MS Windows Event Logging XML - PowerShell
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS. As a scripting language, PowerShell is commonly used for automating the management of systems. It is also used to build, test, and deploy solutions, often in CI/CD environments. PowerShell Desired State Configuration (DSC) is a management framework in PowerShell that enables you to manage your enterprise infrastructure with configuration as code.
Device Details
| Device Name | MS Windows Event Logging XML – PowerShell |
|---|---|
Vendor | MS Windows |
Device Type | PowerShell |
Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
Supported Software Version(s) | N/A |
Collection Method | MS Windows Event Logging |
Configurable Log Output? | No |
Log Source Type | MS Windows Event Logging XML - PowerShell |
Log Processing Policy | LogRhythm Default v2.0 |
Exceptions | N/A |
Additional Information | https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.1 |
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| EVID 200, 300 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <subject>, <account>, <action>, <objecttype>, <object>, <command> |
| EVID 400, 403, 600 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <status>, <account>, <command> |
| EVID 500, 501 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <account>, <action>, <objecttype>, <object>, <command> |
| EVID 800 : PS Pipeline Execution | N/A | <vmid>, <severity>. <vendorinfo>, <dname>, <domainorigin>, <login>, <account>, <object>, <command>, <action> |
| EVID 4100, 4101, 4102, 4103 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <action>, <objecttype>, <object>, <command> |
| EVID 4104 : PS Script Execution | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <quantity>, <command>, <object>, <objectname> |
| EVID 4105, 4106 | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <object> |
| EVID 8193, 24577, 40961, 53249 | N/A | <vmid>, <severity>. <vendorinfo>, <dname>, <domainorigin>, <login> |
| EVID 32784 : PS WinRM Error | N/A | <vmid>, <severity>. <vendorinfo>, <dname>, <domainorigin>, <login>, <session> |
| EVID 53504 : PS IPC Listening Started | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <processid> |
| EVID 53506 : PS IPC Listening Error | N/A | <vmid>, <severity>, <vendorinfo>, <dname>, <domainorigin>, <login>, <processid> |
Revision History
KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.622.0 | MS Windows Event Logging XML – PowerShell | New Log Source Type | New Device Support for MS Windows Event Logging XML - PowerShell |