ClientInspectorV2: Unleashing the power of Azure LogAnalytics, Azure Data Collection Rules, Log Ingestion API

Azure Log Analytics

ClientInspector

Are you in control? Or are some of your core infrastructure processes, such as patching, antivirus and BitLocker enablement, drifting? Or would you like to do advanced inventory, where you can look up the warranty state of your machines against Lenovo or Dell? Then keep reading.

Check out ClientInspector, which can help you get great insight into your complete client environment.

ClientInspector is free to the community – built to be a cool showcase of how you can bring back data from your clients using the Azure Log Ingestion Pipeline, Azure Data Collection Rules and Azure LogAnalytics; view the data with Azure Monitor and Azure Dashboards; and get “drift alerts” using Microsoft Sentinel.

Architecture & flow of ClientInspector

ClientInspector (v2) uploads the collected data into custom logs (custom tables) in an Azure LogAnalytics workspace, using the Log Ingestion API, Azure Data Collection Rules (DCR) and Azure Data Collection Endpoints (DCE).

What data is being collected?

ClientInspector can be used to collect lots of useful information from your Windows clients and send the data to Azure LogAnalytics custom tables.

The script collects the following information (settings, information, configuration, state):

  1. User Logged On to Client
  2. Computer information – bios, processor, hardware info, Windows OS info, OS information, last restart
  3. Installed applications, both using WMI and registry
  4. Antivirus Security Center from Windows – default antivirus, state, configuration
  5. Microsoft Defender Antivirus – all settings including ASR, exclusions, real-time protection, etc.
  6. Office – version, update channel config, SKUs
  7. VPN client – version, product
  8. LAPS – version
  9. Admin By Request (3rd party) – version
  10. Windows Update – last result (when), windows update source information (where), pending updates, last installations (what)
  11. Bitlocker – configuration
  12. Eventlog – look for specific events including logon events, blue screens, etc.
  13. Network adapters – configuration, installed adapters
  14. IP information for all adapters
  15. Local administrators group membership
  16. Windows firewall – settings for all 3 modes
  17. Group Policy – last refresh
  18. TPM information – relevant to detect machines with/without TPM
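To make the flow described under “Architecture & flow” concrete, and to show what a handful of the inventory items in the list above look like as records, here is an added PowerShell example. It is not ClientInspector's own code: it collects TPM, BitLocker and local-administrator state from the machine it runs on, obtains a token with the OAuth2 client-credentials flow, and posts the records as a JSON array to a Data Collection Endpoint, addressing a Data Collection Rule by its immutable id and stream name, via the Log Ingestion API. The tenant id, app registration, DCE URI, DCR immutable id and the stream/table name `Custom-ClientInventory_CL` are placeholders you must replace; the column names are ones this example invents and must match the stream declared in your DCR.

```powershell
# Added example (not ClientInspector's own code): collect a few of the inventory
# items listed above and push them to a Log Analytics custom table through a
# Data Collection Endpoint (DCE) and Data Collection Rule (DCR) using the
# Log Ingestion API. Needs the BitLocker, TrustedPlatformModule and
# Microsoft.PowerShell.LocalAccounts modules (present on Windows 10/11).
#
# Assumed placeholders (replace with your own values): tenant id, app
# registration (client id + secret), DCE ingestion URI, DCR immutable id and
# the stream name. "Custom-ClientInventory_CL" is an invented table name.

$TenantId       = '<tenant-id>'
$ClientId       = '<app-client-id>'
$ClientSecret   = '<app-client-secret>'   # a certificate or managed identity is preferable in production
$DceUri         = 'https://<dce-name>.<region>.ingest.monitor.azure.com'
$DcrImmutableId = 'dcr-<immutable-id>'
$StreamName     = 'Custom-ClientInventory_CL'

function Get-ClientInventory {
    # Gather a subset of the items listed above. Each record carries a
    # TimeGenerated stamp that the DCR maps onto the table's TimeGenerated column.
    $now = (Get-Date).ToUniversalTime().ToString('o')

    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $bde    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name

    [pscustomobject]@{
        TimeGenerated       = $now
        Computer            = $env:COMPUTERNAME
        TpmPresent          = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady            = [bool]($tpm -and $tpm.TpmReady)
        BitLockerStatus     = if ($bde) { [string]$bde.ProtectionStatus } else { 'Unknown' }
        BitLockerMethod     = if ($bde) { [string]$bde.EncryptionMethod } else { 'Unknown' }
        LocalAdministrators = ($admins -join ';')
    }
}

function Get-MonitorIngestionToken {
    # OAuth2 client-credentials flow. The scope for the Log Ingestion API is
    # https://monitor.azure.com//.default (the double slash is intentional).
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://monitor.azure.com//.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $resp.access_token
}

function Send-ToLogIngestionApi {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string]   $Token
    )
    # The API expects a JSON array; -InputObject keeps a single record wrapped
    # in an array. Each request must stay under 1 MB.
    $json = ConvertTo-Json -InputObject @($Records) -Depth 5 -Compress
    if ([Text.Encoding]::UTF8.GetByteCount($json) -gt 1MB) {
        throw 'Payload exceeds the 1 MB per-request limit; split the batch.'
    }
    $uri = "$DceUri/dataCollectionRules/$DcrImmutableId/streams/$StreamName" +
           '?api-version=2023-01-01'
    Invoke-RestMethod -Method Post -Uri $uri -Body $json `
        -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $Token" } | Out-Null
}

$records = @(Get-ClientInventory)
$token   = Get-MonitorIngestionToken
Send-ToLogIngestionApi -Records $records -Token $token
Write-Host "Uploaded $($records.Count) record(s) to stream $StreamName"
```

The app registration only needs the Monitoring Metrics Publisher role, scoped to the DCR, for this to work; it does not need any rights on the workspace itself, which keeps the credential that ends up on clients narrowly scoped. The DCR's declared stream must list the same column names and types the records use, or the ingestion call is rejected (HTTP 400) rather than silently dropping fields.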

Install & Use

Copyright (c) 2023 Morten Knudsen