This discovery finds computers running the secRMM product by looking in the computers registry for the secRMM event log entry.
This discovery uses the computers registry. It looks for the secRMM event log registry key.
Ensure the secRMM product is installed on the computer where you want to monitor Removable Media activity.
| Target | Microsoft.Windows.Computer |
| Enabled | True |
| Frequency | 86400 |
| Remotable | False |
| Discovered Classes and their attribuets: |
|---|
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.FilteredRegistryDiscoveryProvider | Default |
Home
<Discovery ID="Squadra.secRMM.Event.Discovery" Enabled="true" Target="Windows!Microsoft.Windows.Computer" ConfirmDelivery="false" Remotable="true" Priority="Normal">
<Category>Discovery</Category>
<DiscoveryTypes>
<DiscoveryClass TypeID="Squadra.secRMM.Event"/>
</DiscoveryTypes>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.FilteredRegistryDiscoveryProvider">
<ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<RegistryAttributeDefinitions>
<RegistryAttributeDefinition>
<AttributeName>secRMMExists</AttributeName>
<Path>SYSTEM\CurrentControlSet\services\eventlog\secRMM</Path>
<PathType>0</PathType>
<AttributeType>0</AttributeType>
</RegistryAttributeDefinition>
</RegistryAttributeDefinitions>
<Frequency>86400</Frequency>
<ClassId>$MPElement[Name="Squadra.secRMM.Event"]$</ClassId>
<InstanceSettings>
<Settings>
<Setting>
<Name>$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Name>
<Value>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>
</Setting>
</Settings>
</InstanceSettings>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="Boolean">Values/secRMMExists</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="Boolean">true</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</DataSource>
</Discovery>