Datto RMM Components by CyberDrain – Usage Document

Build 11

www.datto.com

www.cyberdrain.com


INTRODUCTION

All of these sets have been created for Datto RMM. These sets have been tested on:

• Server 2012

• Server 2012R2

• Server 2016

• Server 2019

• Windows 8.1

• Windows 10.

The scripts might function on another version not mentioned above, but those versions are not supported. Some scripts require further setup. Please see the blog link included on the component information tab for details on this setup.


UNDOCUMENTED SCRIPTS

The documentation only covers monitoring components and remediation. Next to the current monitoring components, Cyberdrain.com has also supplied several ease-of-use scripting components. These are listed here but not documented.

Name / Description

Automatically restore Hyper-V replication
Automatically restores Hyper-V replication. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-2-hyper-v-replication-and-remediation/ Required OS: Server 2012R2 or higher.

Runs a backup of event logs; can be used in conjunction with the Event logs size monitor. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-2-hyper-v-replication-and-remediation/ Required OS: Server 2012R2 or higher.

Deploy StorCLI4.exe
Deploys StoreCLI64 for MegaRAID controllers to the location given. To be used in conjunction with the StoreCLI monitoring set. Related blog: https://www.cyberdrain.com/blog-series-monitoring-using-powershell-part-one-using-powershell-to-monitor-megaraid …

Enable Active Directory Recycle Bin
Enables the Active Directory Recycle Bin. Can be used as automated recovery in conjunction with the Active Directory Recycle Bin monitoring script.

Execute Dell Command Updates
Executes DCU to update all drivers on a system. Suspends BitLocker for 1 reboot. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-dell-device-updates/ Required OS: Server 2012R2 or higher.

Hyper-V: Create Snapshot/Checkpoint
Creates a Hyper-V snapshot/checkpoint of the VM name entered. Wildcards are allowed; if multiple VMs match, it will create a snapshot for each VM.

Install Office Click2Run Updates
Installs updates for Office C2R. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office-c2r-updates/ Required OS: W10 and up.

Monitor Active Directory Recycle Bin
Monitors whether the Active Directory Recycle Bin is enabled. If it is not enabled, you can run the automatic restoration component. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-3-hyper-v-state/ Required OS: Windows 8.1+

Reboot Device - Suspend BitLocker
Reboots the device forcibly with a variable timeout, and suspends BitLocker. Required OS: Windows 8.1+

Shrink VHD(x) of Hyper-V Virtual Machine
Automatically shuts down the virtual machine, runs Optimize-VHD to shrink the disk, and restarts the VM when done. Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-2-hyper-v-replication-and-remediation/ Required OS: Server 2012R2+

Write Disk type to UDF
Writes the type of disk to a UDF, stating whether it is SSD or HDD and including the bus type of the drive. Required PowerShell: 4.0+


MONITOR DOCUMENTATION

COMPONENT NAME:

Monitor Cluster Shared Volumes free space

WHY USE THIS MONITORING SET:

If you would like to monitor the cluster shared volume free space.

CSV (Cluster Shared Volumes) is a feature in Windows Server in which shared disks are concurrently accessible to all nodes within a failover cluster. The feature was first introduced in Windows Server 2008 R2 as a way to simplify storage with clustered Hyper-V virtual machines (VMs).

HOW DOES IT WORK:

The component executes a PowerShell command that returns the path of each cluster shared volume, together with a calculation of how much space (in %) is still available. When importing this monitoring component, you can set the Percentage variable to any preferred percentage.

If you would like to alert when 10% of disk space is left on the cluster shared volume, enter only 10, without the percentage (%) symbol.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• At least one active Cluster Shared Volume.


COMPONENT NAME:

Monitor Cluster Shared Volumes Status

WHY USE THIS MONITORING SET:

If you would like to monitor the status of a cluster shared volume.

CSV (Cluster Shared Volumes) is a feature in Windows Server in which shared disks are concurrently accessible to all nodes within a failover cluster. The feature was first introduced in Windows Server 2008 R2 as a way to simplify storage with clustered Hyper-V virtual machines (VMs).

HOW DOES IT WORK:

The component executes a PowerShell command that returns all cluster shared volumes whose status is NOT Online. This means that when a Cluster Shared Volume is in a disconnected or warning state on one of the hosts, only that host will generate an alert.

When the Cluster Shared Volume moves into a completely failed state, it will generate an alert on all hosts to which this component is applied.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• At least one active Cluster Shared Volume.
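The following script is an added example covering both Cluster Shared Volume components above (free space and status); it is not the CyberDrain component code. It assumes the FailoverClusters module is available on the node, that the threshold arrives in an environment variable named Percentage as the free-space page describes, and that printing the findings and exiting with code 1 is how the RMM is told to alert (that exit-code convention is an assumption, not something the document states).

```powershell
# Added example, not the CyberDrain component. Assumes the FailoverClusters module
# and a $env:Percentage threshold (bare number, e.g. 10). The evaluation is a pure
# function over Get-ClusterSharedVolume-shaped objects so it can be unit tested.
Import-Module FailoverClusters -ErrorAction Stop

function Test-CsvHealth {
    param(
        # Objects shaped like Get-ClusterSharedVolume output: Name, State,
        # SharedVolumeInfo[].FriendlyVolumeName, SharedVolumeInfo[].Partition.PercentFree
        [Parameter(Mandatory)] [object[]] $Volumes,
        # Alert when free space is at or below this percentage
        [Parameter(Mandatory)] [double] $MinPercentFree
    )
    $problems = foreach ($csv in $Volumes) {
        # Status check: anything other than Online is reported. Each node evaluates
        # its own view, so a per-host disconnect alerts only on that host.
        if ($csv.State -ne 'Online') {
            "$($csv.Name): state is $($csv.State)"
        }
        # Free-space check: a CSV can expose more than one partition, so iterate.
        foreach ($info in $csv.SharedVolumeInfo) {
            $free = [math]::Round($info.Partition.PercentFree, 1)
            if ($free -le $MinPercentFree) {
                "$($csv.Name) ($($info.FriendlyVolumeName)): $free% free, threshold $MinPercentFree%"
            }
        }
    }
    return @($problems)
}

# Read the threshold the way the component variable is described: a bare number.
if ([string]::IsNullOrWhiteSpace($env:Percentage)) {
    $threshold = 10                                        # default used by this example
} else {
    $threshold = [double]($env:Percentage -replace '%', '')   # tolerate a stray % sign
}

$volumes = @(Get-ClusterSharedVolume)
if ($volumes.Count -eq 0) {
    Write-Output 'No Cluster Shared Volumes found on this node'
    exit 0
}

$findings = Test-CsvHealth -Volumes $volumes -MinPercentFree $threshold
if ($findings.Count -gt 0) {
    Write-Output 'CSV problem detected:'
    $findings | ForEach-Object { Write-Output "  $_" }
    exit 1                                                 # assumed alert signal for the RMM
}
Write-Output 'Healthy'
exit 0
```

The status and free-space checks are kept in one function on purpose: a volume that has gone Offline on this node usually reports no partition information, so the status finding is emitted before the free-space calculation rather than letting the missing partition data produce a misleading "0% free" alert.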


COMPONENT NAME:

Monitor Dell OpenManage Chassis

WHY USE THIS MONITORING SET:

If you would like to monitor the Dell OpenManage Server Administrator hardware state of a Dell server.

OpenManage Server Administrator allows system administrators to manage individual servers in two ways: from an integrated, web-browser-based graphical user interface (GUI) and from a command-line interface (CLI) through the operating system. Server Administrator is designed for system administrators to manage systems locally and remotely on a network.

HOW DOES IT WORK:

The component executes the command “omreport chassis”. This gives a complete overview of the current chassis state of a Dell server. If everything is OK, this script returns “Healthy”. If not, it returns the current state as diagnostic data.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Physical Dell Server.

• Dell OpenManage Server Administrator installed.


COMPONENT NAME:

Monitor Dell OpenManage RAID Status

WHY USE THIS MONITORING SET:

If you would like to monitor the Dell OpenManage Server Administrator RAID status of a server.

OpenManage Server Administrator allows system administrators to manage individual servers in two ways: from an integrated, web-browser-based graphical user interface (GUI) and from a command-line interface (CLI) through the operating system. Server Administrator is designed for system administrators to manage systems locally and remotely on a network.

HOW DOES IT WORK:

The component executes the command “omreport vdisk status”. This gives a complete overview of the current RAID status. If everything is OK, this script returns “Healthy”. If not, it returns the current state as diagnostic data, explicitly stating which RAID array is in an unhealthy state.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Physical Dell Server.

• Dell OpenManage Server Administrator installed.
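The script below is an added example that is not part of the CyberDrain set; it shows how the text that omreport prints can be turned into the "Healthy" or diagnostic result the two Dell pages above describe, for both the chassis overview and the virtual disk status. The omreport output embedded in it is constructed for the example, and the virtual-disk listing is taken with the "omreport storage vdisk" form of the command (the page's "omreport vdisk status" wording is kept as the author wrote it). The location of omreport.exe on the server is an assumption.

```powershell
# Added example, not the CyberDrain component. Parses constructed omreport text;
# on a real server feed it the live output as shown at the bottom.
function Get-OmreportChassisState {
    param([Parameter(Mandatory)] [string[]] $Lines)
    # "omreport chassis" prints one "Severity : Component" line per subsystem.
    $states = foreach ($line in $Lines) {
        if ($line -match '^\s*(Ok|Non-Critical|Critical|Warning|Unknown)\s*:\s*(.+?)\s*$') {
            [pscustomobject]@{ Component = $Matches[2]; Severity = $Matches[1] }
        }
    }
    return @($states)
}

function Get-OmreportVdiskState {
    param([Parameter(Mandatory)] [string[]] $Lines)
    # "omreport storage vdisk" prints "Field : Value" blocks, one per virtual disk,
    # each block starting with an "ID" line. Lines without a colon are headings.
    $disks = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$') {
            $field, $value = $Matches[1], $Matches[2]
            if ($field -eq 'ID') {
                $current = [ordered]@{ ID = $value }
                $disks.Add($current)          # hashtable is a reference; later fields land in it
            } elseif ($null -ne $current) {
                $current[$field] = $value
            }
        }
    }
    return @($disks | ForEach-Object { [pscustomobject]$_ })
}

function Test-OmreportHealthy {
    param([object[]] $Chassis, [object[]] $Vdisks)
    $bad = @()
    $bad += $Chassis | Where-Object { $_.Severity -ne 'Ok' } |
        ForEach-Object { "Chassis $($_.Component): $($_.Severity)" }
    # A virtual disk is healthy only when Status is Ok and State is Ready.
    $bad += $Vdisks | Where-Object { $_.Status -ne 'Ok' -or $_.State -ne 'Ready' } |
        ForEach-Object { "Virtual disk $($_.ID) ($($_.Name)): status $($_.Status), state $($_.State)" }
    if ($bad.Count -eq 0) { return 'Healthy' }
    return ($bad -join "`n")
}

# Constructed sample output, shaped like the two omreport commands.
$sampleChassis = @'
Health

Main System Chassis

SEVERITY : COMPONENT
Ok       : Fans
Ok       : Intrusion
Critical : Power Supplies
Ok       : Temperatures
'@ -split "`r?`n"

$sampleVdisk = @'
List of Virtual Disks in the System

Controller PERC H730 Mini (Embedded)
ID                : 0
Status            : Ok
Name              : Virtual Disk 0
State             : Ready
Layout            : RAID-1
ID                : 1
Status            : Critical
Name              : Virtual Disk 1
State             : Degraded
Layout            : RAID-5
'@ -split "`r?`n"

# Live use (omreport on PATH after an OMSA install is an assumption):
#   $chassis = Get-OmreportChassisState -Lines (& omreport chassis)
#   $vdisks  = Get-OmreportVdiskState  -Lines (& omreport storage vdisk)
$result = Test-OmreportHealthy -Chassis (Get-OmreportChassisState $sampleChassis) `
                               -Vdisks  (Get-OmreportVdiskState  $sampleVdisk)
Write-Output $result          # two findings for the sample: Power Supplies and Virtual Disk 1
if ($result -ne 'Healthy') { exit 1 }
```

Keeping the parsers separate from the verdict means the same verdict function can be run against saved omreport output when a server has already been rebuilt, which is often the only evidence left after a disk failure.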


COMPONENT NAME:

Monitor Dell Physical Disk Status

WHY USE THIS MONITORING SET:

If you would like to monitor the Dell OpenManage Server Administrator physical disk state of a Dell server.

OpenManage Server Administrator allows system administrators to manage individual servers in two ways: from an integrated, web-browser-based graphical user interface (GUI) and from a command-line interface (CLI) through the operating system. Server Administrator is designed for system administrators to manage systems locally and remotely on a network.

HOW DOES IT WORK:

The component executes the command “omreport storage pdisk”, which gets a list of the physical disks attached to the system. It then processes this list into a readable format.

When a disk does not have the status Online or the state OK, the server reports a disk failure. You can find all information related to the disks in the diagnostic data.

If you are using unsupported disks and do not want to alert on these, follow this procedure:

• Upgrade Dell OpenManage Server Administrator to 8.5.0 or above; if it is already installed, go to the next step.

• Open the stsvc.ini file located in either the C:\Program Files\Dell\SysMgt\sm or the C:\Program Files (x86)\Dell\SysMgt\sm folder, depending on whether you installed the 32-bit or 64-bit version.

• There should be the following text:

o ;nonDellCertified flag for blocking all non-dell certified alerts.
NonDellCertifiedFlag=yes

• Change this to the following and save the file:

o ;nonDellCertified flag for blocking all non-dell certified alerts.
NonDellCertifiedFlag=no

• If you do not find this line in the file, you will need to add it in the following place and save the file. This is normally the case when you upgrade from an older version to 8.5.0. It is very important that it is added after the [general] lines or the setting won’t be honored.

o ;General Settings
[general]
;Amount, in seconds, to sleep between each attempt to poll the PV20x, PV21x, and PV22x enclosure(s).
EnclosurePollingInterval=30
;nonDellCertified flag for blocking all non-dell certified alerts.
NonDellCertifiedFlag=no

• Once you have modified the INI file, restart the DSM SA Data Manager service in services.msc; Dell OMSA should then report that the disk state is OK.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Physical Dell Server.

• Dell OpenManage Server Administrator installed
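As an added example (not one of the CyberDrain scripts), the procedure above can be carried out with the function below: it finds stsvc.ini in either of the two folders the page names, sets NonDellCertifiedFlag=no, inserts the line at the end of the [general] section when it is missing, keeps a backup of the file and restarts the DSM SA Data Manager service. The service is looked up by the display name the page gives; everything else (backup file name, the refusal to edit a file without a [general] section) is this example's own choice.

```powershell
# Added example, not part of the CyberDrain component set. Implements the
# stsvc.ini edit described on the page; supports -WhatIf for a dry run.
function Set-NonDellCertifiedFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $IniPath,                                   # auto-detected when omitted
        [ValidateSet('yes', 'no')] [string] $Value = 'no'    # 'no' = stop alerting on non-Dell disks
    )
    if (-not $IniPath) {
        $IniPath = @(
            'C:\Program Files\Dell\SysMgt\sm\stsvc.ini',        # 64-bit OMSA (from the page)
            'C:\Program Files (x86)\Dell\SysMgt\sm\stsvc.ini'   # 32-bit OMSA (from the page)
        ) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    }
    if (-not $IniPath) { throw 'stsvc.ini not found; is OMSA 8.5.0 or newer installed?' }

    $lines = [System.Collections.Generic.List[string]]@(Get-Content -LiteralPath $IniPath)
    $flagIndex = -1; $generalIndex = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*\[general\]\s*$')        { $generalIndex = $i }
        if ($lines[$i] -match '^\s*NonDellCertifiedFlag\s*=') { $flagIndex = $i }
    }
    if ($generalIndex -lt 0) {
        throw "No [general] section in $IniPath; refusing to guess where the flag belongs"
    }

    if ($flagIndex -ge 0) {
        # The page warns the flag is only honored after the [general] lines.
        if ($flagIndex -lt $generalIndex) {
            throw 'NonDellCertifiedFlag appears before [general] and will not be honored; move it manually'
        }
        $lines[$flagIndex] = "NonDellCertifiedFlag=$Value"
    } else {
        # Insert at the end of the [general] section (before the next [section] header).
        $insertAt = $generalIndex + 1
        while ($insertAt -lt $lines.Count -and $lines[$insertAt] -notmatch '^\s*\[') { $insertAt++ }
        $lines.Insert($insertAt, "NonDellCertifiedFlag=$Value")
        $lines.Insert($insertAt, ';nonDellCertified flag for blocking all non-dell certified alerts.')
    }

    if ($PSCmdlet.ShouldProcess($IniPath, "Set NonDellCertifiedFlag=$Value")) {
        Copy-Item -LiteralPath $IniPath -Destination "$IniPath.bak" -Force   # rollback copy
        Set-Content -LiteralPath $IniPath -Value $lines -Encoding Ascii
        # Display name from the page; the underlying service name is resolved at run time.
        Get-Service -DisplayName 'DSM SA Data Manager' | Restart-Service -Force
    }
}

# Usage: Set-NonDellCertifiedFlag -WhatIf   (dry run), then Set-NonDellCertifiedFlag
```

Run it with -WhatIf first: it performs all the parsing and placement decisions and reports what it would write without touching the file or the service, which is the safest way to confirm the [general] section was found before changing a production server's monitoring behaviour.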


COMPONENT NAME:

Monitor DHCP Bad Lease Status

WHY USE THIS MONITORING SET:

If you would like to monitor the DHCP bad leases in a network.

DHCP bad leases are often caused by devices configured with a static IP inside the DHCP pool. This can cause ARP or other network issues that will impact performance.

HOW DOES IT WORK:

The component executes the PowerShell command “Get-DhcpServerv4Scope | Get-DhcpServerv4Lease”. This gives a complete overview of the current DHCP leases on the network.

Any lease whose address state does not match “Active” will generate an alert. Leases in the ReservationActive or ReservationInactive state therefore do not generate alerts.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Microsoft DHCP server installed.


COMPONENT NAME:

Monitor DHCP Lease Count

WHY USE THIS MONITORING SET:

If you would like to monitor the DHCP lease count in a network.

When you have a small lease scope and many devices, it is best to monitor the DHCP scope in case it runs out. This monitoring also helps in the case of a DHCP broadcast storm, as the DHCP scope will fill rapidly.

HOW DOES IT WORK:

The component executes the PowerShell command “Get-DhcpServerv4ScopeStatistics”. This gives a complete overview of the current DHCP leases on the network.

Any scope that falls below the number you defined will fill the alert text.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Microsoft DHCP server installed.
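The script below is an added example, not the CyberDrain components, and covers both DHCP pages above: the bad-lease filter and the scope-count threshold. Both checks are written as functions over objects shaped like the output of the cmdlets the pages name, and the lease and statistics records embedded in the script are constructed sample data; the MinimumFree variable name is an assumption. The lease filter uses a wildcard match on "Active", which is the one reading of the page under which plain Active leases and both reservation states stay quiet.

```powershell
# Added example, not the CyberDrain components. Pure evaluation functions plus
# constructed sample records; the live cmdlets are noted where they would go.
function Get-BadDhcpLease {
    param([Parameter(Mandatory)] [object[]] $Leases)
    # Wildcard on "Active" keeps Active, ReservationActive and ReservationInactive
    # quiet (the page's stated behaviour) while Declined (BAD_ADDRESS), Expired and
    # Offered leases are reported.
    return @($Leases | Where-Object { $_.AddressState -notlike '*Active*' })
}

function Get-ScopeBelowThreshold {
    param(
        [Parameter(Mandatory)] [object[]] $ScopeStats,
        [Parameter(Mandatory)] [int] $MinimumFree     # alert when fewer addresses are free
    )
    return @($ScopeStats | Where-Object { $_.Free -lt $MinimumFree })
}

# Constructed sample data, shaped like Get-DhcpServerv4Lease and
# Get-DhcpServerv4ScopeStatistics output.
$sampleLeases = @(
    [pscustomobject]@{ IPAddress = '10.0.0.20'; ClientId = 'aa-bb-cc-00-00-01'; AddressState = 'Active' }
    [pscustomobject]@{ IPAddress = '10.0.0.21'; ClientId = 'aa-bb-cc-00-00-02'; AddressState = 'ReservationActive' }
    [pscustomobject]@{ IPAddress = '10.0.0.22'; ClientId = 'aa-bb-cc-00-00-03'; AddressState = 'ReservationInactive' }
    [pscustomobject]@{ IPAddress = '10.0.0.23'; ClientId = 'BAD_ADDRESS';       AddressState = 'Declined' }
)
$sampleStats = @(
    [pscustomobject]@{ ScopeId = '10.0.0.0'; Free = 3;   InUse = 250; PercentageInUse = 98.8 }
    [pscustomobject]@{ ScopeId = '10.0.1.0'; Free = 120; InUse = 130; PercentageInUse = 52.0 }
)

$minFree = if ([string]::IsNullOrWhiteSpace($env:MinimumFree)) { 10 } else { [int]$env:MinimumFree }

# Live: $bad  = Get-BadDhcpLease -Leases @(Get-DhcpServerv4Scope | Get-DhcpServerv4Lease)
#       $full = Get-ScopeBelowThreshold -ScopeStats @(Get-DhcpServerv4ScopeStatistics) -MinimumFree $minFree
$bad  = Get-BadDhcpLease -Leases $sampleLeases
$full = Get-ScopeBelowThreshold -ScopeStats $sampleStats -MinimumFree $minFree

if ($bad.Count -or $full.Count) {
    $bad  | ForEach-Object { Write-Output "Bad lease: $($_.IPAddress) ($($_.ClientId)) state $($_.AddressState)" }
    $full | ForEach-Object { Write-Output "Scope $($_.ScopeId) has only $($_.Free) free addresses ($($_.PercentageInUse)% in use)" }
    exit 1      # assumed alert signal for the RMM
}
Write-Output 'Healthy'
```

For the sample data this reports one bad lease (the Declined BAD_ADDRESS entry, the signature of a static IP colliding with the pool) and one scope (10.0.0.0 with three free addresses against a minimum of ten). A broadcast storm shows up as the second condition with a steeply rising PercentageInUse, which is why that figure is included in the alert text.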


COMPONENT NAME:

Monitor Forbidden Users

WHY USE THIS MONITORING SET:

If you would like to monitor which users are logged in, and alert on users that you do not want to be logged in.

Monitoring users is a standard security practice. You never want users such as “Administrator” logged into servers directly, but always a named account equivalent. You can also use this set to alert on (ex-)employees who are logged into servers directly and forgot to log out.

HOW DOES IT WORK:

The component executes a PowerShell command to get all users logged into all sessions. This means this monitoring set also alerts on any services that have the account configured as their credentials.

You can enter any name as the account to monitor, without the domain name, but you cannot use wildcards.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.
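The script below is an added example and not the CyberDrain component. It follows the page's description in two steps: collect the accounts behind every logon session plus the accounts services run as, then compare the bare user names (no domain part, no wildcards) with the forbidden list. The ForbiddenUsers variable name and the comma-separated format are assumptions; the logon and service records at the bottom are constructed so the comparison can be exercised without a live host.

```powershell
# Added example, not the CyberDrain component. $env:ForbiddenUsers is an assumed
# comma-separated list of account names without the domain part.
function Get-ForbiddenLogon {
    param(
        [Parameter(Mandatory)] [string[]] $ForbiddenUsers,
        # Bare account names currently logged on (from Get-CurrentLogonNames)
        [AllowEmptyCollection()] [string[]] $LoggedOnUsers = @(),
        # Objects with Name and StartName, shaped like Win32_Service
        [AllowEmptyCollection()] [object[]] $Services = @()
    )
    $hits = @()
    foreach ($user in ($LoggedOnUsers | Sort-Object -Unique)) {
        if ($ForbiddenUsers -contains $user) { $hits += "Session: $user is logged on" }   # -contains is case-insensitive
    }
    foreach ($svc in $Services) {
        # StartName is "DOMAIN\user", ".\user", "user@domain" or a built-in like LocalSystem;
        # keep only the user part so the comparison matches the page's "no domain name" rule.
        $account = if ($svc.StartName -match '^(?:[^\\]+\\)?([^@]+)(?:@.*)?$') { $Matches[1] } else { $svc.StartName }
        if ($ForbiddenUsers -contains $account) { $hits += "Service: $($svc.Name) runs as $($svc.StartName)" }
    }
    return $hits
}

function Get-CurrentLogonNames {
    # Win32_LoggedOnUser links every logon session to its account; Antecedent is the account.
    return @(Get-CimInstance Win32_LoggedOnUser | ForEach-Object { $_.Antecedent.Name })
}

$forbidden = @('Administrator', 'svc_legacy')            # constructed default for the example
if (-not [string]::IsNullOrWhiteSpace($env:ForbiddenUsers)) {
    $forbidden = $env:ForbiddenUsers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Constructed sample input standing in for the live collectors:
#   Get-CurrentLogonNames   and   Get-CimInstance Win32_Service | Select-Object Name, StartName
$sampleLogons   = @('jdoe', 'Administrator', 'SYSTEM')
$sampleServices = @(
    [pscustomobject]@{ Name = 'Spooler'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'AppSvc';  StartName = 'CORP\svc_legacy' }
)

$findings = @(Get-ForbiddenLogon -ForbiddenUsers $forbidden -LoggedOnUsers $sampleLogons -Services $sampleServices)
if ($findings.Count) {
    $findings | Write-Output          # sample yields one session hit and one service hit
    exit 1                            # assumed alert signal for the RMM
}
Write-Output 'Healthy'
```

Reporting the service name alongside the account matters for triage: a forbidden account that only appears as a service identity is a configuration debt to fix, whereas the same account in an interactive session is someone to talk to right now.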


COMPONENT NAME:

Monitor Hyper-V Replication

WHY USE THIS MONITORING SET:

If you would like to monitor the Hyper-V replication state, as not monitoring this can cause disaster recovery scenarios to fail.

Hyper-V Replica is a free disaster recovery tool in Hyper-V 3.0 that creates and maintains copies of virtual machines (VMs). In the event of a catastrophic loss, an administrator can fail over to the replica VMs and provide business continuity.

HOW DOES IT WORK:

The component executes a PowerShell command that returns information about the current Hyper-V VMs with a replication relationship. If the replication relationship is in any state but healthy, it will generate an alert.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Hyper-V role installed


COMPONENT NAME:

Monitor Hyper-V Snapshot status

WHY USE THIS MONITORING SET:

If you would like to monitor the Hyper-V snapshot status. Hyper-V snapshots can be used to quickly move back to a previous state, but running production servers on snapshots is not advised or supported by Microsoft.

HOW DOES IT WORK:

The component executes a PowerShell command that returns all VMs with a snapshot. This set alerts only when a snapshot reaches the age you have defined in days.

If you would like to alert on less than a day, you can enter a value such as 0.5 for 12 hours.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Hyper-v role installed.
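The script below is an added example (not the CyberDrain components) covering the two Hyper-V pages above: replication health and snapshot age, including the fractional-day threshold the snapshot page mentions. It assumes the Hyper-V PowerShell module on the host and an environment variable named MaxSnapshotAgeDays; the one-snapshot sample used to show the 0.5-day case is constructed.

```powershell
# Added example, not the CyberDrain components. Assumes the Hyper-V module;
# $env:MaxSnapshotAgeDays is an assumed variable name (fractions allowed).
Import-Module Hyper-V -ErrorAction Stop

function Get-UnhealthyReplication {
    param([AllowEmptyCollection()] [object[]] $Replications = @())
    # Health is Normal, Warning or Critical; anything but Normal alerts, as the page states.
    return @($Replications | Where-Object { $_.Health -ne 'Normal' } |
        ForEach-Object { "$($_.VMName): replication $($_.State), health $($_.Health)" })
}

function Get-OldSnapshot {
    param(
        [AllowEmptyCollection()] [object[]] $Snapshots = @(),
        [Parameter(Mandatory)] [double] $MaxAgeDays,
        [datetime] $Now = (Get-Date)
    )
    # AddDays accepts fractions, so 0.5 means "older than 12 hours".
    $cutoff = $Now.AddDays(-$MaxAgeDays)
    return @($Snapshots | Where-Object { $_.CreationTime -lt $cutoff } |
        ForEach-Object { "$($_.VMName): snapshot '$($_.Name)' created $($_.CreationTime)" })
}

# Constructed sample: a 36-hour-old snapshot evaluated against a 0.5-day threshold.
$sampleSnapshot = [pscustomobject]@{ VMName = 'web01'; Name = 'pre-patch'; CreationTime = (Get-Date).AddHours(-36) }
Get-OldSnapshot -Snapshots @($sampleSnapshot) -MaxAgeDays 0.5     # one finding
Get-OldSnapshot -Snapshots @($sampleSnapshot) -MaxAgeDays 2       # none

$maxAge = if ([string]::IsNullOrWhiteSpace($env:MaxSnapshotAgeDays)) { 1 } else { [double]$env:MaxSnapshotAgeDays }

$findings = @()
$findings += Get-UnhealthyReplication -Replications @(Get-VMReplication -ErrorAction SilentlyContinue)
$findings += Get-OldSnapshot -Snapshots @(Get-VMSnapshot -VMName * -ErrorAction SilentlyContinue) -MaxAgeDays $maxAge
if ($findings.Count) {
    $findings | Write-Output
    exit 1          # assumed alert signal for the RMM
}
Write-Output 'Healthy'
```

The replication check deliberately reports State next to Health: a Health of Warning with State still Replicating usually means the replica is lagging, while Critical with a Suspended state means nothing has been copied since the last resync, and the two call for different responses.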


COMPONENT NAME:

Monitor IIS SSL Certificates [WIN]

WHY USE THIS MONITORING SET:

If you would like to monitor the expiry date of SSL certificates attached to an IIS binding.

HOW DOES IT WORK:

The component executes a PowerShell command that returns only the IIS websites with a binding on HTTPS. This component alerts based on the number of days you have set. If the certificate has already expired, this set will alert as well.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• At least one active IIS binding/IIS installed.
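As an added example that is not the CyberDrain component, the script below walks the HTTPS bindings the page describes, resolves each binding's certificate from the local machine store and reports certificates that are within the warning window or already expired. It assumes the WebAdministration module and an environment variable named DaysBeforeExpiry.

```powershell
# Added example, not the CyberDrain component. Assumes the WebAdministration
# module; $env:DaysBeforeExpiry is an assumed variable name.
Import-Module WebAdministration -ErrorAction Stop

function Get-ExpiringBindingCertificate {
    param(
        # Objects with bindingInformation, certificateHash, certificateStoreName (Get-WebBinding shape)
        [AllowEmptyCollection()] [object[]] $Bindings = @(),
        [Parameter(Mandatory)] [int] $WarnDays,
        [datetime] $Now = (Get-Date)
    )
    $results = foreach ($b in $Bindings) {
        if (-not $b.certificateHash) {
            "$($b.bindingInformation): HTTPS binding without a certificate"
            continue
        }
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert = Get-Item -Path "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
        if (-not $cert) {
            "$($b.bindingInformation): certificate $($b.certificateHash) not found in LocalMachine\$store"
            continue
        }
        # Negative for an already expired certificate, so the same comparison alerts on both cases.
        $daysLeft = [math]::Floor(($cert.NotAfter - $Now).TotalDays)
        if ($daysLeft -le $WarnDays) {
            "$($b.bindingInformation): '$($cert.Subject)' expires $($cert.NotAfter.ToString('yyyy-MM-dd')) ($daysLeft days left)"
        }
    }
    return @($results)
}

$warnDays = if ([string]::IsNullOrWhiteSpace($env:DaysBeforeExpiry)) { 30 } else { [int]$env:DaysBeforeExpiry }
$bindings = @(Get-WebBinding -Protocol https)
if ($bindings.Count -eq 0) {
    Write-Output 'No HTTPS bindings found'
    exit 0
}
$findings = Get-ExpiringBindingCertificate -Bindings $bindings -WarnDays $warnDays
if ($findings.Count) {
    $findings | Write-Output
    exit 1          # assumed alert signal for the RMM
}
Write-Output 'Healthy'
```

A binding whose certificate hash no longer resolves in the store is reported as its own finding rather than skipped: that is exactly the state left behind when a certificate is renewed in the store but the IIS binding is never rebound, and it fails the same way an expired certificate does.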


COMPONENT NAME:

Monitor Network Location Awareness

WHY USE THIS MONITORING SET:

If you would like to monitor the current network location awareness state of the workstation or server.

Windows computers have a system for detecting internet connectivity known as Network Location Awareness (NLA). It controls many aspects of how Windows categorizes internet connections, such as whether to assign networks the private or public profile, or the domain profile. Network Location Awareness issues can result in incorrect DNS resolution, non-working multi-factor authentication requests and problems connecting to domain resources.

HOW DOES IT WORK:

The component executes a PowerShell command that returns the network configuration of the currently active network adapters. The script then checks whether these are in a domain environment and, if so, whether the profile is Domain Authenticated.

SYSTEM REQUIREMENTS:

• Server 2012 or higher

• Windows 8.1 or higher
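The script below is an added example, not the CyberDrain component, applying the rule the page states: on a domain-joined machine every active connection profile should be DomainAuthenticated, and on a workgroup machine there is nothing to enforce. It uses Get-NetConnectionProfile for the active adapters and Win32_ComputerSystem for the domain-membership test.

```powershell
# Added example, not the CyberDrain component.
function Test-NetworkLocation {
    param(
        [Parameter(Mandatory)] [bool] $PartOfDomain,
        # Objects with InterfaceAlias and NetworkCategory (Get-NetConnectionProfile shape)
        [AllowEmptyCollection()] [object[]] $Profiles = @()
    )
    if (-not $PartOfDomain) { return @() }      # workgroup machine: no domain profile expected
    return @($Profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } |
        ForEach-Object { "$($_.InterfaceAlias): profile is $($_.NetworkCategory), expected DomainAuthenticated" })
}

# Constructed sample: a domain member whose Wi-Fi adapter was classified before the DC was reachable.
$sampleProfiles = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet'; NetworkCategory = 'DomainAuthenticated' }
    [pscustomobject]@{ InterfaceAlias = 'Wi-Fi';    NetworkCategory = 'Public' }
)
Test-NetworkLocation -PartOfDomain $true -Profiles $sampleProfiles    # one finding (Wi-Fi)

$partOfDomain = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain
$profiles     = @(Get-NetConnectionProfile)      # only adapters that are up and have connectivity
$findings = Test-NetworkLocation -PartOfDomain $partOfDomain -Profiles $profiles
if ($findings.Count) {
    $findings | Write-Output
    exit 1          # assumed alert signal for the RMM
}
Write-Output 'Healthy'
```

The Public profile on a domain member is the case worth alerting on: the firewall applies its most restrictive rule set, so domain services such as remote management and group policy refresh silently stop working even though the machine has full connectivity.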


COMPONENT NAME:

Monitor New Domain Users

WHY USE THIS MONITORING SET:

If you would like to monitor any users created in your domain environment. When a user is created in your domain(s), you often need to be aware that this user exists, document it, and process possible licensing requirements. Also, in most cases bad actors that have penetrated your systems will create user accounts for permanent access as soon as they are logged in. Monitoring this prevents further damage from these bad actors.

HOW DOES IT WORK:

The component executes a PowerShell command that returns all domain users which have been created in the past day.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Active Directory Domain Services


COMPONENT NAME:

Monitor Privileged Group Changes

WHY USE THIS MONITORING SET:

If you would like to monitor any users added to any protected or privileged group in your domain.

"Privileged" accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.

HOW DOES IT WORK:

The component executes a PowerShell command that returns all groups, and the changes made to these groups. The system will alert both on users being added to these groups and on users being removed.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Active Directory Domain Services
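The script below is an added example, not the CyberDrain components, and implements both Active Directory checks described on the two pages above with the ActiveDirectory module: users created in the past day, and additions to or removals from privileged groups. Which groups count as privileged, and how their changes are read, are this example's assumptions: it takes the groups carrying adminCount=1 (the AdminSDHolder-protected set) and reads the replication metadata of their member attribute, where each linked value carries its own change time and, for a removed member, a delete time.

```powershell
# Added example, not the CyberDrain components. Assumes the ActiveDirectory
# module and a one-day window; adminCount=1 as the "privileged" selector and the
# use of replication metadata are this example's choices.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-RecentlyCreatedUser {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    return @(Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, Enabled |
        Select-Object SamAccountName, DistinguishedName, whenCreated, Enabled)
}

function Get-PrivilegedGroupMembershipChange {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    # Ask one DC so the metadata is read from a single consistent replica.
    $dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
    $groups = Get-ADGroup -Filter { adminCount -eq 1 }
    $changes = foreach ($g in $groups) {
        Get-ADReplicationAttributeMetadata -Object $g.DistinguishedName -Server $dc -ShowAllLinkedValues |
            Where-Object { $_.AttributeName -eq 'member' } |
            ForEach-Object {
                # A removed member keeps its linked value with LastOriginatingDeleteTime set;
                # an active member has it empty (or the 1601 epoch).
                $removed = $_.LastOriginatingDeleteTime -and $_.LastOriginatingDeleteTime.Year -gt 1601
                $when = if ($removed) { $_.LastOriginatingDeleteTime } else { $_.LastOriginatingChangeTime }
                if ($when -ge $Since) {
                    [pscustomobject]@{
                        Group  = $g.Name
                        Member = $_.AttributeValue
                        Action = if ($removed) { 'Removed' } else { 'Added' }
                        When   = $when
                    }
                }
            }
    }
    return @($changes)
}

$newUsers = Get-RecentlyCreatedUser
$changes  = Get-PrivilegedGroupMembershipChange
if ($newUsers.Count -or $changes.Count) {
    $newUsers | ForEach-Object { Write-Output "New user: $($_.SamAccountName) created $($_.whenCreated) (enabled: $($_.Enabled))" }
    $changes  | ForEach-Object { Write-Output "$($_.Action) $($_.Member) in $($_.Group) at $($_.When)" }
    exit 1          # assumed alert signal for the RMM
}
Write-Output 'Healthy'
```

Reading the member attribute's replication metadata, rather than comparing a saved member list, means a member that was added and removed again inside the window is still reported (the delete time is within the window), which is the pattern to expect from someone borrowing group membership briefly.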


COMPONENT NAME:

Monitor RDS Encryption Level

WHY USE THIS MONITORING SET:

If you would like to monitor the encryption level on your Remote Desktop Servers. The RDS encryption level is used to define whether a connecting client can make a connection without SSL.

HOW DOES IT WORK:

The component executes a PowerShell command that returns all session collections with their encryption level settings.

The alert is generated when the encryption level is not set to High.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• One Active RDS deployment


COMPONENT NAME:

Monitor RDS License Mode

WHY USE THIS MONITORING SET:

If you would like to monitor the licensing mode used by your Remote Desktop Servers. Monitoring this prevents issues with users not being able to log on due to licensing server problems.

HOW DOES IT WORK:

The component executes a PowerShell command that returns the licensing mode of the Remote Desktop Server.

If the Remote Desktop Server is not set to the preference set in the alerting options, the server will generate an alert. For example, if “Per license” has been selected to monitor but “NotConfigured” is the actual license state, the component will return the error.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• One Active RDS deployment


COMPONENT NAME:

Monitor RDS Network Level Authentication

WHY USE THIS MONITORING SET:

If you would like to monitor the Network Level Authentication mode on your Remote Desktop Services deployments.

Network Level Authentication (NLA) is a technology used in Remote Desktop Services (RDP Server) or Remote Desktop Connection (RDP Client) that requires the connecting user to authenticate themselves before a session is established with the server.

Originally, if a user opened an RDP (remote desktop) session to a server, it would load the login screen from the server for the user. This used up resources on the server and was a potential area for denial-of-service attacks as well as remote code execution attacks (see BlueKeep). Network Level Authentication delegates the user's credentials from the client through a client-side Security Support Provider and prompts the user to authenticate before establishing a session on the server.

Network Level Authentication was introduced in RDP 6.0 and supported initially in Windows Vista. It uses the new Security Support Provider, CredSSP, which is available through SSPI in Windows Vista. With Windows XP Service Pack 3, CredSSP was introduced on that platform and the included RDP 6.1 Client supports NLA; however, CredSSP must be enabled in the registry first.

HOW DOES IT WORK:

The component executes a PowerShell command that returns all session collections with the NLA setting.

The alert is generated when NLA is not enabled in the session deployment settings.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• One Active RDS deployment


COMPONENT NAME:

Monitor RDS Security Layer

WHY USE THIS MONITORING SET:

If you would like to monitor the RDS Security Layer mode on your Remote Desktop Services deployments. The RDS Security Layer tells the client and server to only allow connections made through a fully TLS-encrypted connection.

HOW DOES IT WORK:

The component executes a PowerShell command that returns all session collections with the Security Layer setting set to anything but “Negotiate” or “SSL”.

The alert is generated when the Security Layer setting is set to anything other than the values above.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• One Active RDS deployment
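The script below is an added example (not the CyberDrain components) that evaluates the four RDS settings described on the preceding pages in one pass: encryption level, license mode, Network Level Authentication and security layer. The CyberDrain components read the session-collection configuration; this example instead reads the per-host RDP-Tcp listener settings through the Win32_TSGeneralSetting WMI class (MinEncryptionLevel, SecurityLayer and UserAuthenticationRequired) and the license mode through Get-RDLicenseConfiguration, which is a different but equivalent vantage point. The expected license mode arrives in an assumed variable named ExpectedLicenseMode.

```powershell
# Added example, not the CyberDrain components. Listener settings come from
# Win32_TSGeneralSetting (root\cimv2\TerminalServices); $env:ExpectedLicenseMode is an assumed name.
function Test-RdsHardening {
    param(
        # Object with MinEncryptionLevel, SecurityLayer, UserAuthenticationRequired
        [Parameter(Mandatory)] [object] $Listener,
        [string] $LicenseMode,
        [string] $ExpectedLicenseMode
    )
    $encNames   = @{ 1 = 'Low'; 2 = 'ClientCompatible'; 3 = 'High'; 4 = 'FIPS' }
    $layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL' }
    $findings = @()
    # Encryption level: the page alerts on anything other than High. FIPS (4) is
    # stricter than High and is accepted here for that reason.
    if ([int]$Listener.MinEncryptionLevel -lt 3) {
        $findings += "Encryption level is $($encNames[[int]$Listener.MinEncryptionLevel]); expected High"
    }
    # Security layer: Negotiate or SSL (TLS) are acceptable; legacy RDP security is not.
    if ([int]$Listener.SecurityLayer -notin @(1, 2)) {
        $findings += "Security layer is $($layerNames[[int]$Listener.SecurityLayer]); expected Negotiate or SSL"
    }
    # NLA: the user must authenticate before a session is created.
    if ([int]$Listener.UserAuthenticationRequired -ne 1) {
        $findings += 'Network Level Authentication is not required'
    }
    if ($ExpectedLicenseMode -and $LicenseMode -ne $ExpectedLicenseMode) {
        $findings += "License mode is $LicenseMode; expected $ExpectedLicenseMode"
    }
    return $findings
}

# Constructed sample: a listener still on legacy RDP security without NLA.
$sampleListener = [pscustomobject]@{ MinEncryptionLevel = 2; SecurityLayer = 0; UserAuthenticationRequired = 0 }
Test-RdsHardening -Listener $sampleListener -LicenseMode 'NotConfigured' -ExpectedLicenseMode 'PerUser'   # four findings

$listener = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) {
    Write-Output 'RDP-Tcp listener not found'
    exit 1
}
$licenseMode = try { [string](Get-RDLicenseConfiguration -ErrorAction Stop).Mode } catch { 'Unknown' }
$findings = @(Test-RdsHardening -Listener $listener -LicenseMode $licenseMode -ExpectedLicenseMode $env:ExpectedLicenseMode)
if ($findings.Count) {
    $findings | Write-Output
    exit 1          # assumed alert signal for the RMM
}
Write-Output 'Healthy'
```

Checking the listener rather than only the session collection catches the case the BlueKeep discussion above is about: a server removed from the deployment, or never part of one, still exposes the RDP-Tcp listener with whatever settings it last had, and the collection-level cmdlets do not see it.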


COMPONENT NAME:

Monitor Scheduled Task Creation

WHY USE THIS MONITORING SET:

If you would like to monitor the creation of any task in the task scheduler. The task scheduler is used by both

Malware developers and bad actors to keep access to a system after they are discovered.

Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.

A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.

HOW DOES IT WORK:

The component executes a command that returns all available tasks, with a creation day of today. If any task is

found the content of the tasks is looked at to determine the command line that will be ran by the task

The alert is generated when a task is found and will contain the name of the command that will run.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Windows 8.1 and higher.
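As an added example that is not the CyberDrain component, the script below lists scheduled tasks whose stored creation date is today and extracts the command line each one would execute, which is what the page says the alert text contains. It works on objects shaped like Get-ScheduledTask output, using the task's Date field (the registration timestamp from the task XML) and the Execute and Arguments properties of its actions; the two tasks embedded in the script are constructed sample data.

```powershell
# Added example, not the CyberDrain component. Operates on Get-ScheduledTask-shaped
# objects; the sample tasks below are constructed.
function Get-TaskCreatedOn {
    param(
        [AllowEmptyCollection()] [object[]] $Tasks = @(),
        [datetime] $Day = (Get-Date).Date
    )
    $found = foreach ($t in $Tasks) {
        # Date is the creation/registration timestamp from the task XML; it can be empty
        # for tasks registered without one, which are skipped here.
        if (-not $t.Date) { continue }
        $created = $null
        if (-not [datetime]::TryParse([string]$t.Date, [ref]$created)) { continue }
        if ($created.Date -ne $Day) { continue }
        $commands = foreach ($a in $t.Actions) {
            # Exec actions expose Execute and Arguments; COM-handler actions have no command line.
            if ($a.Execute) { ("$($a.Execute) $($a.Arguments)").Trim() } else { '<non-exec action>' }
        }
        [pscustomobject]@{
            Task    = "$($t.TaskPath)$($t.TaskName)"
            Author  = $t.Author
            Created = $created
            Command = ($commands -join ' ; ')
        }
    }
    return @($found)
}

# Constructed sample standing in for @(Get-ScheduledTask) on a live host.
$sampleTasks = @(
    [pscustomobject]@{
        TaskName = 'Updater'; TaskPath = '\'; Author = 'CORP\jdoe'
        Date     = (Get-Date).ToString('s')
        Actions  = @([pscustomobject]@{ Execute = 'powershell.exe'; Arguments = '-NoProfile -File C:\Temp\update.ps1' })
    }
    [pscustomobject]@{
        TaskName = 'OldJob'; TaskPath = '\Microsoft\'; Author = 'SYSTEM'
        Date     = '2019-01-01T08:00:00'
        Actions  = @([pscustomobject]@{ Execute = 'cmd.exe'; Arguments = '/c echo old' })
    }
)

$new = Get-TaskCreatedOn -Tasks $sampleTasks        # live: Get-TaskCreatedOn -Tasks @(Get-ScheduledTask)
if ($new.Count) {
    $new | ForEach-Object { Write-Output "New task $($_.Task) by $($_.Author): $($_.Command)" }   # sample: Updater only
    exit 1          # assumed alert signal for the RMM
}
Write-Output 'Healthy'
```

The author and full command line are both carried into the alert because they decide the triage: a task created by a deployment account running a known installer is noise, while a task created by an interactive user that launches an interpreter with a script in a temporary folder is the case the page is warning about.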


COMPONENT NAME:

Monitor Hyper-V Integration Services State

WHY USE THIS MONITORING SET:

To monitor the status of the Hyper-V Integration Services. When moving virtual machines across newer or older hosts, the Integration Services often do not match the exact version of the host. Keeping them matched is strongly advised, as the Integration Services include not only guest services such as backup, but all Windows Hyper-V virtual machine drivers. Having the correct version installed makes sure that the performance of each virtual machine is maximized.

HOW DOES IT WORK:

The component requests all information from the WMI namespace “root\virtualization\v2”, class Msvm_VirtualSystemManagementService, which contains the current information about all running virtual machines, including the virtual machine Integration Services update status.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher


COMPONENT NAME:

Monitor Office Click2Run Channel

WHY USE THIS MONITORING SET:

To monitor which channel the ClickToRun Office installation is in. You want to monitor this to force the correct type of updates on every client machine. Users or applications can sometimes force your Office installation into the incorrect channel, causing instability.

HOW DOES IT WORK:

The component requests all information from the registry key “HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration”. This key contains all data regarding the currently installed version of Office ClickToRun. If the key is not found, it most likely means that the installed Office version is an MSI-based version and does not support channel switching. In this case the component will alert that no C2R is installed.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher

• Windows 8.1 and higher


COMPONENT NAME:

Monitor Office Click2Run Version

WHY USE THIS MONITORING SET:

To monitor which version of the ClickToRun Office installation is currently installed. Windows Update does not perform updates for the ClickToRun version of Office, and as such you must monitor this separately if you would like to be able to react to an out-of-date installation.

HOW DOES IT WORK:

The component requests all information from the registry key “HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration”. This key contains all data regarding the currently installed version of Office ClickToRun. If the key is not found, it most likely means that the installed Office version is an MSI-based version and will be updated via Windows Update.

If the current installation is lower than the minimum set, it will alert. If it is higher, the component will not alert.

The information for Office versions can be found at https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher

• Windows 8.1 and higher
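The script below is an added example, not the CyberDrain components, serving both Office ClickToRun pages above: it reads the Configuration registry key they name and derives the update channel (from the CDNBaseUrl value) and the installed version (from VersionToReport), then evaluates both against expectations. The channel identifiers are Microsoft's published CDN GUIDs for the Click-to-Run channels and should be checked against current Microsoft documentation before relying on them; the MinimumVersion and ExpectedChannel variable names are assumptions.

```powershell
# Added example, not the CyberDrain components. Registry key from the page;
# $env:MinimumVersion and $env:ExpectedChannel are assumed variable names.
$channelByGuid = @{
    # Published Click-to-Run CDN channel identifiers (verify against current Microsoft docs)
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'Monthly Enterprise Channel'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Enterprise Channel'
    'b8f9b850-328d-4355-9145-c59439a0c4ff' = 'Semi-Annual Enterprise Channel (Preview)'
    '64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'Current Channel (Preview)'
}

function Get-OfficeC2RState {
    param([string] $KeyPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration')
    $cfg = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $cfg) { return $null }        # no C2R key: MSI-based Office, or no Office at all
    $guid = if ($cfg.CDNBaseUrl -match '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})') { $Matches[1] } else { '' }
    return [pscustomobject]@{
        Version  = [version]$cfg.VersionToReport
        Channel  = if ($channelByGuid.ContainsKey($guid)) { $channelByGuid[$guid] } else { "Unknown ($($cfg.CDNBaseUrl))" }
        Platform = $cfg.Platform
    }
}

function Test-OfficeC2R {
    param(
        [object] $State,                 # output of Get-OfficeC2RState, or $null
        [string] $MinimumVersion,        # e.g. '16.0.12527.20278'; empty = no version check
        [string] $ExpectedChannel        # e.g. 'Semi-Annual Enterprise Channel'; empty = no channel check
    )
    if (-not $State) { return @('No Click-to-Run installation found (MSI-based Office or none installed)') }
    $findings = @()
    if ($MinimumVersion -and $State.Version -lt [version]$MinimumVersion) {
        $findings += "Office $($State.Version) is below the minimum $MinimumVersion"
    }
    if ($ExpectedChannel -and $State.Channel -ne $ExpectedChannel) {
        $findings += "Office is on '$($State.Channel)'; expected '$ExpectedChannel'"
    }
    return $findings
}

# Constructed sample: an installation on the preview channel, below the required build.
$sampleState = [pscustomobject]@{ Version = [version]'16.0.12430.20288'; Channel = 'Current Channel (Preview)'; Platform = 'x64' }
Test-OfficeC2R -State $sampleState -MinimumVersion '16.0.12527.20278' -ExpectedChannel 'Semi-Annual Enterprise Channel'   # two findings

$state    = Get-OfficeC2RState
$findings = @(Test-OfficeC2R -State $state -MinimumVersion $env:MinimumVersion -ExpectedChannel $env:ExpectedChannel)
if ($findings.Count) {
    $findings | Write-Output
    exit 1          # assumed alert signal for the RMM
}
Write-Output "Healthy: Office $($state.Version) on $($state.Channel)"
```

Comparing [version] objects rather than strings is the detail that matters here: as plain text "16.0.9999.1" sorts after "16.0.12527.20278", so a string comparison would declare an old build current.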


COMPONENT NAME:

Monitor UPS Status

WHY USE THIS MONITORING SET:

To monitor USB connected UPS devices and see the current status of them.

HOW DOES IT WORK:

This component checks the WMI battery status and alerts when the status changes to “Running on battery”.

The complete diagnostic data also contains information about the battery state.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher

• Windows 8.1 and higher


COMPONENT NAME:

Monitor VSS Logs

WHY USE THIS MONITORING SET:

To monitor the event log for VSS error states. VSS can error out, causing backups to fail or generate warnings without the backup application triggering an alert status. Keeping VSS in a healthy state is key for consistent backups.

HOW DOES IT WORK:

This component checks the event log for any events relating to the VSS state in the last 2 hours. This component will trigger an alert when a VSS error is found or a warning is generated.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher

• Windows 8.1 and higher
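As an added example that is not the CyberDrain component, the script below queries the Application log for VSS errors and warnings in the two-hour window the page gives, and handles the case Get-WinEvent is known for: when nothing matches the filter it raises a "No events were found" error instead of returning an empty result.

```powershell
# Added example, not the CyberDrain component. Two-hour window from the page.
function Get-RecentVssEvent {
    param(
        [int] $Hours = 2,
        [datetime] $Now = (Get-Date)
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'VSS'
        Level        = 2, 3                 # 2 = Error, 3 = Warning
        StartTime    = $Now.AddHours(-$Hours)
    }
    # An empty match is reported by Get-WinEvent as an error; SilentlyContinue
    # turns it into an empty result rather than a failed monitor.
    return @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } })   # first line only
}

function Format-VssFinding {
    param([AllowEmptyCollection()] [object[]] $Events = @())
    if ($Events.Count -eq 0) { return 'Healthy' }
    $errors   = @($Events | Where-Object { $_.LevelDisplayName -eq 'Error' })
    $warnings = @($Events | Where-Object { $_.LevelDisplayName -eq 'Warning' })
    $lines = @("VSS reported $($errors.Count) error(s) and $($warnings.Count) warning(s) in the window")
    $lines += $Events | ForEach-Object { "$($_.TimeCreated) [$($_.LevelDisplayName)] event $($_.Id): $($_.Message)" }
    return ($lines -join "`n")
}

# Constructed sample, shaped like the selected event properties.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = (Get-Date).AddMinutes(-30); Id = 8193; LevelDisplayName = 'Error';   Message = 'Volume Shadow Copy Service error: Unexpected error calling routine ...' }
    [pscustomobject]@{ TimeCreated = (Get-Date).AddMinutes(-25); Id = 8230; LevelDisplayName = 'Warning'; Message = 'Volume Shadow Copy Service warning: Failed resolving account ...' }
)
Format-VssFinding -Events $sampleEvents       # two findings, summarised on the first line

$report = Format-VssFinding -Events (Get-RecentVssEvent -Hours 2)
Write-Output $report
if ($report -ne 'Healthy') { exit 1 }        # assumed alert signal for the RMM
```

Filtering on the provider name rather than searching message text keeps the check cheap on busy servers, and the summary line is emitted first so the alert is readable even when the RMM truncates long diagnostic output.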


COMPONENT NAME:

Monitor Windows 10 Feature Release ID

WHY USE THIS MONITORING SET:

To monitor and control which version of the Windows 10 release is currently installed on clients. Installing large releases often requires some form of intervention, and as such it is good to monitor which clients are not up to date on the latest feature pack.

HOW DOES IT WORK:

This component checks the registry for the current ReleaseId and alerts if this ID is lower than the value given during creation of this component.

SYSTEM REQUIREMENTS:

• Server 2016 and higher

• Windows 10 and higher
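The script below is an added example, not the CyberDrain component. It reads the ReleaseId value the page refers to and compares it with a minimum, with one caveat a practitioner will hit: from the 20H2 release onward Windows freezes ReleaseId at 2009 and publishes the marketing version (20H2, 21H2, ...) in the DisplayVersion value instead, so a check that only reads ReleaseId stops distinguishing releases. The example prefers DisplayVersion when present and maps both formats onto one ordering. The MinimumRelease variable name is an assumption.

```powershell
# Added example, not the CyberDrain component. $env:MinimumRelease is an assumed name
# and accepts either form ("1909" or "21H2").
function ConvertTo-ReleaseOrdinal {
    param([Parameter(Mandatory)] [string] $Release)
    # "YYHn" (21H2) -> YY*10 + n.  "YYMM" (1909, 2004) -> YY*10 + (1 if MM <= 6 else 2).
    # Both forms then order correctly against each other: 2004 (20H1) < 2009 == 20H2 < 21H1.
    if ($Release -match '^(\d{2})H([12])$') { return [int]$Matches[1] * 10 + [int]$Matches[2] }
    if ($Release -match '^(\d{2})(\d{2})$') {
        $half = if ([int]$Matches[2] -le 6) { 1 } else { 2 }
        return [int]$Matches[1] * 10 + $half
    }
    throw "Unrecognised release identifier '$Release'"
}

function Get-WindowsReleaseId {
    param([string] $KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    $cv = Get-ItemProperty -Path $KeyPath
    # DisplayVersion exists from 20H2 on and is the value that still moves; fall back to ReleaseId.
    if ($cv.DisplayVersion) { return [string]$cv.DisplayVersion }
    return [string]$cv.ReleaseId
}

function Test-ReleaseAtLeast {
    param([Parameter(Mandatory)] [string] $Installed, [Parameter(Mandatory)] [string] $Minimum)
    return (ConvertTo-ReleaseOrdinal $Installed) -ge (ConvertTo-ReleaseOrdinal $Minimum)
}

# Worked comparisons (no registry needed):
Test-ReleaseAtLeast -Installed '1909' -Minimum '2004'   # False
Test-ReleaseAtLeast -Installed '20H2' -Minimum '2004'   # True
Test-ReleaseAtLeast -Installed '2009' -Minimum '21H2'   # False: frozen ReleaseId reads as 20H2

$minimum   = if ([string]::IsNullOrWhiteSpace($env:MinimumRelease)) { '1909' } else { $env:MinimumRelease }
$installed = Get-WindowsReleaseId
if (-not (Test-ReleaseAtLeast -Installed $installed -Minimum $minimum)) {
    Write-Output "Windows release $installed is older than the required $minimum"
    exit 1          # assumed alert signal for the RMM
}
Write-Output "Healthy: release $installed"
```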


COMPONENT NAME:

Monitor Windows Search Database Size

WHY USE THIS MONITORING SET:

To monitor the current size of the Windows Search database. The Windows Search database on both servers and clients can grow to obscene sizes due to a bug in the way the database is created. The Windows Search database can also cause performance issues when its size increases exponentially.

This set can be applied to RDS servers as well, which often suffer from Windows Search issues due to the difficulties of handling a multi-user search database.

HOW DOES IT WORK:

This component checks the registry for the current location of the Windows Search database; it then monitors this file against the size given during creation of this component.

SYSTEM REQUIREMENTS:

• Server 2016 and higher

• Windows 10 and higher


COMPONENT NAME:

Monitor SolarWinds MSP Backup

WHY USE THIS MONITORING SET:

To monitor the last backups created by SolarWinds MSP backup.

HOW DOES IT WORK:

This component checks the logs folder of the SolarWinds MSP backup solution and grabs the latest log of the day. If no log for the current day can be found, it will alert.

If the log for the current day contains “[e]” (error), or if the backup window has been missed, the component will generate an alert.

SYSTEM REQUIREMENTS:

• Server 2016 and higher

• Windows 10 and higher


COMPONENT NAME:

Monitor iSCSI Connection Status

WHY USE THIS MONITORING SET:

To monitor the status of the currently configured iSCSI connections to the server.

The iSCSI protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into storage arrays while providing clients (such as database and web servers) with the illusion of locally attached SCSI disks.

HOW DOES IT WORK:

This component checks the current state of the iSCSI connections by running the iSCSI cmdlets. Any session that is in an error state such as “Reconnecting”, “error” or “Disconnected” will generate an alert. A session in a clean state such as “Not Connected” will not generate an alert.

SYSTEM REQUIREMENTS:

• Server 2016 and higher

• Windows 10 and higher


COMPONENT NAME:

Monitor Windows License Status

WHY USE THIS MONITORING SET:

To monitor the activation status of the Windows license on the monitored machine. When using Microsoft 365, computers can in some cases lose their authentication token and no longer be activated under the Windows 10 Enterprise M365 license. When client computers are upgraded, the license may also no longer be valid and will need to be replaced.

HOW DOES IT WORK:

This component queries the computer for its current licensing status and alerts whenever that status does not report the computer as activated.

SYSTEM REQUIREMENTS:

• Server 2016 and higher

• Windows 10 and higher


COMPONENT NAME:

Unifi Status Monitoring

• Monitor Unifi Device Health [WIN]

• Monitor Unifi Device status [WIN]

• Monitor Unifi STP status [WIN]

• Monitor Unifi upgrade status [WIN]

• Monitor Unifi WAN status [WIN]

WHY USE THIS MONITORING SET:

If you would like to monitor Ubiquiti Unifi services.

• Monitor Unifi Device Health [WIN]

o Monitors the health of devices, CPU/Memory/Temperature

• Monitor Unifi Device status [WIN]

o Monitors uptime status and online/offline status of all devices

• Monitor Unifi STP status [WIN]

o Monitors STP port loops on switches.

• Monitor Unifi upgrade status [WIN]

o Monitors if the device has an upgrade available

• Monitor Unifi WAN status [WIN]

o Monitors if all configured WAN ports are online.

HOW DOES IT WORK:

The component connects to the Unifi API and monitors on the controller side, not on the devices themselves. It creates API requests for each device. Due to API rate limiting it is advised to set the monitoring interval for these sets between 5 and 10 minutes. This set can only run on one device per client.

SETUP

• Enter all variables

• Enter the hostname of the device that will monitor the API. This feature has been built in to make sure not all devices alert at the same time, which would cause many tickets to be created.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Windows 10 and higher

• Unifi controller accessible from agent.

• Unifi read only user.


COMPONENT NAME:

Monitor Active Directory Recycle Bin

WHY USE THIS MONITORING SET:

If you would like to monitor the Active Directory Recycle Bin.

Active Directory now implements a true recycle bin. You no longer need an authoritative restore to recover deleted users, groups, OUs, or other objects. Instead, it is now possible to use PowerShell commands to bring back objects with all their attributes, backlinks, group memberships, and metadata. AD Recycle Bin (ADRB) is disabled on domains by default and needs to be activated manually.

HOW DOES IT WORK:

The component executes a PowerShell command that returns whether the forest has the Active Directory Recycle Bin enabled. If not, the set will generate an alert.

REMEDIATION

• Automatic remediation is available. The remediation script is called “Enable Active Directory Recyclebin [WIN]” and can be found in the ComStore.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Windows 10 and higher

• Domain Controller


COMPONENT NAME:

Monitor MegaRAID Physical Disk Status

WHY USE THIS MONITORING SET:

If you would like to monitor the MegaRAID Physical Disk status of a server.

LSI Corporation was an American company based in San Jose, California which designed semiconductors and software that accelerate storage and networking in data centers, mobile networks and client computing. On May 6, 2014, LSI Corporation was acquired by Avago Technologies (now known as Broadcom Inc.). Due to this takeover MegaRAID works on 3ware, LSI, and Avago RAID cards.

SETUP

• Execute Deploy StorCLi64.exe [WIN] before adding monitoring set

• Set parameters to correct path

HOW DOES IT WORK:

The component executes the commands to check the physical disk status of the RAID array and alerts if anything is not reported as OK or supported. If unsupported disks are found this component will return an error. If you want unsupported disks to be listed as supported, change the support setting in the MegaRAID CLI.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor Azure MFA Server

WHY USE THIS MONITORING SET:

If you would like to monitor Azure MFA server

The set will alert if users do not have MFA enabled and are allowed to pass authentication without MFA.

HOW DOES IT WORK:

The component executes a PowerShell command that returns the current status of the MFA server; it lists all users and checks whether MFA is enabled for each of them.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Windows 10 and higher

• MFA server


COMPONENT NAME:

Monitor BitLocker status

WHY USE THIS MONITORING SET:

If you would like to monitor the BitLocker status of a device. The monitoring set will alert whenever BitLocker is not activated or enabled.

HOW DOES IT WORK:

Uses the Get-BitLockerVolume PowerShell command to list all volumes with BitLocker enabled. If no volumes are found the component will generate an alert. If protection is suspended or disabled it will also generate an alert.

SYSTEM REQUIREMENTS:

• Windows 10 and higher

• BitLocker


COMPONENT NAME:

Monitor Breached Passwords

WHY USE THIS MONITORING SET:

If you would like to monitor whether passwords have been breached. The password entered will not be sent to any location, but a generated hash of the password will.

HOW DOES IT WORK:

Connects to the “Have I Been Pwned?” API, compares the list of given passwords, and alerts if a password hash matches one found in a former breach.

To use this set you will have to enter passwords in plain text. It is strongly advised to only use this monitoring set on internal machines at the MSP and to only use passwords that are related to service accounts or suspected of leaks.
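As an added example (not the component's own code), the check described above using the Pwned Passwords range API and its k-anonymity model: only the first five characters of the SHA-1 hash leave the machine, and the suffix comparison happens locally. The endpoint and the Add-Padding header are from the public HIBP API documentation; the sample passwords and the Datto RMM result markers are assumptions.

```powershell
# Added example, not the CyberDrain component's code.
# Older Windows PowerShell defaults to TLS 1.0 for web requests; the API needs TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    } finally {
        $sha1.Dispose()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToUpperInvariant()
}

function Test-PwnedPassword {
    # Returns how often the password appears in HIBP breach data, 0 if unknown.
    param([Parameter(Mandatory)][string]$Password)
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)   # the only part that is sent
    $suffix = $hash.Substring(5)      # compared locally against the response
    # Add-Padding makes the API pad the response so its size does not reveal
    # how many real matches the prefix has.
    $headers  = @{ 'Add-Padding' = 'true'; 'User-Agent' = 'DattoRMM-breached-password-example' }
    $response = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Headers $headers -Method Get
    foreach ($line in ($response -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
            return [int]$parts[1]   # padded entries carry a count of 0 and never match a real suffix with a hit
        }
    }
    return 0
}

# Constructed sample input; in the real component these come from masked variables.
$passwordsToCheck = @('Example-Pa55word!', 'AnotherPlaceholder#1')

$hits = foreach ($pw in $passwordsToCheck) {
    $count = Test-PwnedPassword -Password $pw
    if ($count -gt 0) {
        # Never echo the password itself into RMM diagnostics; report by hash prefix only.
        [pscustomobject]@{ HashPrefix = (Get-Sha1Hex -Text $pw).Substring(0, 5); Seen = $count }
    }
}
$hits = @($hits)

Write-Host '<-Start Result->'
if ($hits.Count -eq 0) {
    Write-Host 'Alert=Healthy - no checked passwords found in breach data'
    Write-Host '<-End Result->'
    exit 0
}
Write-Host "Alert=$($hits.Count) password(s) found in breach data"
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
$hits | ForEach-Object { Write-Host "SHA-1 prefix $($_.HashPrefix): seen $($_.Seen) times in breaches" }
Write-Host '<-End Diagnostic->'
exit 1
```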

SYSTEM REQUIREMENTS:

• Windows 10 and higher

• Access to “Have I Been Pwned?” API.


COMPONENT NAME:

Monitor Cipher State

WHY USE THIS MONITORING SET:

If you would like to monitor if the server or workstation allows outdated cipher states. Cipher states are used for TLS/SSL connections and using the most modern encryption prevents attacks such as Shellshock, Heartbleed, and MITM attacks.

HOW DOES IT WORK:

Checks in the registry which TLS/SSL protocol versions are enabled and alerts if older versions are enabled. Also checks the cipher suites in use with PowerShell and alerts if they are not up to current standards.
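As an added example (not the component's own code), a check along the lines described above: it reads the SCHANNEL protocol keys for the legacy protocols and lists cipher suites still offered that match a weak pattern. The SCHANNEL registry location is the documented one; the weak-suite pattern list and the Datto RMM result markers are assumptions.

```powershell
# Added example, not the CyberDrain component's code.
$schannelRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacyProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function Get-LegacyProtocolState {
    # One object per legacy protocol and side (Server = inbound, Client = outbound).
    foreach ($proto in $legacyProtocols) {
        foreach ($side in 'Server', 'Client') {
            $key     = Join-Path $schannelRoot "$proto\$side"
            $enabled = $null
            if (Test-Path $key) {
                $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
            }
            # A missing key or value means the OS default applies, which on older
            # builds still enables these protocols, so only an explicit 0 counts
            # as disabled.
            if ($null -eq $enabled)  { $state = 'not explicitly disabled (OS default)' }
            elseif ($enabled -eq 0)  { $state = 'disabled' }
            else                     { $state = 'enabled' }
            [pscustomobject]@{
                Protocol = $proto
                Side     = $side
                State    = $state
                Finding  = ($enabled -ne 0)
            }
        }
    }
}

function Get-WeakCipherSuite {
    # Get-TlsCipherSuite exists on Windows 10 / Server 2016 and later only;
    # on Server 2012 R2 this part is skipped.
    if (-not (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue)) { return }
    # Illustrative weak-suite pattern (assumption): RC4, (3)DES, NULL, export grade, MD5.
    $weakPattern = 'RC4|3DES|DES_CBC|NULL|EXPORT|MD5'
    Get-TlsCipherSuite | Where-Object { $_.Name -match $weakPattern } | Select-Object -ExpandProperty Name
}

$protocolFindings = @(Get-LegacyProtocolState | Where-Object Finding)
$weakSuites       = @(Get-WeakCipherSuite)

Write-Host '<-Start Result->'
if ($protocolFindings.Count -eq 0 -and $weakSuites.Count -eq 0) {
    Write-Host 'Alert=Healthy - no legacy protocols or weak cipher suites found'
    Write-Host '<-End Result->'
    exit 0
}
Write-Host "Alert=$($protocolFindings.Count) legacy protocol setting(s), $($weakSuites.Count) weak cipher suite(s)"
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
$protocolFindings | ForEach-Object { Write-Host "$($_.Protocol) $($_.Side): $($_.State)" }
$weakSuites       | ForEach-Object { Write-Host "Weak cipher suite offered: $_" }
Write-Host '<-End Diagnostic->'
exit 1
```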

SYSTEM REQUIREMENTS:

• Windows 10 and higher

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor Dell Driver Updates

WHY USE THIS MONITORING SET:

If you would like to monitor whether Dell updates are available for your device. Uses the Dell DCU (Dell Command Update).

SETUP:

• Host the Dell DCU file on a webserver of choice. For examples see https://www.cyberdrain.com/monitoring-with-powershell-monitoring-dell-device-updates/

HOW DOES IT WORK:

Uses the Dell Command Update utility to check whether updates are available; if updates are available, the component will generate an alert.

SYSTEM REQUIREMENTS:

• Windows 10 and higher

• Dell system


COMPONENT NAME:

Monitor Event log size

WHY USE THIS MONITORING SET:

If you would like to monitor the size of event logs.

Event logs are local files recording all the 'happenings' on the system, including accessing, deleting or adding a file or an application, modifying the system's date, shutting down the system, changing the system configuration, etc.

HOW DOES IT WORK:

Monitors the Application, System, and Setup event logs; if less than 10% of a log's configured size is still available it will generate an alert.

REMEDIATION:

• Automatic remediation is available. The remediation script is called “Back-up Event Logs [WIN]” and can be found in the ComStore.

SYSTEM REQUIREMENTS:

• Windows 10 and higher

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor External Open Ports

WHY USE THIS MONITORING SET:

If you would like to monitor the open ports on your external IP address.

The problem with most port-scan utilities, and with the PowerShell Test-NetConnection cmdlet, is that they always scan from the internal network. If you do enter the external IP, whitelisting might allow you to connect anyway and give you false positives.

HOW DOES IT WORK:

Uses an external port scan utility hosted by yourself to scan all given ports.

SETUP

• Upload the PHP file example from https://www.cyberdrain.com/monitoring-with-powershell-external-port-scanning/ to a host of choice.

• Enter correct URL in parameters of component.

SYSTEM REQUIREMENTS:

• Windows 10 and higher

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor Local Administrator Password Changes

WHY USE THIS MONITORING SET:

If you would like to monitor local administrator password resets in the previous 24 hours.

In Windows, a local administrator account is a user account that can manage a local computer. Generally, a local administrator can do anything to the local system.

HOW DOES IT WORK:

Checks the LastPasswordSet date of all local administrator accounts.
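As an added example (not the component's own code), the check described above: every local user account in the local Administrators group is inspected and any account whose password was set within the last 24 hours is reported. It uses the LocalAccounts module (Windows 10 / Server 2016 and later); the Datto RMM result markers are an assumption.

```powershell
# Added example, not the CyberDrain component's code.
function Get-RecentAdminPasswordReset {
    param([int]$Hours = 24)
    $cutoff = (Get-Date).AddHours(-$Hours)
    # Resolve the group by its well-known SID so localised group names still work.
    foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        # Domain principals and nested groups have no local PasswordLastSet to inspect.
        if ("$($member.PrincipalSource)" -ne 'Local' -or "$($member.ObjectClass)" -ne 'User') { continue }
        $user = Get-LocalUser -SID $member.SID
        # PasswordLastSet is null when no password has ever been set on the account.
        if ($user.PasswordLastSet -and $user.PasswordLastSet -gt $cutoff) {
            [pscustomobject]@{
                Name            = $user.Name
                PasswordLastSet = $user.PasswordLastSet
                Enabled         = $user.Enabled
            }
        }
    }
}

$resets = @(Get-RecentAdminPasswordReset -Hours 24)

Write-Host '<-Start Result->'
if ($resets.Count -eq 0) {
    Write-Host 'Alert=Healthy - no local administrator password changes in the last 24 hours'
    Write-Host '<-End Result->'
    exit 0
}
Write-Host "Alert=$($resets.Count) local administrator password change(s) in the last 24 hours"
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
foreach ($r in $resets) {
    Write-Host "$($r.Name) (enabled: $($r.Enabled)) password set $($r.PasswordLastSet.ToString('u'))"
}
Write-Host '<-End Diagnostic->'
exit 1
```

When an alert fires, the Security event log entries 4724 (password reset) and 4723 (password change) around the reported time identify which account performed the change.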

SYSTEM REQUIREMENTS:

• Windows 10 and higher

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor MegaRAID RAID Status

WHY USE THIS MONITORING SET:

If you would like to monitor the MegaRAID RAID status of a server.

LSI Corporation was an American company based in San Jose, California which designed semiconductors and software that accelerate storage and networking in data centres, mobile networks and client computing. On May 6, 2014, LSI Corporation was acquired by Avago Technologies (now known as Broadcom Inc.). Due to this takeover MegaRAID works on 3ware, LSI, and Avago RAID cards.

SETUP

• Execute Deploy StorCLi64.exe [WIN] before adding monitoring set

• Set parameters to correct path

HOW DOES IT WORK:

The component executes the commands to check the current status of the RAID array and alerts if anything is not reported as OK.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor Print Servers and queues

WHY USE THIS MONITORING SET:

If you need to alert on Printers on servers not being available or jobs getting stuck in queues.

HOW DOES IT WORK:

Uses the Get-Printer PowerShell command to retrieve the health status and alerts if a job is stuck or a printer is not online.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor RDS UPD State

WHY USE THIS MONITORING SET:

If you need to alert on disks that are almost full when using RDS User Profile Disks.

User profile disks store user and application data on a single virtual disk that is dedicated to one user's profile. They provide an easy way to keep the user settings and data on a separate virtual disk that is reattached at logon, so the user data isn't discarded when the virtual machine rolls back.

HOW DOES IT WORK:

Checks all VHDX files attached to the system and alerts if less than 10% space is available inside of that disk.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor RRAS Status

WHY USE THIS MONITORING SET:

If you need to alert on any component of RRAS that fails.

Routing and Remote Access Service (RRAS) is a suite of network services in the Windows Server family that enables a server to perform the services of a conventional router. RRAS includes an application programming interface (API) that facilitates the development of applications and processes for administering a range of network services.

HOW DOES IT WORK:

Checks the current RRAS status by executing the RRAS health monitoring via PowerShell. Alerts if any service is not healthy.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor Windows Firewall State

WHY USE THIS MONITORING SET:

If you need to alert on any part of the Windows Firewall allowing traffic where it should not be.

The set monitors both whether the Windows Firewall is active and whether the current policies have been set to allow all traffic.

HOW DOES IT WORK:

Checks the current state of the Windows Firewall and alerts if the firewall is disabled for any profile. Also checks the Default Inbound Action of each profile and alerts if it has been set to “Allow”.
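As an added example (not the component's own code), both checks described above over every firewall profile, with the currently active network profile per connection added to the diagnostic so the reader can see which finding applies right now. Cmdlets are from the built-in NetSecurity module; the Datto RMM result markers are an assumption.

```powershell
# Added example, not the CyberDrain component's code.
function Get-FirewallFinding {
    foreach ($fwProfile in Get-NetFirewallProfile) {
        # Enabled is a GpoBoolean (True/False); compare as text to avoid enum-to-bool quirks.
        if ("$($fwProfile.Enabled)" -ne 'True') {
            "$($fwProfile.Name) profile: firewall is disabled"
        }
        # DefaultInboundAction is Block, Allow or NotConfigured. NotConfigured means
        # the built-in default (Block) applies, so only an explicit Allow is a finding.
        if ("$($fwProfile.DefaultInboundAction)" -eq 'Allow') {
            "$($fwProfile.Name) profile: default inbound action is Allow"
        }
    }
}

function Get-ActiveNetworkProfile {
    # Which profile (Public / Private / DomainAuthenticated) each connected
    # interface is currently on; a finding on that profile is the one in effect.
    Get-NetConnectionProfile | ForEach-Object {
        "$($_.InterfaceAlias) is on the $($_.NetworkCategory) profile"
    }
}

$findings = @(Get-FirewallFinding)

Write-Host '<-Start Result->'
if ($findings.Count -eq 0) {
    Write-Host 'Alert=Healthy - firewall enabled on all profiles and no profile defaults to Allow inbound'
    Write-Host '<-End Result->'
    exit 0
}
Write-Host "Alert=$($findings.Count) Windows Firewall finding(s)"
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
$findings | ForEach-Object { Write-Host $_ }
Get-ActiveNetworkProfile | ForEach-Object { Write-Host $_ }
Write-Host '<-End Diagnostic->'
exit 1
```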

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.


COMPONENT NAME:

Monitor Shodan results – Dark web scan

WHY USE THIS MONITORING SET:

If you need to alert on your services being added to Shodan.

Shodan is a search engine that lets the user find any device connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.

This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server. Shodan collects data on each known port and as such can be used to find devices that have ports open to the internet that you would not like to have open, such as RDP.

HOW DOES IT WORK:

This component connects to the Shodan API and downloads all results for the IP it is currently running from.

SYSTEM REQUIREMENTS:

• Server 2012R2 and higher.

• Windows 8.1 and higher.


COMPONENT NAME:

Monitor OneDrive Sync Status

WHY USE THIS MONITORING SET:

If you need to monitor the status of the OneDrive sync for the currently logged on user. OneDrive sync reports several statuses to the client OS and these are evaluated and processed by the script.

HOW DOES IT WORK:

This component runs a specialized “run as user” script, and then checks the status of the OneDrive sync by executing the PowerShell module for OneDrive sync.

SYSTEM REQUIREMENTS:

• Server 2016 and higher.

• Windows 10 and higher.


COMPONENT NAME:

Monitor Active Directory User/Computer Age

WHY USE THIS MONITORING SET:

If you need to monitor how long devices or users have not logged on to the network. This set is often used in conjunction with an automatic removal/disable script for older user and computer accounts.

HOW DOES IT WORK:

This component runs the Get-ADUser and Get-ADComputer cmdlets that are included on Server 2012 and later. It then filters the accounts based on age and returns them in the diagnostic data.

The diagnostic data contains only the fields required to find the device in the Active Directory.

SYSTEM REQUIREMENTS:

• Server 2012 and higher

• Domain Controller


COMPONENT NAME:

Monitor SQL Server Databases [win]

WHY USE THIS MONITORING SET:

If you need to monitor the current state of SQL databases. The following items are monitored for each database:

• Database state must be Normal

• Recovery model must be Simple

• Filegroups must not have a max size set

• File groups are not allowed to be on the C: drive.

• Databases excluded from monitoring are: ("Master","Model","ReportServer","SLDModel.SLDData")

HOW DOES IT WORK:

This component runs the SQLPS cmdlets to retrieve all databases and their settings. Please note that for SQLPS to function correctly the NT AUTHORITY\SYSTEM account needs access to the databases.

When monitoring fails the diagnostic information will contain the exact status.

SYSTEM REQUIREMENTS:

• Server 2012 and higher

• SQL server installed

• SYSTEM must have access to all DBs.


COMPONENT NAME:

Monitor Internet Speed [WIN]

WHY USE THIS MONITORING SET:

If you need to monitor and compare the internet speeds to preset values and to the value of the last run of the script.

HOW DOES IT WORK:

This component uses the Speedtest CLI from Ookla. The script allows you to monitor the following items:

• The external IP and the internal IP of the interface used.

• The current ISP.

• The download and upload speed.

• The jitter, latency, and packet loss of the connection.

• The server it uses, plus the actual speedtest.net URL so you can compare the results by hand.

The script has two measuring methods. One is absolute and based on the values you’ve entered. The other is a percentage-based monitor that alerts if the difference between the current speedtest and the previous one is more than 20%.

SYSTEM REQUIREMENTS:

• Server 2012 and higher

• Windows 8.1 and higher


COMPONENT NAME:

Monitor Competitor RMM

WHY USE THIS MONITORING SET:

If you need to monitor the installation of a competing RMM product. Can be used during onboarding, or when there is concern that a secondary service provider has installed an RMM package.

HOW DOES IT WORK:

This component queries the registry for all installed applications and matches them against the names of known RMM products.

SYSTEM REQUIREMENTS:

• Server 2012 and higher

• Windows 8.1 and higher


COMPONENT NAME:

Monitor SMB connections on clients

WHY USE THIS MONITORING SET:

If you need to monitor the currently open SMB sessions on client machines. Clients should not host any file shares, and the administrative shares such as ADMIN$ are often used for lateral movement by bad actors. This monitoring component gives you an early warning based on that.

HOW DOES IT WORK:

This component queries all open SMB sessions on a client machine by running Get-SmbSession in PowerShell. This gives all relevant information, such as the user who is connecting and from which IP address.
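As an added example (not the component's own code), the query described above with one practical refinement: sessions from an expected management host are excluded so routine RMM or backup traffic does not page anyone, and the open paths of each remaining session are listed so an ADMIN$ or C$ connection is visible at a glance. Get-SmbSession and Get-SmbOpenFile are in the built-in SmbShare module and need an elevated context; the allow-list address and the Datto RMM result markers are assumptions.

```powershell
# Added example, not the CyberDrain component's code.
# Constructed placeholder: sources that may legitimately open SMB sessions to
# workstations (for example a backup or RMM server). Adjust per site.
$allowedSources = @('10.0.0.5')

function Get-InboundSmbSession {
    # Get-SmbSession errors if the Server service is stopped; let that surface
    # rather than silently reporting "healthy".
    foreach ($session in Get-SmbSession) {
        $openFiles = @(Get-SmbOpenFile -SessionId $session.SessionId -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Source    = $session.ClientComputerName   # normally the client IP address
            User      = $session.ClientUserName
            Dialect   = $session.Dialect
            AgeMin    = [int]([timespan]::FromSeconds($session.SecondsExists).TotalMinutes)
            Opens     = $session.NumOpens
            OpenPaths = (@($openFiles | ForEach-Object Path) | Sort-Object -Unique) -join ', '
        }
    }
}

$sessions   = @(Get-InboundSmbSession)
$unexpected = @($sessions | Where-Object { $allowedSources -notcontains $_.Source })

Write-Host '<-Start Result->'
if ($unexpected.Count -eq 0) {
    Write-Host "Alert=Healthy - $($sessions.Count) SMB session(s), none from unexpected sources"
    Write-Host '<-End Result->'
    exit 0
}
Write-Host "Alert=$($unexpected.Count) unexpected inbound SMB session(s) on this client"
Write-Host '<-End Result->'
Write-Host '<-Start Diagnostic->'
foreach ($s in $unexpected) {
    # An open path under the Windows or system drive root from another host is the
    # ADMIN$ / C$ pattern the text above describes.
    Write-Host "$($s.User) from $($s.Source) ($($s.Dialect), open $($s.AgeMin) min, $($s.Opens) open file(s)): $($s.OpenPaths)"
}
Write-Host '<-End Diagnostic->'
exit 1
```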

SYSTEM REQUIREMENTS:

• Windows 10 and up


OFFICE365 MONITORING COMPONENTS

The Office365 monitoring components require a preload of PowerShell modules and setup of the Secure Application Model. Each of the Office365 monitoring components requires the use of these credentials.

The Office365 monitoring components should run on a dedicated virtual machine for this specific purpose. Do not run these components on client machines, as these often do not meet the security requirements for connecting to the Office365 APIs securely.

To prepare your environment you must run the “Prepare for O365 monitoring [WIN]” component.

This component pre-downloads all modules and sets up the virtual machine to work securely with the Office365 credentials. This component must finish without any errors.

After this component has run, you must use the Secure Application Model to collect your credentials. To collect these credentials please check the Microsoft documentation here: https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/bd-p/PC_Security_Guidance_Secure_Application

Or use the CyberDrain documentation here: https://www.cyberdrain.com/connect-to-exchange-online-automated-when-mfa-is-enabled-using-the-secureapp-model/

These credentials need to be entered as site variables. An example is included in the screenshot below. You must set up the following site variables:

Name                       Value                              Masked

O365ApplicationId          Application ID                     No

O365ApplicationSecret      Application Secret                 Yes

O365ExchangeRefreshToken   Exchange Refresh Token             Yes

O365RefreshToken           Refresh Token                      Yes

O365TenantID               Your Tenant ID                     No

O365UPN                    The UPN used to generate tokens.   No

The screenshot demonstrates how this will look in Datto RMM.

See the list below for the monitoring components that are currently available. It is recommended to run the components with a minimum runtime of 10 minutes. Some components require you to add permissions to the Secure Application Model; please refer to the related blog for instructions on how to do this.


Each entry lists: Component Name / Component Description / Related blog / Extra permissions required.

Monitor Office365 ADConnect Synchronization [WIN]
Description: Checks whether the Password Sync and the Active Directory Sync have occurred in the last 24 hours and alerts if they have not.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office365-azure-ad-sync/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Admin Password Changes [WIN]
Description: Alerts when an admin password is changed in any tenant controlled by the partner. This is useful to discover whether documentation needs to be updated or whether an account has been compromised.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office365-admin-password-changes
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Blocked Users [WIN]
Description: Alerts when O365 users enter a blocked state. This monitors all disabled users and can be used for reporting purposes.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-users-that-are-blocked-for-login/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Breakglass logon [WIN]
Description: Alerts when a break glass user has logged on. This could be an IoC (indicator of compromise).
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-o365-azure-breakglass-account-logon
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Deleted users [WIN]
Description: Alerts when a deleted user is found in the recycle bin. Can be used to create a ticket to resume offboarding or to confirm that the user actually needed to be deleted.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-mfa-server-and-office365-mfa-status/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Mailbox sizes [WIN]
Description: Alerts when the mailbox size of a user is over a set size.
Related blog: https://www.cyberdrain.com/documenting-with-powershell-documenting-office-365-usage-reports/
Extra permissions required: Yes. Reports.Read.All

Monitor Office365 MFA Type [WIN]
Description: Alerts when a user has an insecure MFA type enabled, such as SMS based MFA.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-the-used-mfa-type-for-o365-azure/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Modern Authentication [WIN]
Description: Alerts when Modern Authentication is not enabled for a tenant. When Modern Authentication is not set, the tenant uses legacy authentication.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-3-monitoring-modern-authentication/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Users Pending Permanent Deletion [WIN]
Description: Alerts when a deleted user is found in the recycle bin and is about to be permanently deleted.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office-365-deleted-users-license-usage/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 New created teams [WIN]
Description: Alerts when a new team has been created in the last day. Required OS: Windows 8.1 and up.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-the-creation-of-new-teams/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Non-MFA users [WIN]
Description: Alerts when a user does not have MFA enabled.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-the-used-mfa-type-for-o365-azure/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 OneDrive and SharePoint Sync Limits [WIN]
Description: Alerts when a OneDrive or SharePoint site is reaching the synchronisation limits. Required OS: Windows 8.1 and up.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-onedrive-and-sharepoint-file-limits/
Extra permissions required: Yes. Reports.Read.All

Monitor Office365 Suspicious LoginLocation [WIN]
Description: Alerts when a user has logged on from an unexpected location. Uses the third-party https://ip2c.org IP location database. This checks only IPv4 addresses. This is useful when the tenant does not have a P1 subscription.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-o365-location-alerts/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Unified Audit Log [WIN]
Description: Alerts when the O365 Unified Audit Log has not been enabled.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-chapter-3-monitoring-modern-authentication/
Extra permissions required: No. Default Secure App Model permissions.

Monitor Office365 Unused Licenses [WIN]
Description: Alerts when there are unused licenses in the Office365 portal.
Related blog: https://www.cyberdrain.com/monitoring-with-powershell-monitoring-office-365-deleted-users-license-usage/
Extra permissions required: No. Default Secure App Model permissions.

Prepare Office365 monitoring [WIN]
Description: Prepares a computer for Office365 monitoring. Please read the CyberDrain documentation (this document) before executing this. Required OS: Server 2016 or Windows 10 or higher.
Related blog: No related blog.
Extra permissions required: No permissions required.