en-US/Posh-SysMon.psm1-Help.xml

<?xml version="1.0" encoding="utf-8" ?>
<helpItems xmlns="http://msh" schema="maml">
    <!--Edited with: SAPIEN PowerShell HelpWriter 2015 v1.0.15-->
    <!--Generated by: SAPIEN PowerShell HelpWriter 2015 v1.0.15-->
    <!--All Commands-->
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>Get-SysmonHashingAlgorithm</command:name>
            <maml:description>
                <maml:para>Gets the hashing algorithms enabled for images.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>Get</command:verb>
            <command:noun>SysmonHashingAlgorithm</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Gets the hashing algorithms enabled for images.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>Get-SysmonHashingAlgorithm</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>Get-SysmonHashingAlgorithm</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>Get-SysmonRule</command:name>
            <maml:description>
                <maml:para>Gets the configured rules and their filters from a Sysmon XML configuration file.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>Get</command:verb>
            <command:noun>SysmonRule</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Gets the configured rules and their filters from a Sysmon XML configuration file for each event type.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>Get-SysmonRule</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type to parse rules for.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>Get-SysmonRule</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type to parse rules for.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>EventType</maml:name>
                <maml:description>
                    <maml:para>Event type to parse rules for.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
        <command:examples>
            <!--Examples-->
            <command:example>
                <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
                <maml:introduction>
                    <maml:para>C:\PS&gt;</maml:para>
                </maml:introduction>
                <dev:code>Get-SysmonConfigOptions -Path .\pc_cofig.xml -Verbose

Hashing : SHA1,IMPHASH
Network : Enabled
ImageLoading : Enabled
Comment : Config for helpdesk PCs.</dev:code>
                <dev:remarks>
                    <maml:para>
                    </maml:para>
                </dev:remarks>
            </command:example>
        </command:examples>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>New-SysmonConfiguration</command:name>
            <maml:description>
                <maml:para>Creates a new Sysmon XML configuration file.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>New</command:verb>
            <command:noun>SysmonConfiguration</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Creates a new Sysmon XML configuration file. Configuration options
and a descriptive comment can be given when generating the
XML config file.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>New-SysmonConfiguration</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to write XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>HashingAlgorithm</maml:name>
                    <maml:description>
                        <maml:para>Specify one or more hash algorithms used for image identification.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>NetworkConnect</maml:name>
                    <maml:description>
                        <maml:para>Enable all NetworkConnect events.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>DriverLoad</maml:name>
                    <maml:description>
                        <maml:para>Enable all DriverLoad events.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>ImageLoad</maml:name>
                    <maml:description>
                        <maml:para>Enable all ImageLoad events.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="5">
                    <maml:name>CreateRemoteThread</maml:name>
                    <maml:description>
                        <maml:para>Enable all CreateRemoteThread events.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="6">
                    <maml:name>FileCreateTime</maml:name>
                    <maml:description>
                        <maml:para>Enable all FileCreateTime events.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="7">
                    <maml:name>ProcessCreate</maml:name>
                    <maml:description>
                        <maml:para>Enable all ProcessCreate events.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="8">
                    <maml:name>ProcessTerminate</maml:name>
                    <maml:description>
                        <maml:para>Enable all ProcessTerminate events.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named">
                    <maml:name>Comment</maml:name>
                    <maml:description>
                        <maml:para>Comment describing the purpose of the configuration file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="">
                    <maml:name>SchemaVersion</maml:name>
                    <maml:description>
                        <maml:para>Schema version for the configuration file.
- SysMon 3.0 uses 2.0
- SysMon 4.0 uses 3.0</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>3.0</dev:defaultValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to write XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>HashingAlgorithm</maml:name>
                <maml:description>
                    <maml:para>Specify one or more hash algorithms used for image identification.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                <maml:name>NetworkConnect</maml:name>
                <maml:description>
                    <maml:para>Enable all NetworkConnect events.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                <dev:type>
                    <maml:name>SwitchParameter</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                <maml:name>DriverLoad</maml:name>
                <maml:description>
                    <maml:para>Enable all DriverLoad events.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                <dev:type>
                    <maml:name>SwitchParameter</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                <maml:name>ImageLoad</maml:name>
                <maml:description>
                    <maml:para>Enable all ImageLoad events.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                <dev:type>
                    <maml:name>SwitchParameter</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="5">
                <maml:name>CreateRemoteThread</maml:name>
                <maml:description>
                    <maml:para>Enable all CreateRemoteThread events.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                <dev:type>
                    <maml:name>SwitchParameter</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="6">
                <maml:name>FileCreateTime</maml:name>
                <maml:description>
                    <maml:para>Enable all FileCreateTime events.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                <dev:type>
                    <maml:name>SwitchParameter</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="7">
                <maml:name>ProcessCreate</maml:name>
                <maml:description>
                    <maml:para>Enable all ProcessCreate events.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                <dev:type>
                    <maml:name>SwitchParameter</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="8">
                <maml:name>ProcessTerminate</maml:name>
                <maml:description>
                    <maml:para>Enable all ProcessTerminate events.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue>
                <dev:type>
                    <maml:name>SwitchParameter</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named">
                <maml:name>Comment</maml:name>
                <maml:description>
                    <maml:para>Comment describing the purpose of the configuration file.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="">
                <maml:name>SchemaVersion</maml:name>
                <maml:description>
                    <maml:para>Schema version for the configuration file.
- SysMon 3.0 uses 2.0
- SysMon 4.0 uses 3.0</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>3.0</dev:defaultValue>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.Management.Automation.SwitchParameter</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
        <command:examples>
            <!--Examples-->
            <command:example>
                <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
                <maml:introduction>
                    <maml:para>C:\PS&gt;</maml:para>
                </maml:introduction>
                <dev:code>New-SysmonConfiguration -ConfigFile .\pc_cofig.xml -HashingAlgorithm SHA1,IMPHASH -Network -ImageLoading -Comment &quot;Config for helpdesk PCs.&quot; -Verbose

VERBOSE: Enabling hashing algorithms : SHA1,IMPHASH
VERBOSE: Enabling network connection logging.
VERBOSE: Enabling image loading logging.
VERBOSE: Config file created as C:\\pc_cofig.xml</dev:code>
                <dev:remarks>
                    <maml:para>Create a configuration file that logs all network connections and image loading, and sets a descriptive comment.</maml:para>
                </dev:remarks>
            </command:example>
        </command:examples>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>New-SysmonDriverLoadFilter</command:name>
            <maml:description>
                <maml:para>Create a new filter for the logging of driver loads by the system.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>New</command:verb>
            <command:noun>SysmonDriverLoadFilter</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Create a new filter for the logging of driver loads by the system.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>New-SysmonDriverLoadFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para/>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>New-SysmonDriverLoadFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                <maml:name>Condition</maml:name>
                <maml:description>
                    <maml:para>Condition to use for matching the value of an event field.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                <maml:name>EventField</maml:name>
                <maml:description>
                    <maml:para>Event Field to be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                <maml:name>Value</maml:name>
                <maml:description>
                    <maml:para>Value of field that will be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Literal path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>New-SysmonFileCreateFilter</command:name>
            <maml:description>
                <maml:para>Create a new filter for the logging of the modification of a File Create time attribute.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>New</command:verb>
            <command:noun>SysmonFileCreateFilter</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Create a new filter for the logging of the modification of a File Create time attribute.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>New-SysmonFileCreateFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>New-SysmonFileCreateFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                <maml:name>Condition</maml:name>
                <maml:description>
                    <maml:para>Condition to use for matching the value of an event field.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                <maml:name>EventField</maml:name>
                <maml:description>
                    <maml:para>Event Field to be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                <maml:name>Value</maml:name>
                <maml:description>
                    <maml:para>Value of field that will be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Literal path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>New-SysmonImageLoadFilter</command:name>
            <maml:description>
                <maml:para>Create a new filter for the loading of images (example: DLL, OCX) by processes.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>New</command:verb>
            <command:noun>SysmonImageLoadFilter</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Create a new filter for the loading of images (example: DLL, OCX) by processes under the ImageLoad Rule in a SysMon configuration file.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>New-SysmonImageLoadFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>New-SysmonImageLoadFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>
                </dev:defaultValue>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                <maml:name>Condition</maml:name>
                <maml:description>
                    <maml:para>Condition to use for matching the value of an event field.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                <maml:name>EventField</maml:name>
                <maml:description>
                    <maml:para>Event Field to be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                <maml:name>Value</maml:name>
                <maml:description>
                    <maml:para>Value of field that will be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Literal path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
        <command:examples>
            <!--Examples-->
            <command:example>
                <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
                <maml:introduction>
                    <maml:para>PS C:\&gt;</maml:para>
                </maml:introduction>
                <dev:code>New-SysmonImageLoadFilter -Path .\sysmon.xml -OnMatch include -Condition Contains -EventField Image -Value wshom.ocx,scrrun.dll,vbscript.dll,mshtml.dll,System.Management.Automation.ni.dll,System.Management.Automation.dll</dev:code>
                <dev:remarks>
                    <maml:para>Create a rule to log the loading of scripting components that can be abused by a malicious process.</maml:para>
                </dev:remarks>
            </command:example>
        </command:examples>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>New-SysmonNetworkConnectFilter</command:name>
            <maml:description>
                <maml:para>Create a new filter for the logging of TCP, UDP and ICP network connections by a process.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>New</command:verb>
            <command:noun>SysmonNetworkConnectFilter</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Create a new filter for the logging of TCP, UDP and ICP network connections by a process.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>New-SysmonNetworkConnectFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>New-SysmonNetworkConnectFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>
                </dev:defaultValue>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                <maml:name>Condition</maml:name>
                <maml:description>
                    <maml:para>Condition to use for matching the value of an event field.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                <maml:name>EventField</maml:name>
                <maml:description>
                    <maml:para>Event Field to be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                <maml:name>Value</maml:name>
                <maml:description>
                    <maml:para>Value of field that will be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Literal path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>New-SysmonProcessCreateFilter</command:name>
            <maml:description>
                <maml:para>Create a new filter for the logging of the creation of new processes.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>New</command:verb>
            <command:noun>SysmonProcessCreateFilter</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Create a new filter for the logging of the creation of new processes.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>New-SysmonProcessCreateFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>New-SysmonProcessCreateFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>
                </dev:defaultValue>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                <maml:name>Condition</maml:name>
                <maml:description>
                    <maml:para>Condition to use for matching the value of an event field.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                <maml:name>EventField</maml:name>
                <maml:description>
                    <maml:para>Event Field to be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                <maml:name>Value</maml:name>
                <maml:description>
                    <maml:para>Value of field that will be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Literal path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>New-SysmonProcessTerminateFilter</command:name>
            <maml:description>
                <maml:para>Create a new filter for the logging of process termination.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>New</command:verb>
            <command:noun>SysmonProcessTerminateFilter</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Create a new filter for the logging of process termination.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>New-SysmonProcessTerminateFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>New-SysmonProcessTerminateFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to SysMon rule XML file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition to use for matching the value of an event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event Field to be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of field that will be evaluated.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Action the rule takes when any filter under it matches.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>
                </dev:defaultValue>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2">
                <maml:name>Condition</maml:name>
                <maml:description>
                    <maml:para>Condition to use for matching the value of an eventfield.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                <maml:name>EventField</maml:name>
                <maml:description>
                    <maml:para>Event Field to be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                <maml:name>Value</maml:name>
                <maml:description>
                    <maml:para>Value of field that will be evaluated.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Literal path to SysMon rule XML file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>Remove-SysmonRule</command:name>
            <maml:description>
                <maml:para>Removes one or more rules from a Sysmon XML configuration file.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>Remove</command:verb>
            <command:noun>SysmonRule</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Removes one or more rules from a Sysmon XML configuration file.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>Remove-SysmonRule</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type to remove. It is case sensitive.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Action the rule takes when any filter under it matches.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>Remove-SysmonRule</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type to remove. It is case sensitive.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Action the rule takes when any filter under it matches.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>EventType</maml:name>
                <maml:description>
                    <maml:para>Event type to remove. It is case sensitive.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Action the rule takes when any filter under it matches.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>
                </dev:defaultValue>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Literal path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
        <command:examples>
            <!--Examples-->
            <command:example>
                <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
                <maml:introduction>
                    <maml:para>PS C:\&gt;</maml:para>
                </maml:introduction>
                <dev:code>Remove-SysmonRule -Path .\pc_marketing.xml -EventType ImageLoad,NetworkConnect -Verbose
VERBOSE: Removed rule for ImageLoad.
VERBOSE: Removed rule for NetworkConnect.</dev:code>
                <dev:remarks>
                    <maml:para>
                    </maml:para>
                </dev:remarks>
            </command:example>
        </command:examples>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>Remove-SysmonRuleFilter</command:name>
            <maml:description>
                <maml:para>Removes an existing Sysmon filter rule for a given event type.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>Remove</command:verb>
            <command:noun>SysmonRuleFilter</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Removes an existing Sysmon filter rule for a given event type.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>Remove-SysmonRuleFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type to remove filter rule from. It is case sensitive.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Action the rule takes when any filter under it matches.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition used against the event field value.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event field for the given event type.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="5">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>Remove-SysmonRuleFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type to remove filter rule from. It is case sensitive.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Action the rule takes when any filter under it matches.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                    <maml:name>Condition</maml:name>
                    <maml:description>
                        <maml:para>Condition used against the event field value.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                    <maml:name>EventField</maml:name>
                    <maml:description>
                        <maml:para>Event field for the given event type.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="5">
                    <maml:name>Value</maml:name>
                    <maml:description>
                        <maml:para>Value of event field.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>EventType</maml:name>
                <maml:description>
                    <maml:para>Event type to remove filter rule from. It is case sensitive.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Action the rule takes when any filter under it matches.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>
                </dev:defaultValue>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3">
                <maml:name>Condition</maml:name>
                <maml:description>
                    <maml:para>Condition used against the event field value.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4">
                <maml:name>EventField</maml:name>
                <maml:description>
                    <maml:para>Event field for the given event type.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="5">
                <maml:name>Value</maml:name>
                <maml:description>
                    <maml:para>Value of event field.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Literal path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>Set-SysmonHashingAlgorithm</command:name>
            <maml:description>
                <maml:para>Set the hashing algorithms to use against process, library and driver images.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>Set</command:verb>
            <command:noun>SysmonHashingAlgorithm</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Set the hashing algorithms to use against process, library and driver images.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>Set-SysmonHashingAlgorithm</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>HashingAlgorithm</maml:name>
                    <maml:description>
                        <maml:para>Specify one or more hash algorithms used for image identification.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>Set-SysmonHashingAlgorithm</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Literal path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>HashingAlgorithm</maml:name>
                    <maml:description>
                        <maml:para>Specify one or more hash algorithms used for image identification.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>HashingAlgorithm</maml:name>
                <maml:description>
                    <maml:para>Specify one or more hash algorithms used for image identification.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>Set-SysmonRule</command:name>
            <maml:description>
                <maml:para>Creates a Rule and sets its default action in a Sysmon configuration XML file.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>Set</command:verb>
            <command:noun>SysmonRule</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Creates a rule for the specified Event Type and sets the default action
for the rule and the filters under it. If a rule for that event type already
exists, its default action is updated instead. The default action is Exclude.
The action is set per event type and applies to every filter under it, so
changing it inverts what those filters mean: with Exclude, matching events are
dropped and everything else is logged; with Include, only matching events are
logged. Verify the resulting configuration before deploying it, since the wrong
action can silently stop Sysmon from recording the events you rely on.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>Set-SysmonRule</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type to update.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named">
                    <maml:name>Action</maml:name>
                    <maml:description>
                        <maml:para>Default action (Include or Exclude) to set for the event type rule; it applies to all filters under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>Set-SysmonRule</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type to update.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named">
                    <maml:name>Action</maml:name>
                    <maml:description>
                        <maml:para>Default action (Include or Exclude) to set for the event type rule; it applies to all filters under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>EventType</maml:name>
                <maml:description>
                    <maml:para>Event type to update.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>
                </dev:defaultValue>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named">
                <maml:name>Action</maml:name>
                <maml:description>
                    <maml:para>Default action (Include or Exclude) to set for the event type rule; it applies to all filters under the rule.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
        <command:examples>
            <!--Examples-->
            <command:example>
                <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
                <maml:introduction>
                    <maml:para>C:\PS&gt;</maml:para>
                </maml:introduction>
                <dev:code>Get-SysmonRule -Path .\pc_cofig.xml -EventType NetworkConnect -OnMatch Exclude

EventType : NetworkConnect
 Scope : Filtered
 DefaultAction : Exclude
 Filters : {@{EventField=image; Condition=Is; Value=iexplorer.exe}}

PS C:\&gt; Set-SysmonRule -Path .\pc_cofig.xml -EventType NetworkConnect -Action Include -Verbose
VERBOSE: Setting as default action for NetworkConnect the action of Include.
VERBOSE: Action has been set.

PS C:\&gt; Get-SysmonRule -Path .\pc_cofig.xml -EventType NetworkConnect


EventType : NetworkConnect
Scope : Filtered
DefaultAction : Include
Filters : {@{EventField=image; Condition=Is; Value=iexplorer.exe}}</dev:code>
                <dev:remarks>
                    <maml:para>Change the default rule action from Exclude to Include. With Exclude, the filter caused network connections from iexplorer.exe to be ignored while everything else was logged; with Include, only network connections from iexplorer.exe are logged and connections from every other image are dropped. Check that this is the intended coverage before deploying the configuration.</maml:para>
                </dev:remarks>
            </command:example>
        </command:examples>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>Get-SysmonEventData</command:name>
            <maml:description>
                <maml:para>Searches for the specified Sysmon events and returns the Event Data as a custom object.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>Get</command:verb>
            <command:noun>SysmonEventData</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Searches for the specified Sysmon events and returns the Event Data as a custom object.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>Get-SysmonEventData</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>EventId</maml:name>
                    <maml:description>
                        <maml:para>Sysmon Event ID of records to show</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Int32[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>MaxEvents</maml:name>
                    <maml:description>
                        <maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the
events in the logs or files.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named">
                    <maml:name>StartTime</maml:name>
                    <maml:description>
                        <maml:para>Start date and time of the search window; events from this point forward are returned.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">DateTime</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named">
                    <maml:name>EndTime</maml:name>
                    <maml:description>
                        <maml:para>End date and time of the search window; events after this point are not returned.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">DateTime</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>Get-SysmonEventData</maml:name>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>EventType that a Rule can be written against.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>MaxEvents</maml:name>
                    <maml:description>
                        <maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the
events in the logs or files.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named">
                    <maml:name>StartTime</maml:name>
                    <maml:description>
                        <maml:para>Start date and time of the search window; events from this point forward are returned.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">DateTime</command:parameterValue>
                </command:parameter>
                <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named">
                    <maml:name>EndTime</maml:name>
                    <maml:description>
                        <maml:para>End date and time of the search window; events after this point are not returned.</maml:para>
                    </maml:description>
                    <command:parameterValue required="false" variableLength="false">DateTime</command:parameterValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>EventId</maml:name>
                <maml:description>
                    <maml:para>Sysmon Event ID of records to show</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Int32[]</command:parameterValue>
                <dev:type>
                    <maml:name>Int32[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>MaxEvents</maml:name>
                <maml:description>
                    <maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the
events in the logs or files.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">Int32</command:parameterValue>
                <dev:type>
                    <maml:name>Int32</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>0</dev:defaultValue>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named">
                <maml:name>StartTime</maml:name>
                <maml:description>
                    <maml:para>Start date and time of the search window; events from this point forward are returned.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">DateTime</command:parameterValue>
                <dev:type>
                    <maml:name>DateTime</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named">
                <maml:name>EndTime</maml:name>
                <maml:description>
                    <maml:para>End date and time of the search window; events after this point are not returned.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">DateTime</command:parameterValue>
                <dev:type>
                    <maml:name>DateTime</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>EventType</maml:name>
                <maml:description>
                    <maml:para>EventType that a Rule can be written against.</maml:para>
                </maml:description>
                <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue>
                <dev:type>
                    <maml:name>String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Int32[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.Int32</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String[]</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
        <command:examples>
            <!--Examples-->
            <command:example>
                <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
                <maml:introduction>
                    <maml:para>PS C:\&gt;</maml:para>
                </maml:introduction>
                <dev:code>Get-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)</dev:code>
                <dev:remarks>
                    <maml:para>Up to 10 process creation (Event ID 1) events from the last 24 hours.</maml:para>
                </dev:remarks>
            </command:example>
            <command:example>
                <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title>
                <maml:introduction>
                    <maml:para>PS C:\&gt;</maml:para>
                </maml:introduction>
                <dev:code>Get-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\export.evtx</dev:code>
                <dev:remarks>
                    <maml:para>The last 20 network connection (Event ID 3) events from an exported Sysmon log file.</maml:para>
                </dev:remarks>
            </command:example>
        </command:examples>
    </command:command>
    <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10">
        <!--Command-->
        <command:details>
            <command:name>Get-SysmonRuleFilter</command:name>
            <maml:description>
                <maml:para>Get the configured filters for a specified Event Type Rule in a Sysmon configuration file.</maml:para>
            </maml:description>
            <maml:copyright>
                <maml:para/>
            </maml:copyright>
            <command:verb>Get</command:verb>
            <command:noun>SysmonRuleFilter</command:noun>
            <dev:version/>
        </command:details>
        <maml:description>
            <maml:para>Get the configured filters for a specified Event Type Rule in a Sysmon configuration file.</maml:para>
        </maml:description>
        <command:syntax>
            <!--Parameter Sets-->
            <command:syntaxItem>
                <maml:name>Get-SysmonRuleFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>Path</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                    <maml:name>EventType</maml:name>
                    <maml:description>
                        <maml:para>Event type rule to get the filters for.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
            </command:syntaxItem>
            <command:syntaxItem>
                <maml:name>Get-SysmonRuleFilter</maml:name>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                    <maml:name>LiteralPath</maml:name>
                    <maml:description>
                        <maml:para>Path to XML config file.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                </command:parameter>
                <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                    <maml:name>OnMatch</maml:name>
                    <maml:description>
                        <maml:para>Rule filter action on a match of any filter under the rule.</maml:para>
                    </maml:description>
                    <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                    <dev:defaultValue>
                    </dev:defaultValue>
                </command:parameter>
            </command:syntaxItem>
        </command:syntax>
        <command:parameters>
            <!--All Parameters-->
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>Path</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1">
                <maml:name>EventType</maml:name>
                <maml:description>
                    <maml:para>Event type rule to get the filters for.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="">
                <maml:name>OnMatch</maml:name>
                <maml:description>
                    <maml:para>Rule filter action (include or exclude) applied when any filter under the rule matches.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
                <dev:type>
                    <maml:name>String</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue>
                </dev:defaultValue>
            </command:parameter>
            <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0">
                <maml:name>LiteralPath</maml:name>
                <maml:description>
                    <maml:para>Path to XML config file.</maml:para>
                </maml:description>
                <command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
                <dev:type>
                    <maml:name>Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <dev:defaultValue/>
            </command:parameter>
        </command:parameters>
        <command:inputTypes>
            <!--Inputs-->
            <command:inputType>
                <dev:type>
                    <maml:name>System.Object</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                </maml:description>
            </command:inputType>
            <command:inputType>
                <dev:type>
                    <maml:name>System.String</maml:name>
                    <maml:uri/>
                </dev:type>
                <maml:description>
                    <maml:para/>
                </maml:description>
            </command:inputType>
        </command:inputTypes>
        <command:examples>
            <!--Examples-->
            <command:example>
                <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
                <maml:introduction>
                    <maml:para>C:\PS&gt;</maml:para>
                </maml:introduction>
                <dev:code>Get-SysmonRuleFilter -Path C:\sysmon.xml -EventType ProcessCreate -OnMatch exclude</dev:code>
                <dev:remarks>
                    <maml:para>Gets the exclude filters under the ProcessCreate rule.</maml:para>
                </dev:remarks>
            </command:example>
        </command:examples>
    </command:command>
    <!--Generated by: SAPIEN PowerShell HelpWriter 2015 v1.0.15-->
</helpItems>