PowerShell

About

PowerShell is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET Core.

In PowerShell, administrative tasks are generally performed by cmdlets (pronounced command-lets), which are specialized .NET classes implementing a particular operation. These work by accessing data in different data stores, like the file system or registry, which are made available to PowerShell via providers. Third-party developers can add cmdlets and providers to PowerShell. Cmdlets may be used by scripts, which may in turn be packaged into modules.

Product Details

Vendor URL: PowerShell Documentation

Product Type: Console

Product Tier: n/a

Integration Method: Syslog

Integration URL: n/a

Log Guide: n/a

Parser Details

Log Format: Syslog/JSON (depending on NXLog output configuration)

Expected Normalization Rate: near 100%

Data Label: POWERSHELL

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field | UDM Event Type |
| --- | --- | --- |
| description | metadata.description | metadata |
| event_type | metadata.event_type | metadata |
| product_event_type | metadata.product_event_type | metadata |
| product_log_id | metadata.product_log_id | metadata |
| product_name | metadata.product_name | metadata |
| product_version | metadata.product_version | metadata |
| vendor_name | metadata.vendor_name | metadata |
| Domain | principal.administrative_domain | principal |
| Hostname | principal.hostname | principal |
| AccountName | principal.user.userid | principal |
| UserID | principal.user.windows_sid | principal |
| security_result | security_result | security_result |
| powershell.Host_Application | target.process.command_line | target |
| powershell.Script_Name | target.process.file.full_path | target |

Product Event Types

| Description | metadata.event_type |
| --- | --- |
| Defaults | GENERIC_EVENT |
| if [EventID] == "4103" | PROCESS_LAUNCH |
| if [EventID] == "4104" | PROCESS_LAUNCH |
| if [EventID] == "403" | PROCESS_TERMINATION |

Log Sample

{"EventTime":1633032153,"Hostname":"host","Keywords":"0","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4103,"SourceName":"Microsoft-Windows-PowerShell","ProviderGuid":"{guid}","Version":1,"TaskValue":106,"OpcodeValue":20,"RecordNumber":logid,"ActivityID":"{actid}","ExecutionProcessID":11012,"ExecutionThreadID":14124,"Channel":"Microsoft-Windows-PowerShell/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"sid","AccountType":"Group","Category":"Executing Pipeline","Opcode":"To be used when operation is just executing a method","Payload":"CommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n","EventReceivedTime":1633032155,"SourceModuleName":"powershell_modules_logs","SourceModuleType":"im_msvistalog","ContextInfo_Severity":"Informational","ContextInfo_Host Name":"Default Host","ContextInfo_Host Version":"5.1.14393.4583","ContextInfo_Host ID":"hostid","ContextInfo_Host Application":"ConfigSyncRun.exe","ContextInfo_Engine Version":"5.1.14393.4583","ContextInfo_Runspace ID":"runid","ContextInfo_Pipeline ID":1,"ContextInfo_Command Name":"Add-Type","ContextInfo_Command Type":"Cmdlet","ContextInfo_Script Name":"C:\\Program Files\\Citrix\\ConfigSync.ps1","ContextInfo_Command Path":null,"ContextInfo_Sequence Number":20,"ContextInfo_User":"ORG\\HOST$","ContextInfo_Connected User":null,"ContextInfo_Shell ID":"Microsoft.PowerShell"}

Sample Parsing

metadata.event_timestamp "2021-09-30T08:02:33"
metadata.event_type "PROCESS_LAUNCH"
metadata.vendor_name "Microsoft"
metadata.product_name "PowerShell"
metadata.product_event_type "Executing Pipeline"
metadata.product_log_id "logid"
metadata.description "To be used when operation is just executing a method"
metadata.ingested_timestamp "2021-09-30T08:02:33"
principal.hostname "host"
principal.user.userid "NETWORK SERVICE"
principal.user.windows_sid "sid"
principal.administrative_domain "NT AUTHORITY"
target.process.file.full_path "C:\\Program Files\\Citrix\\ConfigSync.ps1"
target.process.command_line "ConfigSyncRun.exe"
security_result.rule_name "EventID: 4103"
security_result.action "ALLOW"
security_result.severity "LOW"
security_result.severity_details "INFO"
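As an added example (not the parser's own code), the Python function below reproduces the field mapping from the UDM Fields table and the EventID rules from the Product Event Types table on a constructed NXLog record modelled on the Log Sample, producing the flat field/value pairs shown in Sample Parsing. It assumes the timestamp is rendered as UTC, that the severity table covers only the INFO level this page shows, and that the record's redacted placeholders are replaced with fake values; the function name normalize is the example's own.

```python
import json
from datetime import datetime, timezone

# Constructed sample, modelled on the page's NXLog record (placeholders replaced with fake values).
SAMPLE = json.dumps({
    "EventTime": 1633032153, "Hostname": "host", "Severity": "INFO", "EventID": 4103,
    "RecordNumber": 12345, "Domain": "NT AUTHORITY", "AccountName": "NETWORK SERVICE",
    "UserID": "S-1-5-20", "Category": "Executing Pipeline",
    "Opcode": "To be used when operation is just executing a method",
    "ContextInfo_Host Application": "ConfigSyncRun.exe",
    "ContextInfo_Script Name": "C:\\Program Files\\Citrix\\ConfigSync.ps1",
})

# EventID -> metadata.event_type, exactly as in the Product Event Types table.
EVENT_TYPES = {"4103": "PROCESS_LAUNCH", "4104": "PROCESS_LAUNCH", "403": "PROCESS_TERMINATION"}
# Only the level shown on this page; other levels fall back to UNKNOWN_SEVERITY (assumption).
SEVERITY = {"INFO": "LOW"}


def normalize(raw) -> dict:
    """Map one NXLog PowerShell record (JSON text or dict) to the flat UDM fields listed above."""
    ev = json.loads(raw) if isinstance(raw, str) else dict(raw)
    # NXLog emits EventID as a number while the mapping keys are strings: compare as text,
    # otherwise 4103 would silently fall through to GENERIC_EVENT.
    event_id = str(ev.get("EventID", ""))
    ts = datetime.fromtimestamp(int(ev["EventTime"]), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    udm = {
        "metadata.event_timestamp": ts,
        "metadata.event_type": EVENT_TYPES.get(event_id, "GENERIC_EVENT"),
        "metadata.vendor_name": "Microsoft",
        "metadata.product_name": "PowerShell",
        "metadata.product_event_type": ev.get("Category"),
        "metadata.product_log_id": str(ev.get("RecordNumber", "")),
        "metadata.description": ev.get("Opcode"),
        "principal.hostname": ev.get("Hostname"),
        "principal.user.userid": ev.get("AccountName"),
        "principal.user.windows_sid": ev.get("UserID"),
        "principal.administrative_domain": ev.get("Domain"),
        "target.process.file.full_path": ev.get("ContextInfo_Script Name"),
        "target.process.command_line": ev.get("ContextInfo_Host Application"),
        "security_result.rule_name": f"EventID: {event_id}",
        "security_result.action": "ALLOW",
        "security_result.severity": SEVERITY.get(str(ev.get("Severity", "")).upper(), "UNKNOWN_SEVERITY"),
        "security_result.severity_details": ev.get("Severity"),
    }
    # Omit fields the record did not carry instead of emitting empty values into UDM.
    return {k: v for k, v in udm.items() if v not in (None, "")}
```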

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming soon