PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS. As a scripting language, PowerShell is commonly used for automating the management of systems. It is also used to build, test, and deploy solutions, often in CI/CD environments. PowerShell Desired State Configuration (DSC) is a management framework in PowerShell that enables you to manage your enterprise infrastructure with configuration as code.
Device Details
| Device Name | MS Windows Event Logging XML – PowerShell |
|---|---|
| Vendor | MS Windows |
| Device Type | PowerShell |
| Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
| Supported Software Version(s) | N/A |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | No |
| Log Source Type | MS Windows Event Logging XML - PowerShell |
| Log Processing Policy | LogRhythm Default v2.0 |
| Exceptions | N/A |
| Additional Information | https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.1 |
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| EVID 200, 300 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <subject>, <account>, <action>, <objecttype>, <object>, <command> |
| EVID 400, 403, 600 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <status>, <account>, <command> |
| EVID 500, 501 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <account>, <action>, <objecttype>, <object>, <command> |
| EVID 800 : PS Pipeline Execution | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <account>, <object>, <command>, <action> |
| EVID 4100, 4101, 4102, 4103 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <action>, <objecttype>, <object>, <command> |
| EVID 4104 : PS Script Execution | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <quantity>, <command>, <object>, <objectname> |
| EVID 4105, 4106 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <object> |
| EVID 8193, 24577, 40961, 53249 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <parentprocesspath> |
| EVID 32784 : PS WinRM Error | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <session> |
| EVID 53504 : PS IPC Listening Started | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <processid>, <object> |
| EVID 53506 : PS IPC Listening Error | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <processid> |
Revision History
| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.622.0 | MS Windows Event Logging XML – PowerShell | New Log Source Type | New Device Support for MS Windows Event Logging XML - PowerShell |