Windows PowerShell

Version: Windows PowerShell 3.0 and later

Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and an associated scripting language built on the .NET Framework. PowerShell comes in two versions: the Console and the Integrated Scripting Environment (ISE). Windows Remote Management (WinRM) provides SSH-like remote shell capability through PowerShell. Netsurion collects and analyzes the logs generated by PowerShell to help an administrator monitor remote sessions for rogue scripts or commands.

Netsurion Data Source Integration for Windows PowerShell allows you to monitor the following components:

  • Operations - Script or command execution, locally or remotely
  • Security - Script or command execution errors, remote session creation
  • Compliance - Remote session user authentication attempts

Once Windows PowerShell is configured to deliver events to Netsurion's Open XDR platform, alerts, reports and dashboards can be configured in the platform.

Some of the alerts and reports available in this Data Source Integration are listed below.

Alerts

  • Windows PowerShell - Command execution failed (Security): Generated when a command execution on PowerShell fails.
  • Windows PowerShell - Remote session initiated (Security): Generated when a PowerShell remote session is initialized.
  • Windows PowerShell - Remote session user authentication failed (Compliance): Generated when PowerShell user authentication fails.

Reports

  • Windows PowerShell - Remote session creation details (Security): Provides information related to PowerShell remote session initialization, including the Computer, User Name and Remote Host fields.
  • Windows PowerShell - Command execution error details (Security): Provides information related to command execution errors from scripts or the CLI on PowerShell, including the User Name, Host Type, Script Path, Command Executed and Command Parameters fields.
  • Windows PowerShell - Command execution details (Operations): Provides information related to command execution on PowerShell, including the User Name, Host Type, Command Executed and Command Parameters fields.
  • Windows PowerShell - Script execution details (Operations): Provides information related to command execution through scripts on PowerShell, including the User Name, Host Type, Script Path, Command Executed and Command Parameters fields.
  • Windows PowerShell - Remote session authentication success details (Compliance): Provides information related to successful PowerShell remote session authentication, including the Computer, Remote User Name and Authentication Method fields.
  • Windows PowerShell - Remote session authentication failure details (Compliance): Provides information related to unsuccessful PowerShell remote session authentication attempts, including the Computer, Event User and Reason fields.

Documentation

The configuration details in this guide apply to Netsurion version 7.X and later, and to Windows PowerShell 3.0 and later.

Download the Integration Guide for more information.