Windows PowerShell
Version: Windows PowerShell 3.0 and later
Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework. PowerShell comes in two versions: Console and Integrated Scripting Environment (ISE). Windows Remote Management (WinRM) allows for SSH-like remote shell capability through PowerShell. Netsurion Open XDR amasses and examines logs generated by PowerShell to help an administrator monitor remote sessions for rogue scripts or commands.
Netsurion Data Source Integration for Windows PowerShell allows you to monitor the following components:-
- Operations – Script or command execution locally or remotely
- Security – Script or command execution errors, remote session creation
- Compliance – Remote session user authentication attempts
Once Windows PowerShell is configured to deliver events to Netsurion Open XDR; alerts, reports and dashboards can be configured into Netsurion Open XDR.
The following are the key Data Source Integration available in Netsurion Open XDR.
Alerts
| Type | Name | Description |
|---|---|---|
| Security | Windows PowerShell – Command execution failed | This alert is generated when command execution on PowerShell fails. |
| Security | Windows PowerShell – Remote session initiated | This alert is generated when PowerShell remote session is initialized. |
| Compliance | Windows PowerShell – Remote session user authentication failed | This alert is generated when PowerShell user authentication fails. |
Reports
| Type | Name | Description |
|---|---|---|
| Security | Windows PowerShell – Remote session creation details | This report provides information related to PowerShell remote session initialization, which includes Computer, User Name and Remote Host fields. |
| Security | Windows PowerShell – Command execution error details | This report provides information related to command execution errors by script or CLI on PowerShell, which includes User Name, Host Type, Script Path, Command Executed and Command Parameters fields. |
| Operations | Windows PowerShell – Command execution details | This report provides information related to command execution on PowerShell, which includes User Name, Host Type, Command Executed and Command Parameters fields. |
| Operations | Windows PowerShell – Script execution details | This report provides information related to command execution through script on PowerShell, which includes User Name, Host Type, Script Path, Command Executed and Command Parameters fields. |
| Compliance | Windows PowerShell – Remote session authentication success details | This report provides information related to successful PowerShell remote session authentication, which includes Computer, Remote User Name and Authentication Method fields. |
| Compliance | Windows PowerShell – Remote session authentication failure details | This report provides information related to unsuccessful PowerShell remote session authentication attempts, which includes Computer, Event User and Reason fields. |
Documentation
The configuration details are consistent with Netsurion Open XDR 9.x and later, Windows PowerShell.
Download Integration Guide for configuration instructions and more information.