I'm trying to use the existing eventlog check to notify of software installs (App log, Source=MsiInstaller, Event 11707). This works, but there is no way to exclude legitimate common installs such as Adobe or Java updates.

So I'm looking for a way to fail a check when an 11707 is found, unless the product detail for that event includes the text "X" or "Y" or "Z", which would be hard-coded in the script and modifyable.

Any PS guru's willing to take a whack at a script with a modifyable whitelist?

