Windows PowerShell

Version: Windows PowerShell 3.0 and later

Windows PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and an associated scripting language built on the .NET Framework. PowerShell ships with two host applications: the console and the Integrated Scripting Environment (ISE). Windows Remote Management (WinRM) gives PowerShell an SSH-like remote shell capability. Netsurion Open XDR collects and analyzes the logs PowerShell generates so that an administrator can monitor local and remote sessions for rogue scripts or commands.

Netsurion Data Source Integration for Windows PowerShell allows you to monitor the following components:

  • Operations – Script or command execution locally or remotely
  • Security – Script or command execution errors, remote session creation
  • Compliance – Remote session user authentication attempts

Once Windows PowerShell is configured to deliver events to Netsurion Open XDR, alerts, reports and dashboards can be configured in Netsurion Open XDR.
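Before events are forwarded, it is worth confirming on the endpoint that the Windows logs behind the Operations, Security and Compliance components above are actually enabled and populated. The PowerShell script below is an added example, not part of this page or of the Netsurion integration. It reads the Group Policy registry values for module and script block logging and then queries the local PowerShell and WinRM operational logs. The event IDs used are standard Windows ones (4103 module logging, 4104 script block logging, WinRM 91 shell creation and 169 successful authentication); the page does not state which events the integration parses, so their mapping to the reports listed here is an assumption.

```powershell
# Added example (not Netsurion's integration code): verify locally that the
# PowerShell and WinRM logs a log collector relies on are enabled and populated.
# Event IDs are standard Windows ones; their mapping to the Netsurion reports
# is an assumption, since the page does not list the events it parses.

function Get-PowerShellAuditPolicy {
    # Group Policy registry locations for PowerShell module and script block logging.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $module = Get-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -ErrorAction SilentlyContinue
    $script = Get-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ModuleLogging      = ($module.EnableModuleLogging -eq 1)
        ScriptBlockLogging = ($script.EnableScriptBlockLogging -eq 1)
    }
}

function Get-PowerShellActivityEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 200
    )
    # 4103 = module logging (command name plus bound parameters, PS 3.0+)
    # 4104 = script block text (PS 5.0+); together they back "command executed / parameters" style reporting.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, UserId, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Get-RemoteSessionEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 200
    )
    # 91  = WSMan shell created on this host, i.e. an inbound remote PowerShell session
    # 169 = user authenticated successfully, including the authentication method used
    $filter = @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91, 169; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: run in an elevated session on the monitored host.
Get-PowerShellAuditPolicy
Get-PowerShellActivityEvents | Format-Table -AutoSize
Get-RemoteSessionEvents    | Format-Table -AutoSize
```

If Get-PowerShellAuditPolicy reports either setting as False, the corresponding events will not exist to be forwarded, regardless of how the collector is configured; an empty result from the two query functions on a host that is known to run scripts or accept remote sessions points to the same gap.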

The following are the key Data Source Integration components available in Netsurion Open XDR.

Alerts

Type: Security
  • Windows PowerShell – Command execution failed: generated when command execution on PowerShell fails.
  • Windows PowerShell – Remote session initiated: generated when a PowerShell remote session is initialized.

Type: Compliance
  • Windows PowerShell – Remote session user authentication failed: generated when PowerShell user authentication fails.

Reports

Type: Security
  • Windows PowerShell – Remote session creation details: information related to PowerShell remote session initialization, including the Computer, User Name and Remote Host fields.
  • Windows PowerShell – Command execution error details: information related to command execution errors by script or CLI on PowerShell, including the User Name, Host Type, Script Path, Command Executed and Command Parameters fields.

Type: Operations
  • Windows PowerShell – Command execution details: information related to command execution on PowerShell, including the User Name, Host Type, Command Executed and Command Parameters fields.
  • Windows PowerShell – Script execution details: information related to command execution through scripts on PowerShell, including the User Name, Host Type, Script Path, Command Executed and Command Parameters fields.

Type: Compliance
  • Windows PowerShell – Remote session authentication success details: information related to successful PowerShell remote session authentication, including the Computer, Remote User Name and Authentication Method fields.
  • Windows PowerShell – Remote session authentication failure details: information related to unsuccessful PowerShell remote session authentication attempts, including the Computer, Event User and Reason fields.

Documentation

The configuration details apply to Netsurion Open XDR 9.x and later and to Windows PowerShell 3.0 and later.

Download the Integration Guide for configuration instructions and more information.