For clarification on this.
The Infrastructure agent does capture the installed packages on your system and it sends it up to Inventory which is not queryable at the moment as @RyanVeitch mentioned.
However, and as @philweber says, every change in Inventory is captured by us and creates an event which is recorded in
InfrastructureEvent in Insights.
The way we trigger the creation of those events is simply by comparing the last reported inventory list with the actual one. If something was changed/added/removed we create event for each line that differs from both samples.
So although we don’t have a “Inventory Change” alert feature per se, maybe using the change events will help achieve your goal for now.
If you create a NRQL based alert with a query similar to
SELECT count (*) FROM InfrastructureEvent WHERE changeType IN ('added','removed') AND source='packages/windows_programs'
and trigger an alert when the count is above 0, you will get alerts every time a package is added or removed (in the above case). You can omit the
changeType condition if you want to be alerted every time a change happens, even if it’s a minor upgrade in the version of a package.
You can also add more conditions to narrow down on specific packages if you don’t want to receive alerts for all changes.
The only caveat of such an alert is that we don’t have a continuous feed of the event, like in metrics. It happens once and, for example, if our alert is sampling only the last 5 minutes, after 5 minutes it will clear the alert by itself as the change condition is no longer happening.
But at least this will trigger an alert and send you a notification on the channels of your choice so you are aware changes happened on your servers.
Hope this helps!