How to write Toast Notification responses to a Log Analytics Workspace

After a remediation action has run, or simply to collect feedback from users and customers, it is useful to run a short survey. Contacting users by mail usually yields very poor response rates; a popup directly on their device works much better. In this blog post I explain how to implement this with a Proactive Remediation script and write the responses to a Log Analytics workspace.

Create a Log Analytics Workspace

  • In the Azure portal, create a new Log Analytics workspace: select the Subscription and the Resource group or create a new one
  • Enter a name for the workspace
  • Select the region
  • Click Next: Tags >
  • Optional: Add Tags
  • Click Next: Review + Create >
  • Click Create

Get workspace information

  • Open the new Log Analytics workspace
  • Navigate to Agents management
  • Here you find the Workspace ID and the Primary key. You need both values later in the script. The primary key authorizes writes to the workspace's ingestion endpoint, so treat it like any other credential.

Adapt the script

The script that opens the toast notification and sends the user's selection to the Log Analytics workspace can be found in my git repository. First download the script and open it in a code editor such as Visual Studio Code.

  • First you need an image for the toast header. To embed this image in the PowerShell script you have to encode it as base64. I use the following tool for the encoding: https://www.base64-image.de/
    When the picture is encoded, paste the base64 string into the $tostImageBase64 variable in the script. PowerShell can also produce the base64 string locally from the image file, which avoids uploading a company logo to a third-party site.
  • Next, adapt the following variables with the content you want to show:

Next, insert the $customerId and the $sharedKey, the two values copied in the Get workspace information section: $customerId is the Workspace ID and $sharedKey is the Primary key. Optionally you can change the name of the Log Analytics table with the $logType variable; the table appears in the workspace with a _CL suffix (for example ToastSurvey_CL).
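To show what the script does with these two values, here is an added example (not the script from the repository) that signs and posts one survey answer to the Log Analytics HTTP Data Collector API. The function names, the sample record and the placeholder values are assumptions chosen for this example; $customerId, $sharedKey and $logType mirror the variables in the script.

```powershell
# Added example, not the author's script. Placeholders below must be replaced
# with the Workspace ID and Primary key from the Agents management blade.
$customerId = '<Workspace ID>'
$sharedKey  = '<Primary key>'
$logType    = 'ToastSurvey'          # shows up as table ToastSurvey_CL in the workspace

function New-DataCollectorSignature {
    param(
        [string]$CustomerId, [string]$SharedKey, [string]$Date,
        [int]$ContentLength, [string]$Method, [string]$ContentType, [string]$Resource
    )
    # The string to sign is fixed by the API: method, body length, content type,
    # the x-ms-date header and the resource path, each separated by a newline.
    $stringToHash = "$Method`n$ContentLength`n$ContentType`nx-ms-date:$Date`n$Resource"
    $bytesToHash  = [Text.Encoding]::UTF8.GetBytes($stringToHash)
    $hmac         = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key     = [Convert]::FromBase64String($SharedKey)   # the primary key is base64
    $encodedHash  = [Convert]::ToBase64String($hmac.ComputeHash($bytesToHash))
    return 'SharedKey {0}:{1}' -f $CustomerId, $encodedHash
}

function Send-LogAnalyticsRecord {
    param([string]$CustomerId, [string]$SharedKey, [string]$LogType, [object]$Record)
    $method      = 'POST'
    $contentType = 'application/json'
    $resource    = '/api/logs'
    $rfc1123date = [DateTime]::UtcNow.ToString('r')
    # Sign exactly the bytes that go on the wire; a length mismatch yields 403 Forbidden.
    $bodyBytes   = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject @($Record) -Compress))
    $signature   = New-DataCollectorSignature -CustomerId $CustomerId -SharedKey $SharedKey `
        -Date $rfc1123date -ContentLength $bodyBytes.Length -Method $method `
        -ContentType $contentType -Resource $resource
    $uri     = "https://$CustomerId.ods.opinsights.azure.com$resource?api-version=2016-04-01"
    $headers = @{
        'Authorization' = $signature
        'Log-Type'      = $LogType
        'x-ms-date'     = $rfc1123date
    }
    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType `
        -Headers $headers -Body $bodyBytes -UseBasicParsing
    return $response.StatusCode    # 200 on success
}

# Constructed sample record: what an answer button handler would send.
$record = [pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    User      = $env:USERNAME
    Question  = 'Did the remediation solve your problem?'
    Answer    = 'Yes'
    Timestamp = [DateTime]::UtcNow.ToString('o')
}

# Only send when the placeholders have been replaced.
if ($customerId -notlike '<*') {
    Send-LogAnalyticsRecord -CustomerId $customerId -SharedKey $sharedKey -LogType $logType -Record $record
}
```

Each property of the record becomes a column in the custom table (string columns get an _s suffix, for example Answer_s), so the answers can be queried with KQL immediately after the first post. The whole request is authenticated only by the HMAC over the shared key, which is why the key has to be present on every client that runs the script.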

Deploy Script via Endpoint Analytics

  • To deploy this toast notification to the clients, open the Microsoft Endpoint Manager admin center (MEM portal) and navigate to Reports -> Endpoint analytics -> Proactive remediations
  • Click Create script package
  • Enter a name
  • Click Next
  • Upload the script as the detection script
  • Select Yes for "Run this script using the logged-on credentials" (the toast must be shown in the user's session)
  • Click Next
  • Click Next
  • Assign the script to a group and click on Daily in the Schedule column
  • Change the schedule to Once (another schedule such as hourly or daily is also possible) and click Apply
  • Click Next
  • Click Create

How does it work

First, for each possible answer (Yes, Partly and No), the main script generates a small PowerShell script and places it under "C:\Users\Public\Documents". The answer is spliced between a common prefix and suffix:

($actionScriptPre + "Yes" + $actionScriptPost) | out-file "$scripExecutionPath\ActionYes.ps1" -Force -Encoding ASCII

After that, a CMD script is created whose only job is to call the PowerShell script. The reason is that the action registered in the next step launches a CMD script. This file is also created in "C:\Users\Public\Documents":

$actionScriptCmdPartly = "Powershell.exe -executionpolicy Bypass -File C:\Users\Public\Documents\ActionPartly.ps1"
$actionScriptCmdPartly | out-file "$scripExecutionPath\ActionPartly.cmd" -Force -Encoding ASCII

After that, as mentioned before, the CMD script is registered as the action. The action is a URL protocol stored in the registry under "HKCU:\SOFTWARE\Classes\$Action_Name"; its shell\open\command value points at the CMD script, so clicking the corresponding toast button launches it through protocol activation. Because the key lives in HKCU, no administrative rights are needed, which is why the remediation runs with the logged-on user's credentials.

When these preparations are done, the toast notification is displayed. The toast is assembled from an XML document and can easily be customized. The linked Microsoft documentation describes how to design a toast notification.

# Register the AppUserModelId so Windows accepts the notifier (helper function from the script)
Register-NotificationApp -AppID $tostTitle -AppDisplayName $tostTitle
# Load the WinRT types (Windows PowerShell 5.1)
$load = [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime]
$load = [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom.XmlDocument, ContentType = WindowsRuntime]
# Create toast
$toastXml = New-Object -TypeName Windows.Data.Xml.Dom.XmlDocument
$toastXml.LoadXml($toast.OuterXml)
# Show() expects a ToastNotification, not the raw XmlDocument
$toastNotification = New-Object -TypeName Windows.UI.Notifications.ToastNotification -ArgumentList $toastXml
# Show the Toast
[Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($tostTitle).Show($toastNotification)

When the user clicks one of the buttons and the action is triggered, the generated scripts delete themselves so nothing is left on the system:

Remove-Item C:\Users\Public\Documents\ActionYes.ps1 -Force 
Remove-Item C:\Users\Public\Documents\ActionPartly.ps1 -Force 
Remove-Item C:\Users\Public\Documents\ActionNo.ps1 -Force
Remove-Item C:\Users\Public\Documents\ActionYes.cmd -Force 
Remove-Item C:\Users\Public\Documents\ActionPartly.cmd -Force 
Remove-Item C:\Users\Public\Documents\ActionNo.cmd -Force
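The complete mechanism described in this section (per-answer scripts, CMD wrappers, protocol registration in HKCU, the toast XML with protocol-activated buttons, and the self-cleanup), as an added example that is not the script from the repository. The folder, the ToastSurvey* protocol names and the AppUserModelId of the Windows PowerShell Start menu shortcut are assumptions chosen for this demo; the handlers write the answer to a local file where the original script posts it to Log Analytics. It requires Windows PowerShell 5.1 on Windows 10 or 11 and runs in the user's session.

```powershell
# Added example, not the author's script. Uses a per-user folder instead of the
# world-writable C:\Users\Public\Documents so other local users cannot swap the handlers.
$answers = 'Yes', 'Partly', 'No'
$workDir = Join-Path $env:LOCALAPPDATA 'ToastSurvey'
$appId   = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe'  # assumed AUMID
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Body of each ActionXxx.ps1: {0} = answer, {1} = working folder. It records the answer
# (the original script posts to Log Analytics here) and then removes every generated
# file and protocol key, so nothing outlives the survey. Single-quoted so $ stays literal.
$actionTemplate = @'
$answer  = '{0}'
$workDir = '{1}'
"$(Get-Date -Format o) $answer" | Out-File -FilePath (Join-Path $workDir 'answer.txt') -Append
foreach ($a in 'Yes', 'Partly', 'No') {{
    Remove-Item -Path (Join-Path $workDir "Action$a.ps1"), (Join-Path $workDir "Action$a.cmd") -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "HKCU:\SOFTWARE\Classes\ToastSurvey$a" -Recurse -Force -ErrorAction SilentlyContinue
}}
'@

foreach ($answer in $answers) {
    $ps1      = Join-Path $workDir "Action$answer.ps1"
    $cmd      = Join-Path $workDir "Action$answer.cmd"
    $protocol = "ToastSurvey$answer"

    ($actionTemplate -f $answer, $workDir) | Out-File -FilePath $ps1 -Force -Encoding ASCII

    # The CMD wrapper is what the protocol handler launches.
    "@echo off`r`nPowershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ps1`"" |
        Out-File -FilePath $cmd -Force -Encoding ASCII

    # Register ToastSurveyYes: etc. as a URL protocol in the user's hive; this is the
    # HKCU:\SOFTWARE\Classes\<Action_Name> key the post refers to.
    $keyPath = "HKCU:\SOFTWARE\Classes\$protocol"
    New-Item -Path "$keyPath\shell\open\command" -Force | Out-Null
    Set-ItemProperty -Path $keyPath -Name '(Default)'    -Value "URL:$protocol"
    Set-ItemProperty -Path $keyPath -Name 'URL Protocol' -Value ''
    Set-ItemProperty -Path "$keyPath\shell\open\command" -Name '(Default)' -Value "`"$cmd`""
}

# Each button uses protocol activation: clicking "Yes" opens ToastSurveyYes: and Windows
# runs the registered command. scenario="reminder" keeps the toast on screen until answered.
$toastXml = @"
<toast scenario="reminder">
  <visual>
    <binding template="ToastGeneric">
      <text>IT Support</text>
      <text>Did the remediation solve your problem?</text>
    </binding>
  </visual>
  <actions>
    <action content="Yes"    activationType="protocol" arguments="ToastSurveyYes:" />
    <action content="Partly" activationType="protocol" arguments="ToastSurveyPartly:" />
    <action content="No"     activationType="protocol" arguments="ToastSurveyNo:" />
  </actions>
</toast>
"@

$null = [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime]
$null = [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom, ContentType = WindowsRuntime]
$xml = New-Object Windows.Data.Xml.Dom.XmlDocument
$xml.LoadXml($toastXml)
$toast = New-Object Windows.UI.Notifications.ToastNotification $xml
[Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($appId).Show($toast)
```

After clicking a button, answer.txt in %LOCALAPPDATA%\ToastSurvey contains the timestamped answer and the Action*.ps1, Action*.cmd files and ToastSurvey* keys are gone. Deleting the running .cmd from inside the PowerShell handler is safe because cmd.exe reads the batch file line by line and PowerShell has already read its script completely; this is the same self-destruct pattern the original script uses.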

Conclusion

For a user it is often more appealing to give feedback directly when a problem has occurred, or to take part in a survey simply by clicking on a popup. This implementation is very simple and can be adapted to many use cases. Keep the security trade-off in mind, though: the shared key of the Log Analytics workspace is embedded in a script that is temporarily present on every client, and with this key anyone can send events to the workspace. If the key gets into the wrong hands, the workspace can be flooded with events or fed with misleading survey results, so the key should be rotated if a leak is suspected. Also note that the helper scripts are written to C:\Users\Public\Documents, which every local user can write to; a per-user folder is the safer choice on shared devices.

Stay healthy, Cheers
Jannik
