Skip to content
← Ideas and Feedback

Have an idea for a new feature?

Ideas and Feedback: Alerts

Categories

(thinking…)

Update Preset Threshold Items for Software Installed/Uninstalled Events

The existing preset threshold item for the "Software Installed" event has a description of "Trigger an alert whenever new software is installed based on Event IDs 11707 and 1033"

It does this, but it also catches false positives. Other events that are not software installs can also have Event ID 1033. The exact same scenario also happens for Event ID 1034, which is designed to notify of software uninstalls.

Examples:
Event Log: Application | Event Id: 1033
These policies are being excluded since they are only defined with override-only attribute.
Policy Names=(Security-SPP-Reserved-EnableNotificationMode)
App Id=REDACTED
Sku Id=REDACTED
[Machine Name: REDACTED]

Event Log: Application | Event Id: 1034
Duplicate definition of policy found. Policy name=AAD-BlockAADWorkplaceJoin-Default Priority=100
[Machine Name: REDACTED]

These false positives daily generate a lot of noise.

3 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Ben Richardson shared this idea  ·   ·  Report…  ·  Admin →
How important is this to you?

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Jason Lawrence commented  ·   ·  Report

    It makes the Software Install and Uninstall alerts really noisy and unable to filter out.