8.1 and higher.
COMPONENT NAME:
Monitor Hyper-V Integration Services State
WHY USE THIS MONITORING SET:
To monitor the status of the Hyper-V Integration Services. When virtual machines are moved between newer and older hosts, the Integration Services in the guest often no longer match the version the host expects. Keeping them current is strongly advised, because the Integration Services include not only guest services such as backup but also all the Hyper-V virtual machine drivers. Having the correct version installed makes sure each virtual machine performs as well as it can.
HOW DOES IT WORK:
The component queries the WMI namespace root\virtualization\v2 (class Msvm_VirtualSystemManagementService),
which holds the current information about all running virtual machines, including the update status of
each virtual machine's Integration Services.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher
COMPONENT NAME:
Monitor Office Click2Run Channel
WHY USE THIS MONITORING SET:
To monitor which update channel the Click-to-Run Office installation is on. You want to monitor this to make sure every client machine receives the intended type of updates: users or applications can sometimes switch an Office installation to the wrong channel, causing instability.
HOW DOES IT WORK:
The component reads the registry key "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration", which
holds all data about the currently installed Click-to-Run version of Office. If the key is not found, the
installed Office is most likely an MSI-based version, which does not support channel switching; in that
case the component alerts that no C2R installation was found.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher
• Windows 8.1 and higher
COMPONENT NAME:
Monitor Office Click2Run Version
WHY USE THIS MONITORING SET:
To monitor which version of Click-to-Run Office is currently installed. Windows Update does not update the Click-to-Run version of Office, so you must monitor this separately if you want to react to an out-of-date installation.
HOW DOES IT WORK:
The component reads the registry key "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration", which
holds all data about the currently installed Click-to-Run version of Office. If the key is not found, the
installed Office is most likely an MSI-based version and is updated through Windows Update.
If the installed version is lower than the minimum you set, the component alerts. If it is higher, it does not.
Version information for Office can be found at
https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date
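Both Click-to-Run checks above (channel and minimum version) read the same registry key, so one script serves both. This is an added example, not the CyberDrain code; the channel-GUID table is an assumption taken from the channel URLs Microsoft publishes and should be verified against current documentation, and the expected channel and minimum version arrive as component variables named ExpectedChannel and MinimumVersion.

```powershell
# Added example covering the channel and version components above; not the CyberDrain code.
# The registry key is the one the text names. The channel GUID table is an assumption
# (verify against current Microsoft docs); $env:ExpectedChannel and $env:MinimumVersion are
# assumed component variable names.
$key            = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$MinimumVersion = if ($env:MinimumVersion) { [version]$env:MinimumVersion } else { [version]'16.0.0.0' }

$ChannelByGuid = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current'                      # formerly Monthly
    '64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'CurrentPreview'               # formerly Monthly Targeted
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'MonthlyEnterprise'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'SemiAnnualEnterprise'         # formerly Broad
    'b8f9b850-328d-4355-9145-c59439a0c4ff' = 'SemiAnnualEnterprisePreview'  # formerly Targeted
}

function Get-OfficeC2RState {
    param([string]$Key, [hashtable]$Channels)
    if (-not (Test-Path -Path $Key)) {
        return [pscustomobject]@{ Installed = $false; Channel = $null; Version = $null
                                  Note = 'No Click-to-Run key: MSI-based Office or no Office installed' }
    }
    $cfg = Get-ItemProperty -Path $Key
    # UpdateChannel (or CDNBaseUrl on older builds) is a CDN URL that ends in the channel GUID.
    $url  = if ($cfg.UpdateChannel) { $cfg.UpdateChannel } else { $cfg.CDNBaseUrl }
    $guid = ($url -split '/')[-1].ToLower()
    $name = if ($Channels.ContainsKey($guid)) { $Channels[$guid] } else { "Unknown ($guid)" }
    [pscustomobject]@{
        Installed = $true
        Channel   = $name
        Version   = [version]$cfg.VersionToReport
        Note      = $url
    }
}

$state = Get-OfficeC2RState -Key $key -Channels $ChannelByGuid
if (-not $state.Installed) { Write-Host "Alert: $($state.Note)"; exit 1 }

$problems = @()
# Channel check is skipped when no expected channel is configured.
if ($env:ExpectedChannel -and $state.Channel -ne $env:ExpectedChannel) {
    $problems += "channel is $($state.Channel), expected $env:ExpectedChannel"
}
# [version] compares numerically, so 16.0.12527.20278 is correctly greater than
# 16.0.9999.0; a plain string comparison would get this wrong.
if ($state.Version -lt $MinimumVersion) {
    $problems += "version $($state.Version) is below minimum $MinimumVersion"
}

if ($problems.Count -eq 0) { Write-Host "Healthy: Office $($state.Version) on channel $($state.Channel)"; exit 0 }
Write-Host "Alert: $($problems -join '; ')"
exit 1
```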
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher
• Windows 8.1 and higher
COMPONENT NAME:
Monitor UPS Status
WHY USE THIS MONITORING SET:
To monitor USB-connected UPS devices and their current status.
HOW DOES IT WORK:
This component checks the WMI battery status and alerts when the status changes to “Running on battery”.
The complete diagnostic data also contains information about the battery state.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher
• Windows 8.1 and higher
COMPONENT NAME:
Monitor VSS Logs
WHY USE THIS MONITORING SET:
To monitor the event log for VSS error states. VSS can fail, causing backups to fail or generate warnings without the backup application raising an alert. Keeping VSS healthy is key to consistent backups.
HOW DOES IT WORK:
This component checks the event log for any VSS-related events in the last 2 hours. It triggers an alert
when a VSS error is found or a warning is generated.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher
• Windows 8.1 and higher
COMPONENT NAME:
Monitor Windows 10 Feature Release ID
WHY USE THIS MONITORING SET:
To monitor and control which Windows 10 feature release is installed on clients. Installing feature updates often requires some form of intervention, so it is good to know which clients are not on the latest feature release.
HOW DOES IT WORK:
This component reads the current ReleaseId from the registry and alerts if it is lower than the value given
when the component was created. Note that from Windows 10 version 20H2 onwards ReleaseId stays at 2009 and
the new value DisplayVersion (e.g. 20H2, 21H1) carries the release name, so a check on ReleaseId alone cannot
tell those releases apart.
SYSTEM REQUIREMENTS:
• Server 2016 and higher
• Windows 10 and higher
COMPONENT NAME:
Monitor Windows Search Database Size
WHY USE THIS MONITORING SET:
To monitor the current size of the Windows Search database. On both servers and clients the Windows Search database can grow very large because of a bug in the way the database is created, and a large database also causes performance issues.
This set can be applied to RDS servers as well; these often suffer from Windows Search issues because of the difficulty of handling a multi-user search database.
HOW DOES IT WORK:
This component reads the current location of the Windows Search database from the registry and then checks
the size of that file against the threshold given when the component was created.
SYSTEM REQUIREMENTS:
• Server 2016 and higher
• Windows 10 and higher
COMPONENT NAME:
Monitor SolarWinds MSP Backup
WHY USE THIS MONITORING SET:
To monitor the last backups created by SolarWinds MSP backup.
HOW DOES IT WORK:
This component checks the logs folder of the SolarWinds MSP backup solution and grabs the latest log of the
day. If no log for this day can be found, it will alert.
If the log for this day contains “[e]” for error or if the backup window has been missed the component will
generate an alert.
SYSTEM REQUIREMENTS:
• Server 2016 and higher
• Windows 10 and higher
COMPONENT NAME:
Monitor iSCSI Connection Status
WHY USE THIS MONITORING SET:
To monitor the status of the currently configured iSCSI connections to the server.
The iSCSI protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets)
on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage
into storage arrays while providing clients (such as database and web servers) with the illusion of locally
attached SCSI disks.
HOW DOES IT WORK:
This component checks the current state of the iSCSI connections by running the iSCSI cmdlets. Any session
in an error state such as “Reconnecting”, “Error” or “Disconnected” generates an alert. A session in a
clean state such as “Not Connected” does not generate an alert.
SYSTEM REQUIREMENTS:
• Server 2016 and higher
• Windows 10 and higher
COMPONENT NAME:
Monitor Windows License Status
WHY USE THIS MONITORING SET:
To monitor the activation status of the Windows licence on the monitored machine. When using Microsoft 365, computers sometimes lose their authentication token and are no longer activated by the Windows 10 Enterprise M365 subscription licence; also, when client computers are upgraded, the licence may no longer be valid and need to be replaced.
HOW DOES IT WORK:
This component queries the computer's software licensing status and alerts whenever that status does not
report the computer as activated.
SYSTEM REQUIREMENTS:
• Server 2016 and higher
• Windows 10 and higher
COMPONENT NAME:
Unifi Status Monitoring
• Monitor Unifi Device Health [WIN]
• Monitor Unifi Device status [WIN]
• Monitor Unifi STP status [WIN]
• Monitor Unifi upgrade status [WIN]
• Monitor Unifi WAN status [WIN]
WHY USE THIS MONITORING SET:
If you would like to monitor Ubiquiti Unifi services.
• Monitor Unifi Device Health [WIN]
o Monitors the health of devices, CPU/Memory/Temperature
• Monitor Unifi Device status [WIN]
o Monitors uptime status and online/offline status of all devices
• Monitor Unifi STP status [WIN]
o Monitors STP port loops on switches.
• Monitor Unifi upgrade status [WIN]
o Monitors if the device has an upgrade available
• Monitor Unifi WAN status [WIN]
o Monitors if all configured WAN ports are online.
HOW DOES IT WORK:
The component connects to the Unifi controller API; it monitors from the controller side, not on the
devices, and creates API requests for each device. Because of API rate limiting it is advised to run these
sets every 5 to 10 minutes. This set can only run on one device per client.
SETUP
• Enter all variables.
• Enter the hostname of the device that will monitor the API. This is built in to make sure not all devices
alert at the same time, which would create many tickets.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Windows 10 and higher
• Unifi controller accessible from agent.
• Unifi read-only user.
COMPONENT NAME:
Monitor Active Directory Recycle Bin
WHY USE THIS MONITORING SET:
If you would like to monitor Active Directory Recycle Bin
Active Directory now implements a true recycle bin. No longer will you need an authoritative restore to
recover deleted users, groups, OU’s, or other objects. Instead, it is now possible to use PowerShell commands
to bring back objects with all their attributes, backlinks, group memberships, and metadata. AD Recycle Bin
(ADRB) is disabled on domains by default and will need to be manually activated.
HOW DOES IT WORK:
The component executes a PowerShell command that returns if the forest has the active directory recycle bin
enabled. If not, the set will generate an alert.
REMEDIATION
• Automatic remediation is available. The remediation script is called “Enable Active Directory
Recyclebin [WIN]” and can be found in the ComStore.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Windows 10 and higher
• Domain Controller
COMPONENT NAME:
Monitor MegaRAID Physical Disk Status
WHY USE THIS MONITORING SET:
If you would like to monitor the MegaRAID Physical Disk status of a server.
LSI Corporation was an American company based in San Jose, California, which designed semiconductors and
software that accelerate storage and networking in data centers, mobile networks and client computing.
On May 6, 2014, LSI Corporation was acquired by Avago Technologies (now known as Broadcom Inc.). Because of
this takeover the MegaRAID tooling (StorCLI) works with 3ware, LSI and Avago RAID cards.
SETUP
• Execute Deploy StorCLI64.exe [WIN] before adding the monitoring set.
• Set parameters to correct path
HOW DOES IT WORK:
The component runs StorCLI to check the physical disk status of the RAID array and alerts if any disk is not
reported as OK or supported. If unsupported disks are found, the component returns an error. If you want
unsupported disks to be listed as supported, change the support setting in the MegaRAID CLI.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor Azure MFA Server
WHY USE THIS MONITORING SET:
If you would like to monitor Azure MFA server
The set will alert if users do not have MFA enabled and are allowed to pass authentication without MFA.
HOW DOES IT WORK:
The component executes a PowerShell command that returns the current status of the MFA server, it lists all
users and checks if MFA is enabled.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Windows 10 and higher
• MFA server
COMPONENT NAME:
Monitor BitLocker status
WHY USE THIS MONITORING SET:
If you would like to monitor the BitLocker status of a device. The monitoring set will alert whenever BitLocker
is not activated or enabled.
HOW DOES IT WORK:
Uses the Get-BitLockerVolume PowerShell command to list all volumes with BitLocker enabled. If no volumes
are found the component will generate an alert. If protection is suspended or disabled it will also generate an
alert.
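The check described above, written out as an added example (this is not the CyberDrain component's own code). It assumes the BitLocker PowerShell module is available, and it assumes that Datto RMM reads a monitor's result from the `<-Start Result->` / `STATUS=` / `<-End Result->` markers and the exit code; neither assumption comes from this page.

```powershell
# Added example, not the component's own code.
# Assumes Get-BitLockerVolume (BitLocker module) is available.
# The <-Start Result-> / <-End Result-> markers and STATUS= line are assumed to be
# what the Datto RMM monitor parser reads; exit 1 raises the alert.

function Get-BitLockerIssues {
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
    $issues  = @()

    if (-not $volumes) {
        # No data at all: feature missing, or no volume has ever been touched by BitLocker
        return @('Get-BitLockerVolume returned no volumes')
    }

    foreach ($v in $volumes) {
        # Removable media also shows up with VolumeType 'Data'; restrict to
        # VolumeType 'OperatingSystem' here if removable drives should not alert.
        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $issues += "$($v.MountPoint) VolumeStatus=$($v.VolumeStatus)"
        }
        # ProtectionStatus 'Off' covers both "never enabled" and "protection
        # suspended" (for example a Suspend-BitLocker for one reboot that was
        # never resumed), which are exactly the states the set alerts on.
        if ($v.ProtectionStatus -ne 'On') {
            $issues += "$($v.MountPoint) ProtectionStatus=$($v.ProtectionStatus)"
        }
    }
    return $issues
}

$issues = @(Get-BitLockerIssues)
Write-Host '<-Start Result->'
if ($issues.Count -gt 0) {
    Write-Host "STATUS=BitLocker problem: $($issues -join '; ')"
    Write-Host '<-End Result->'
    exit 1
}
Write-Host 'STATUS=All volumes fully encrypted and protected'
Write-Host '<-End Result->'
exit 0
```

A suspended protector is the case most often missed: the volume still reports `FullyEncrypted`, so a check on `VolumeStatus` alone would report it healthy while the clear key sits on disk.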
SYSTEM REQUIREMENTS:
• Windows 10 and higher
• BitLocker
COMPONENT NAME:
Monitor Breached Passwords
WHY USE THIS MONITORING SET:
If you would like to monitor whether passwords have appeared in a known breach. The password entered will
not be sent to any location, but a generated hash of the password will.
HOW DOES IT WORK:
Connects to the “Have I Been Pwned?” API and compares the list of given passwords and alerts if a password
hash matches one found in a former breach.
To use this set you will have to enter passwords in plain text. It is strongly advised to only use this monitoring
set on internal machines at the MSP and only use passwords that are related to service accounts or suspected
of leaks.
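The lookup described above, as an added example rather than the component's own code. It uses the public Pwned Passwords range endpoint, which the page only refers to as the “Have I Been Pwned?” API: the password is hashed locally with SHA-1 and only the first five hex characters of that hash are transmitted, so the full hash the page mentions never actually has to leave the machine. The sample password list and the Datto RMM result markers are assumptions.

```powershell
# Added example, not the component's own code. Uses the Pwned Passwords range
# (k-anonymity) endpoint: only the first five hex characters of the SHA-1 hash
# are sent, and the suffix is matched locally against the returned range.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-PwnedCount {
    param([Parameter(Mandatory)][string]$Password)

    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $hash  = -join ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') })
    $sha1.Dispose()

    $prefix = $hash.Substring(0, 5)   # the only part that is transmitted
    $suffix = $hash.Substring(5)      # compared locally, never sent

    # Add-Padding makes every response roughly the same size, so the number of
    # returned suffixes does not reveal which range was requested.
    $range = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                               -Headers @{ 'Add-Padding' = 'true' } -UseBasicParsing

    foreach ($line in ($range -split "`r?`n")) {
        $parts = $line.Trim().Split(':')
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
            return [int64]$parts[1]   # padding entries carry a count of 0
        }
    }
    return 0
}

# Constructed sample input; in the component the list comes from its parameters.
$passwordsToCheck = @('Password1', 'correct horse battery staple')

$hits = @()
for ($i = 0; $i -lt $passwordsToCheck.Count; $i++) {
    $count = Get-PwnedCount -Password $passwordsToCheck[$i]
    if ($count -gt 0) {
        # Report the position in the list, never the password itself, in the alert text
        $hits += "password #$($i + 1) seen $count times in breaches"
    }
}

Write-Host '<-Start Result->'
if ($hits.Count -gt 0) {
    Write-Host "STATUS=Breached passwords found: $($hits -join '; ')"
    Write-Host '<-End Result->'
    exit 1
}
Write-Host 'STATUS=No breached passwords found'
Write-Host '<-End Result->'
exit 0
```

The alert text deliberately carries only the index of the offending entry: monitor output ends up in tickets and e-mail, which is not where a service-account password belongs.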
SYSTEM REQUIREMENTS:
• Windows 10 and higher
• Access to “Have I Been Pwned?” API.
COMPONENT NAME:
Monitor Cipher State
WHY USE THIS MONITORING SET:
If you would like to monitor whether the server or workstation allows outdated cipher states. Cipher states are
used for TLS/SSL connections, and using the most modern encryption prevents attacks such as Shellshock,
Heartbleed, and MITM attacks.
HOW DOES IT WORK:
Checks if TLS/SSL is enabled by registry and alerts if older versions are enabled. Also checks used ciphers with
PowerShell and alerts if they are not up to current standards.
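One way to implement both halves of that check, added here as an example (not the component's code). The registry part reads the SCHANNEL protocol keys; the cipher part uses `Get-TlsCipherSuite`, which exists on Windows 10 / Server 2016 and later and is skipped where absent. The list of patterns treated as weak, and the result markers, are assumptions.

```powershell
# Added example, not the component's own code.
$protocolRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacyProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$weakSuitePattern = 'RC4|3DES|_DES_|NULL|MD5|EXPORT'   # constructed: suite name fragments treated as weak

function Get-CipherStateIssues {
    $issues = @()

    foreach ($proto in $legacyProtocols) {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $protocolRoot "$proto\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # Only an explicit Enabled=0 counts as hardened. A missing key means
            # "OS default", which for these protocols is generally enabled on the
            # OS versions this document covers, so it is reported as well.
            if ($null -eq $props -or $props.Enabled -ne 0) {
                $issues += "$proto ($side) is not explicitly disabled"
            }
        }
    }

    # Cipher suites: available on Windows 10 / Server 2016+, skipped elsewhere
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        foreach ($suite in Get-TlsCipherSuite) {
            if ($suite.Name -match $weakSuitePattern) {
                $issues += "weak cipher suite enabled: $($suite.Name)"
            }
        }
    }
    return $issues
}

$issues = @(Get-CipherStateIssues)
Write-Host '<-Start Result->'
if ($issues.Count -gt 0) {
    Write-Host "STATUS=Outdated protocols/ciphers: $($issues -join '; ')"
    Write-Host '<-End Result->'
    exit 1
}
Write-Host 'STATUS=No legacy protocols or weak cipher suites enabled'
Write-Host '<-End Result->'
exit 0
```

Treating a missing key as “not hardened” is the conservative reading: it produces alerts on freshly installed machines, which is the state you want surfaced rather than silently accepted.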
SYSTEM REQUIREMENTS:
• Windows 10 and higher
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor Dell Driver Updates
WHY USE THIS MONITORING SET:
If you would like to monitor if Dell updates are available for your device. Uses the Dell DCU.
SETUP:
• Host the Dell DCU file on a webserver of choice. For examples see
https://www.cyberdrain.com/monitoring-with-powershell-monitoring-dell-device-updates/
HOW DOES IT WORK:
Uses the Dell Command Update utility to check whether updates are available; if any are found, the
component generates an alert.
SYSTEM REQUIREMENTS:
• Windows 10 and higher
• Dell system
COMPONENT NAME:
Monitor Event log size
WHY USE THIS MONITORING SET:
If you would like to monitor the size of event logs.
Event logs are local files recording all the 'happenings' on the system and it includes accessing, deleting, adding
a file or an application, modifying the system's date, shutting down the system, changing the system
configuration, etc.
HOW DOES IT WORK:
Monitors the Application, System, and Setup event log, if there is less than 10% available it will generate an
alert.
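The capacity calculation behind that 10% threshold, as an added example (not the component's own code). It uses `Get-WinEvent -ListLog`, whose `FileSize` and `MaximumSizeInBytes` properties give the current and configured size of each log; the result markers are assumed.

```powershell
# Added example, not the component's own code.
$freeThresholdPct = 10
$logsToCheck      = 'Application', 'System', 'Setup'

function Get-EventLogCapacity {
    foreach ($name in $logsToCheck) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            [pscustomobject]@{ Log = $name; FreePct = $null; LogMode = $null; Note = 'log not found' }
            continue
        }
        $max  = [double]$log.MaximumSizeInBytes
        $used = [double]$log.FileSize
        $free = if ($max -gt 0) { [math]::Round([math]::Max(0, $max - $used) / $max * 100, 1) } else { $null }
        [pscustomobject]@{
            Log     = $name
            FreePct = $free
            # Circular logs overwrite the oldest events once full: free space
            # then stays near 0 until the log is backed up and cleared, which is
            # what the remediation component does.
            LogMode = $log.LogMode
            Note    = "$([math]::Round($used / 1MB, 1)) MB of $([math]::Round($max / 1MB, 1)) MB used"
        }
    }
}

$capacity = @(Get-EventLogCapacity)
$alerts   = @($capacity |
    Where-Object { $null -eq $_.FreePct -or $_.FreePct -lt $freeThresholdPct } |
    ForEach-Object { "$($_.Log): $($_.FreePct)% free ($($_.LogMode)); $($_.Note)" })

Write-Host '<-Start Result->'
if ($alerts.Count -gt 0) {
    Write-Host "STATUS=Event log nearly full: $($alerts -join ' | ')"
    Write-Host '<-End Result->'
    exit 1
}
Write-Host "STATUS=All monitored logs have at least $freeThresholdPct% free"
Write-Host '<-End Result->'
exit 0
```

The security interest here is evidence retention: a full circular log is still “working”, but the oldest entries are being discarded, so pairing this monitor with the backup remediation keeps the history an investigation would need.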
REMEDIATION:
• Automatic remediation is available. Remediation script is called “Back-up Event Logs [WIN]” and
can be found in the ComStore.
SYSTEM REQUIREMENTS:
• Windows 10 and higher
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor External Open Ports
WHY USE THIS MONITORING SET:
If you would like to monitor the open ports on your external IP address.
The problem with most port-scan utilities, and with the PowerShell Test-NetConnection cmdlet, is that they
always scan from inside the internal network. Even if you enter the external IP, whitelisting might allow you
to connect anyway and give you false positives.
HOW DOES IT WORK:
Uses an external port scan utility hosted by yourself to scan all given ports.
SETUP
• Upload the PHP file example from https://www.cyberdrain.com/monitoring-with-powershell-external-port-scanning/ to a host of choice.
• Enter the correct URL in the parameters of the component.
SYSTEM REQUIREMENTS:
• Windows 10 and higher
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor Local Administrator Password Changes
WHY USE THIS MONITORING SET:
If you would like to monitor local administrator password resets in the previous 24 hours.
In Windows, a local administrator account is a user account that can manage a local computer. Generally, a
local administrator can do anything to the local system.
HOW DOES IT WORK:
Checks the LastPasswordSet date of all local administrator accounts.
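The LastPasswordSet check, expanded into an added example (not the component's own code). It resolves the Administrators group by its well-known SID rather than its name, so it works on localized installations; the 24-hour window comes from the text, the result markers are assumed.

```powershell
# Added example, not the component's own code.
$windowHours = 24
$since = (Get-Date).AddHours(-$windowHours)

function Get-RecentLocalAdminPasswordResets {
    # S-1-5-32-544 is the well-known SID of the local Administrators group, so
    # the lookup does not depend on the localized group name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' |
               Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

    foreach ($m in $members) {
        $userName = $m.Name.Split('\')[-1]      # Name is reported as COMPUTER\user
        $u = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
        if ($null -ne $u -and $null -ne $u.PasswordLastSet -and $u.PasswordLastSet -gt $since) {
            [pscustomobject]@{
                User            = $u.Name
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
            }
        }
    }
}

$resets = @(Get-RecentLocalAdminPasswordResets)
Write-Host '<-Start Result->'
if ($resets.Count -gt 0) {
    $summary = ($resets | ForEach-Object { "$($_.User) at $($_.PasswordLastSet)" }) -join '; '
    Write-Host "STATUS=Local admin password reset in last $windowHours h: $summary"
    Write-Host '<-End Result->'
    exit 1
}
Write-Host "STATUS=No local administrator password changes in last $windowHours h"
Write-Host '<-End Result->'
exit 0
```

On machines where LAPS rotates the built-in administrator password, scheduled rotations will trigger this monitor; the distinguishing question is who performed the reset, which the Security log records in event 4724 alongside the subject account.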
SYSTEM REQUIREMENTS:
• Windows 10 and higher
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor MegaRAID RAID Status
WHY USE THIS MONITORING SET:
If you would like to monitor the MegaRAID RAID status of a server.
LSI Corporation was an American company based in San Jose, California, which designed semiconductors and
software that accelerate storage and networking in data centres, mobile networks and client computing.
On May 6, 2014, LSI Corporation was acquired by Avago Technologies (now known as Broadcom Inc.). Due to
this takeover MegaRAID works on 3ware, LSI, and Avago RAID cards.
SETUP
• Execute Deploy StorCLi64.exe [WIN] before adding monitoring set
• Set parameters to correct path
HOW DOES IT WORK:
The component executes the commands to check the current status of the RAID array and alerts if anything is
not stated to be OK.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor Print Servers and queues
WHY USE THIS MONITORING SET:
If you need to alert on Printers on servers not being available or jobs getting stuck in queues.
HOW DOES IT WORK:
Uses the Get-Printer PowerShell command to retrieve the health status and alerts if a job is stuck, or a printer
is not online.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor RDS UPD State
WHY USE THIS MONITORING SET:
If you need to alert on disks that are almost full when using RDS User Profile Disks.
User profile disks store user and application data on a single virtual disk that is dedicated to one user's profile.
User profile disks provide an easy way to store the user settings and data on a separate virtual disk that is
reattached at logon, so the user data isn't discarded when the virtual machine rolls back.
HOW DOES IT WORK:
Checks all VHDX files attached to the system and alerts if less than 10% space is available inside of that disk.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor RRAS Status
WHY USE THIS MONITORING SET:
If you need to alert on any component of RRAS that fails.
Routing and remote access service (RRAS) is a suite of network services in the Windows Server family that
enables a server to perform the services of a conventional router. RRAS includes an application programming
interface (API) that facilitates the development of applications and processes for administering a range of
network services.
HOW DOES IT WORK:
Checks the current RRAS status by running the RRAS health monitoring via PowerShell. Alerts if any service is
not healthy.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor Windows Firewall State
WHY USE THIS MONITORING SET:
If you need to alert on any part of the Windows Firewall allowing traffic where it should not be.
The set monitors both the activity of the Windows Firewall and the state of the current policies if they have
been set to allow all traffic or not.
HOW DOES IT WORK:
Checks the current state of the Windows Firewall and alerts if the firewall is disabled for any profile. Also
checks the state of the Default Inbound Action and alerts if this has been set to “allow”.
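Both conditions in one check, as an added example that is not the component's own code. `Get-NetFirewallProfile` exposes `Enabled` and `DefaultInboundAction` per profile; the active network category is included in the diagnostic output so the reader can see which profile currently matters. The result and diagnostic markers are assumed.

```powershell
# Added example, not the component's own code.
function Get-FirewallIssues {
    foreach ($profile in Get-NetFirewallProfile) {
        # Enabled and DefaultInboundAction are enum values; comparing them as
        # strings avoids surprises with the GpoBoolean type and also treats
        # 'NotConfigured' for Enabled as a problem worth looking at.
        if ("$($profile.Enabled)" -ne 'True') {
            "$($profile.Name) profile: firewall disabled"
        }
        if ("$($profile.DefaultInboundAction)" -eq 'Allow') {
            "$($profile.Name) profile: default inbound action is Allow"
        }
    }
}

function Get-ActiveProfiles {
    # Which profile is in force right now depends on the network category of
    # each connected adapter.
    Get-NetConnectionProfile |
        ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }
}

$issues = @(Get-FirewallIssues)
Write-Host '<-Start Result->'
if ($issues.Count -gt 0) {
    Write-Host "STATUS=Windows Firewall misconfigured: $($issues -join '; ')"
} else {
    Write-Host 'STATUS=Windows Firewall enabled on all profiles, inbound default is not Allow'
}
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
Write-Host "Active profiles: $((@(Get-ActiveProfiles)) -join ', ')"
Write-Host '<-End Diagnostic->'
if ($issues.Count -gt 0) { exit 1 } else { exit 0 }
```

`NotConfigured` as the inbound action is left alone on purpose: it means the built-in default (block) applies, which is the state the page accepts.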
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
COMPONENT NAME:
Monitor Shodan results – Dark web scan
WHY USE THIS MONITORING SET:
If you need to alert on your services being added to Shodan.
Shodan is a search engine that lets the user find any device connected to the internet using a variety of filters.
Some have also described it as a search engine of service banners, which are metadata that the server sends
back to the client.
This can be information about the server software, what options the service supports, a welcome message or
anything else that the client can find out before interacting with the server. Shodan collects data on each
known port and thus can be used to find devices that have open ports you would not like to have open to
the internet, such as RDP.
HOW DOES IT WORK:
This component connects to the Shodan API and downloads all results for the IP it is currently running from.
SYSTEM REQUIREMENTS:
• Server 2012R2 and higher.
• Windows 8.1 and higher.
COMPONENT NAME:
Monitor OneDrive Sync Status
WHY USE THIS MONITORING SET:
If you need to monitor the status of the OneDrive Sync for the currently logged on user. OneDrive sync reports
several statuses to the client OS and these are evaluated and processed by the script.
HOW DOES IT WORK:
This component runs a specialized “run as user” script, and then checks the status of the OneDrive sync by
executing the PowerShell module for OneDrive sync.
SYSTEM REQUIREMENTS:
• Server 2016 and higher.
• Windows 10 and higher.
COMPONENT NAME:
Monitor Active Directory User/Computer Age
WHY USE THIS MONITORING SET:
If you need to monitor how long devices or users have not logged on to the network. This set is often used in
conjunction with an automatic removal/disable script for older user and computer accounts.
HOW DOES IT WORK:
This component runs the Get-ADUser and Get-ADComputer cmdlets that are included on Server 2012 and later. It then
filters the objects based on age and returns them in the diagnostic data.
The diagnostic data contains only the fields required to find the object in Active Directory.
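The age filter, worked out as an added example (not the component's own code). It requires the ActiveDirectory module on the domain controller; the 90-day threshold is an assumed parameter value, and the diagnostic markers are assumed. It goes slightly beyond the text in handling objects that have never logged on, which have no LastLogonDate at all.

```powershell
# Added example, not the component's own code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory -ErrorAction Stop
$maxAgeDays = 90                                  # assumed; the component takes this from a parameter
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)

function Get-StaleAdObjects {
    # LastLogonDate is derived from lastLogonTimestamp, which replicates lazily
    # (up to 14 days behind), so $maxAgeDays is approximate. Objects that have
    # never logged on carry no LastLogonDate and are judged on whenCreated instead.
    $users     = Get-ADUser     -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated
    $computers = Get-ADComputer -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated

    foreach ($obj in @($users) + @($computers)) {
        $lastSeen = if ($obj.LastLogonDate) { $obj.LastLogonDate } else { $obj.whenCreated }
        if ($lastSeen -lt $cutoff) {
            # Only the fields needed to locate the object, as the text describes
            [pscustomobject]@{
                Type              = $obj.ObjectClass
                SamAccountName    = $obj.SamAccountName
                DistinguishedName = $obj.DistinguishedName
                LastSeen          = $lastSeen
            }
        }
    }
}

$stale = @(Get-StaleAdObjects)
Write-Host '<-Start Result->'
if ($stale.Count -gt 0) {
    Write-Host "STATUS=$($stale.Count) enabled AD objects inactive for more than $maxAgeDays days"
} else {
    Write-Host "STATUS=No enabled AD objects inactive for more than $maxAgeDays days"
}
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
$stale | ForEach-Object { Write-Host "$($_.Type) $($_.SamAccountName) last seen $($_.LastSeen) ($($_.DistinguishedName))" }
Write-Host '<-End Diagnostic->'
if ($stale.Count -gt 0) { exit 1 } else { exit 0 }
```

Enabled accounts that nobody has used for months are a standing credential nobody is watching, which is why the text pairs this monitor with an automatic disable script; emitting the DistinguishedName keeps that follow-up unambiguous.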
SYSTEM REQUIREMENTS:
• Server 2012 and higher
• Domain Controller
COMPONENT NAME:
Monitor SQL Server Databases [WIN]
WHY USE THIS MONITORING SET:
If you need to monitor the current state of SQL databases. The following items are monitored for each
database:
• Database state must be Normal
• Recovery model must be Simple
• Filegroups must not have a max size set
• File groups are not allowed to be on the C: drive.
• Databases excluded from monitoring are: ("Master","Model","ReportServer","SLDModel.SLDData")
HOW DOES IT WORK:
This component runs the SQLPS cmdlets to retrieve all databases and their settings. Please note that for SQLPS to
function correctly the NT AUTHORITY\SYSTEM account needs access to the databases.
When monitoring fails the diagnostic information will contain the exact status.
SYSTEM REQUIREMENTS:
• Server 2012 and higher
• SQL server installed
• SYSTEM must have access to all DBs.
COMPONENT NAME:
Monitor Internet Speed [WIN]
WHY USE THIS MONITORING SET:
If you need to monitor and compare the internet speeds to preset values, and the value of the last run of the
script.
HOW DOES IT WORK:
This component uses the Speedtest CLI from Ookla. The script allows you to monitor the following items:
• The external IP and the internal IP of the interface used.
• The current ISP.
• The download and upload speed.
• The jitter, latency, and packet loss of the connection.
• The server it uses, plus the actual speedtest.net URL so you can compare the results by hand.
The script has two measuring methods. One is absolute and based on the values you’ve entered.
The other is a percentage-based monitor that alerts if the difference between the current speedtest and the
previous one is more than 20%.
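Both measuring methods side by side, as an added example that is not the component's own script. It assumes the Ookla Speedtest CLI is installed at the path in `$speedtestExe` and that its `--format=json` output carries the `download.bandwidth` (bytes per second), `upload.bandwidth`, `ping`, `packetLoss`, `interface`, `server` and `result.url` fields; the previous run is kept in an assumed state file, and the thresholds and result markers are assumed values.

```powershell
# Added example, not the component's own code. Assumed paths and thresholds.
$speedtestExe = 'C:\ProgramData\Speedtest\speedtest.exe'
$stateFile    = 'C:\ProgramData\Speedtest\last-run.json'
$minDownMbps  = 50      # absolute method: values you would enter as parameters
$minUpMbps    = 10
$maxDeltaPct  = 20      # percentage method from the text

function Invoke-SpeedtestRun {
    $raw = & $speedtestExe --format=json --accept-license --accept-gdpr
    $r   = ($raw -join "`n") | ConvertFrom-Json
    [pscustomobject]@{
        ExternalIp = $r.interface.externalIp
        InternalIp = $r.interface.internalIp
        Isp        = $r.isp
        DownMbps   = [math]::Round($r.download.bandwidth * 8 / 1e6, 1)   # bandwidth is bytes/s
        UpMbps     = [math]::Round($r.upload.bandwidth * 8 / 1e6, 1)
        LatencyMs  = $r.ping.latency
        JitterMs   = $r.ping.jitter
        PacketLoss = $r.packetLoss
        Server     = $r.server.name
        ResultUrl  = $r.result.url
    }
}

function Get-DeltaPct([double]$Previous, [double]$Current) {
    # Relative change against the previous run; 0 when there is no usable baseline
    if ($Previous -le 0) { return 0 }
    [math]::Round([math]::Abs($Current - $Previous) / $Previous * 100, 1)
}

$now    = Invoke-SpeedtestRun
$issues = @()
if ($now.DownMbps -lt $minDownMbps) { $issues += "download $($now.DownMbps) Mbps below $minDownMbps" }
if ($now.UpMbps   -lt $minUpMbps)   { $issues += "upload $($now.UpMbps) Mbps below $minUpMbps" }

if (Test-Path $stateFile) {
    $prev = Get-Content $stateFile -Raw | ConvertFrom-Json
    foreach ($metric in 'DownMbps', 'UpMbps') {
        $delta = Get-DeltaPct -Previous $prev.$metric -Current $now.$metric
        if ($delta -gt $maxDeltaPct) {
            $issues += "$metric changed $delta% since last run ($($prev.$metric) -> $($now.$metric))"
        }
    }
}
# Persist this run as the baseline for the next comparison
$now | ConvertTo-Json | Set-Content -Path $stateFile

Write-Host '<-Start Result->'
if ($issues.Count -gt 0) { Write-Host "STATUS=Speedtest: $($issues -join '; ')" }
else { Write-Host "STATUS=Speedtest OK: $($now.DownMbps)/$($now.UpMbps) Mbps via $($now.Isp)" }
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
Write-Host "External $($now.ExternalIp), internal $($now.InternalIp), server $($now.Server), latency $($now.LatencyMs) ms, jitter $($now.JitterMs) ms, loss $($now.PacketLoss)%"
Write-Host "Result: $($now.ResultUrl)"
Write-Host '<-End Diagnostic->'
if ($issues.Count -gt 0) { exit 1 } else { exit 0 }
```

The percentage method compares against the last run only, so one bad measurement produces two alerts (the drop, then the recovery); a rolling baseline over several runs would smooth that, at the cost of a later first alert.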
SYSTEM REQUIREMENTS:
• Server 2012 and higher
• Windows 8.1 and higher
COMPONENT NAME:
Monitor Competitor RMM
WHY USE THIS MONITORING SET:
If you need to monitor the installation of a competing RMM product. Can be used during onboarding, or when
there is worry of a secondary service provider installing an RMM package.
HOW DOES IT WORK:
This component queries the registry for all installed applications, and matches them against the names of
RMM products.
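The registry match, as an added example (not the component's own code, and the page does not reproduce the component's product list, so the pattern list below is a constructed sample). It reads both the native and the WOW6432Node Uninstall keys and, as a second signal the text does not mention, also looks at installed services, since an agent may be present without an Add/Remove Programs entry.

```powershell
# Added example, not the component's own code.
# Constructed sample list; the component's own list of RMM product names is not on the page.
$rmmPatterns = 'ConnectWise Automate', 'LabTech', 'Kaseya', 'N-central', 'NinjaRMM', 'Syncro', 'Atera', 'Pulseway'

$uninstallPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

function Find-CompetitorRmm {
    # 1. Installed applications from both Uninstall hives
    $installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName }
    foreach ($app in $installed) {
        foreach ($pattern in $rmmPatterns) {
            if ($app.DisplayName -like "*$pattern*") {
                [pscustomobject]@{
                    Source  = 'Uninstall'
                    Name    = $app.DisplayName
                    Version = $app.DisplayVersion
                    Matched = $pattern
                }
                break
            }
        }
    }

    # 2. Services: an agent can run as a service without an Uninstall entry
    foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
        foreach ($pattern in $rmmPatterns) {
            if ($svc.DisplayName -like "*$pattern*" -or $svc.Name -like "*$pattern*") {
                [pscustomobject]@{
                    Source  = 'Service'
                    Name    = "$($svc.DisplayName) ($($svc.Name), $($svc.Status))"
                    Version = $null
                    Matched = $pattern
                }
                break
            }
        }
    }
}

$found = @(Find-CompetitorRmm)
Write-Host '<-Start Result->'
if ($found.Count -gt 0) {
    $summary = ($found | ForEach-Object { "$($_.Source): $($_.Name)" }) -join '; '
    Write-Host "STATUS=Competing RMM detected: $summary"
    Write-Host '<-End Result->'
    exit 1
}
Write-Host 'STATUS=No competing RMM products found'
Write-Host '<-End Result->'
exit 0
```

An unexpected remote-management agent is, from a defender's view, an unknown party with SYSTEM-level remote execution on the endpoint, so this deserves the same triage as any other unrecognised persistence.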
SYSTEM REQUIREMENTS:
• Server 2012 and higher
• Windows 8.1 and higher
COMPONENT NAME:
Monitor SMB connections on clients
WHY USE THIS MONITORING SET:
If you need to monitor the current open SMB sessions on client machines. Clients should not host any file
shares; the administrative file shares such as ADMIN$ are often used for lateral movement by bad actors. This
monitoring component gives you an early warning based on that.
HOW DOES IT WORK:
This component queries all open SMB sessions on a client machine by running Get-SmbSession in PowerShell.
This gives us all information such as the user who is connecting and from what specific IP address.
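The session query, as an added example (not the component's own code). Beyond `Get-SmbSession`, it joins in `Get-SmbOpenFile` so the alert shows which paths each remote session has open, which is what tells an ADMIN$ access apart from a user browsing a shared folder. The result and diagnostic markers are assumed.

```powershell
# Added example, not the component's own code. Run as SYSTEM on a client OS.
function Get-ClientSmbExposure {
    $sessions  = @(Get-SmbSession  -ErrorAction SilentlyContinue)
    $openFiles = @(Get-SmbOpenFile -ErrorAction SilentlyContinue)

    foreach ($s in $sessions) {
        $paths = $openFiles |
                 Where-Object { $_.SessionId -eq $s.SessionId } |
                 Select-Object -ExpandProperty Path -Unique
        [pscustomobject]@{
            ClientComputerName = $s.ClientComputerName   # source address of the session
            ClientUserName     = $s.ClientUserName       # account used to connect
            Dialect            = $s.Dialect              # anything below 2.x means SMB1 is in use
            NumOpens           = $s.NumOpens
            SecondsExists      = $s.SecondsExists
            OpenPaths          = ($paths -join ', ')
        }
    }
}

$exposure = @(Get-ClientSmbExposure)
Write-Host '<-Start Result->'
if ($exposure.Count -gt 0) {
    $summary = ($exposure | ForEach-Object { "$($_.ClientUserName) from $($_.ClientComputerName)" }) -join '; '
    Write-Host "STATUS=$($exposure.Count) inbound SMB session(s) on a client: $summary"
} else {
    Write-Host 'STATUS=No inbound SMB sessions'
}
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
$exposure | ForEach-Object {
    Write-Host "$($_.ClientComputerName) $($_.ClientUserName) dialect=$($_.Dialect) opens=$($_.NumOpens) age=$($_.SecondsExists)s paths=[$($_.OpenPaths)]"
}
Write-Host '<-End Diagnostic->'
if ($exposure.Count -gt 0) { exit 1 } else { exit 0 }
```

If the RMM itself, a backup agent or a software-deployment tool legitimately connects to ADMIN$ on clients, add its source addresses or accounts to an exclusion list rather than lowering the check; the Security log's event 5140 (network share accessed) gives the same picture historically when a session has already closed by the time the monitor runs.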
SYSTEM REQUIREMENTS:
• Windows 10 and up
OFFICE365 MONITORING COMPONENTS
The Office365 monitoring components require a preload of PowerShell Modules and set up of the Secure
Application Model. Each of the Office365 monitoring components require the use of these credentials.
The Office365 monitoring components are suggested to run on a dedicated virtual machine for this specific
purpose. Do not run these components on client machines as these often do not meet the security
requirements for connecting to Office365 APIs securely.
To prepare your environment you must run the “Prepare for O365 monitoring [WIN]” component.
This component pre-downloads all modules and sets up the virtual machine to work securely with the
Office365 credentials. This component must finish without any errors.
After this component has run, you must use the Secure Application Model to collect your credentials. To
collect these credentials please check the Microsoft documentation here:
https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/bd-p/PC_Security_Guidance_Secure_Application
Or use the CyberDrain documentation here: https://www.cyberdrain.com/connect-to-exchange-online-automated-when-mfa-is-enabled-using-the-secureapp-model/
These credentials need to be entered as site variables. An example is included in the screenshot below. You
must set up the following site variables:
Name Value Masked
O365ApplicationId Application ID No
O365ApplicationSecret Application Secret Yes
O365ExchangeRefreshToken Exchange Refresh Token Yes
O365RefreshToken Refresh Token Yes
O365TenantID Your TenantID No
O365UPN The UPN used to generate tokens. No
The screenshot demonstrates how this will look in Datto RMM.
See the list below for the monitoring components that are currently available. It's recommended to run the
components with a minimum runtime of 10 minutes. Some components require you to add permissions to the
Secure Application Model. Please reference the related blog to find instructions on how to perform this.
Component Name | Component Description | Related blog | Extra permissions required

Monitor Office365 ADConnect Synchronization [WIN]
Description: This component checks whether the Password Sync and Active Directory Sync have occurred in the last 24 hours and alerts if they have not.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office365-azure-ad-sync/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Admin Password Changes [WIN]
Description: Alerts when an admin password is changed in any tenant controlled by the partner. This is useful to discover whether documentation needs to be updated or an account has been compromised.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office365-admin-password-changes
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Blocked Users [WIN]
Description: Alerts when O365 users enter a blocked state. This monitors all disabled users. Can be used for reporting purposes.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-users-that-are-blocked-for-login/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Breakglass logon [WIN]
Description: Alerts when a break glass user has logged on. This could be an IoC (indicator of compromise).
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-o365-azure-breakglass-account-logon
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Deleted users [WIN]
Description: Alerts when a deleted user is found in the recycle bin. Can be used to create a ticket to resume offboarding or confirm whether the user actually needed to be deleted.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-mfa-server-and-office365-mfa-status/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Mailbox sizes [WIN]
Description: Alerts when the mailbox size of a user is over a set size.
Related blog: https://www.cyberdrain.com/documenting-with-powershell-documenting-office-365-usage-reports/
Extra permissions required: Yes. Reports.Read.All

Monitor Office365 MFA Type [WIN]
Description: Alerts when a user has an insecure MFA type enabled, such as SMS-based MFA.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-the-used-mfa-type-for-o365-azure/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Modern Authentication [WIN]
Description: Alerts when Modern Authentication is not enabled for a tenant. When Modern Authentication is not set the tenant uses legacy authentication.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-3-monitoring-modern-authentication/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Users Pending Permanent Deletion [WIN]
Description: Alerts when a deleted user is found in the recycle bin and it is about to be permanently deleted.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office-365-deleted-users-license-usage/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 New created teams [WIN]
Description: Alerts when a new team has been created in the last day. Required OS: Windows 8.1 and up.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-the-creation-of-new-teams/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Non-MFA users [WIN]
Description: Alerts when a user does not have MFA enabled.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-the-used-mfa-type-for-o365-azure/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 OneDrive and SharePoint Sync Limits [WIN]
Description: Alerts when a OneDrive or SharePoint site is reaching the synchronisation limitations. Required OS: Windows 8.1 and up.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-onedrive-and-sharepoint-file-limits/
Extra permissions required: Yes. Reports.Read.All

Monitor Office365 Suspicious LoginLocation [WIN]
Description: Alerts when a user is logged on from an unexpected location. Uses the third-party https://ip2c.org IP location database. This checks only IPv4 addresses. This is useful when the tenant does not have a P1 subscription.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-o365-location-alerts/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Unified Audit Log [WIN]
Description: Alerts when the O365 Unified audit log has not been enabled.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-3-monitoring-modern-authentication/
Extra permissions required: No. Default Secure App Model Permissions

Monitor Office365 Unused Licenses [WIN]
Description: Alerts when there are unused licenses in the Office365 portal.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office-365-deleted-users-license-usage/
Extra permissions required: No. Default Secure App Model Permissions

Prepare Office365 monitoring [WIN]
Description: Prepares a computer for Office365 monitoring. Please read the CyberDrain documentation (this document) before executing this. Required OS: Server 2016 or Windows 10 or higher.
Related blog: No related blog
Extra permissions required: No permissions required.