en-US/Posh-SysMon.psm1-Help.xml
|
<?xml version="1.0" encoding="utf-8"?>
<helpItems xmlns="http://msh" schema="maml"> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>Get-SysmonHashingAlgorithm</command:name> <command:verb>Get</command:verb> <command:noun>SysmonHashingAlgorithm</command:noun> <maml:description><maml:para>Gets the hashing algorithms enabled for images. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Gets the hashing algorithms enabled for images. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>Get-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>Get-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>Example 1</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks><maml:para>{{ Add example description here }} </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>Get-SysmonRule</command:name> <command:verb>Get</command:verb> <command:noun>SysmonRule</command:noun> <maml:description><maml:para>Gets configured rules and their filters on a Sysmon XML configuration file. config file. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Gets configured rules and their filters on a Sysmon XML configuration file. config file for each event type. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>Get-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to parse rules for. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>Get-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to parse rules for. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to parse rules for. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>Get-SysmonConfigOptions -Path .\pc_cofig.xml -Verbose Hashing : SHA1,IMPHASH Network : Enabled ImageLoading : Enabled Comment : Config for helpdesk PCs.</dev:code> <dev:remarks><maml:para> </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonConfiguration</command:name> <command:verb>New</command:verb> <command:noun>SysmonConfiguration</command:noun> <maml:description><maml:para>Creates a new Sysmon XML configuration file. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Creates a new Sysmon XML configuration file. Configuration options and a descriptive comment can be given when generating the XML config file. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonConfiguration</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to write XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>HashingAlgorithm</maml:name> <maml:Description><maml:para>Specify one or more hash algorithms used for image identification </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>NetworkConnect</maml:name> <maml:Description><maml:para>Enable all NetworkConnect events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>DriverLoad</maml:name> <maml:Description><maml:para>Enable all DrierLoad events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>ImageLoad</maml:name> <maml:Description><maml:para>Enable all ImageLoad events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>CreateRemoteThread</maml:name> <maml:Description><maml:para>Enable all CreateRemoteThread events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="6" aliases="none"><maml:name>FileCreateTime</maml:name> <maml:Description><maml:para>Enable all FileCreateTimeEvents. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="7" aliases="none"><maml:name>ProcessCreate</maml:name> <maml:Description><maml:para>Enable all ProcessCreate events </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="8" aliases="none"><maml:name>ProcessTerminate</maml:name> <maml:Description><maml:para>Enable all ProcessTerminate events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>Comment</maml:name> <maml:Description><maml:para>Comment for purpose of the configuration file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>SchemaVersion</maml:name> <maml:Description><maml:para>Schema Vesion for the configuration file, default is 3.3. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>3.0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>CheckRevocation</maml:name> <maml:Description><maml:para>Check for signature certificate revocation. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>FileCreate</maml:name> <maml:Description><maml:para>Log File Creation events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>FileCreateStreamHash</maml:name> <maml:Description><maml:para>Log File Creation events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>ProcessAccess</maml:name> <maml:Description><maml:para>Log when a running process opens another process. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>RawAccessRead</maml:name> <maml:Description><maml:para>Log raw access reads of files. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>RegistryEvent</maml:name> <maml:Description><maml:para>Log Registry events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>PipeEvent</maml:name> <maml:Description><maml:para>Log NamedPipes connection and creations events. </maml:para> </maml:Description> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to write XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>HashingAlgorithm</maml:name> <maml:Description><maml:para>Specify one or more hash algorithms used for image identification </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>NetworkConnect</maml:name> <maml:Description><maml:para>Enable all NetworkConnect events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>DriverLoad</maml:name> <maml:Description><maml:para>Enable all DrierLoad events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>ImageLoad</maml:name> <maml:Description><maml:para>Enable all ImageLoad events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>CreateRemoteThread</maml:name> <maml:Description><maml:para>Enable all CreateRemoteThread events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="6" aliases="none"><maml:name>FileCreateTime</maml:name> <maml:Description><maml:para>Enable all FileCreateTimeEvents. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="7" aliases="none"><maml:name>ProcessCreate</maml:name> <maml:Description><maml:para>Enable all ProcessCreate events </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="8" aliases="none"><maml:name>ProcessTerminate</maml:name> <maml:Description><maml:para>Enable all ProcessTerminate events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>Comment</maml:name> <maml:Description><maml:para>Comment for purpose of the configuration file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>SchemaVersion</maml:name> <maml:Description><maml:para>Schema Vesion for the configuration file, default is 3.3. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>3.0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>CheckRevocation</maml:name> <maml:Description><maml:para>Check for signature certificate revocation. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>FileCreate</maml:name> <maml:Description><maml:para>Log File Creation events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>FileCreateStreamHash</maml:name> <maml:Description><maml:para>Log File Creation events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>ProcessAccess</maml:name> <maml:Description><maml:para>Log when a running process opens another process. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>RawAccessRead</maml:name> <maml:Description><maml:para>Log raw access reads of files. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>RegistryEvent</maml:name> <maml:Description><maml:para>Log Registry events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>PipeEvent</maml:name> <maml:Description><maml:para>Log NamedPipes connection and creations events. </maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type><maml:name>SwitchParameter</maml:name> <maml:uri /></dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.String</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.Management.Automation.SwitchParameter</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>New-SysmonConfiguration -ConfigFile .\pc_cofig.xml -HashingAlgorithm SHA1,IMPHASH -Network -ImageLoading -Comment "Config for helpdesk PCs." -Verbose VERBOSE: Enabling hashing algorithms : SHA1,IMPHASH VERBOSE: Enabling network connection logging. VERBOSE: Enabling image loading logging. VERBOSE: Config file created as C:\\pc_cofig.xml</dev:code> <dev:remarks><maml:para>Create a configuration file that will log all network connction, image loading and sets a descriptive comment. </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonDriverLoadFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonDriverLoadFilter</command:noun> <maml:description><maml:para>Create a new filter for the logging of loading of a driver by the system. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Create a new filter for the logging of loading of a driver by the system. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonDriverLoadFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>@{Text=} </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>New-SysmonDriverLoadFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>@{Text=} </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>@{Text=} </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>Example 1</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks><maml:para>{{ Add example description here }} </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonImageLoadFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonImageLoadFilter</command:noun> <maml:description><maml:para>Create a new filter for the loading of loading of images (example: DLL, OCX) by processes. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Create a new filter for the loading of loading of images (example: DLL, OCX) by processes under the ImageLoad Rule in a SysMon configuration file. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonImageLoadFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>New-SysmonImageLoadFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>New-SysmonImageLoadFilter -Path .\sysmon.xml -OnMatch include -Condition Contains -EventField Image -Value wshom.ocx,scrrun.dll,vbscript.dll,mshtml.dll,System.Management.Automation.ni.dll,System.Management.Automation.dll</dev:code> <dev:remarks><maml:para>Create a rule to log the loading of scripting components that can be abused my a malicious process. </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonNetworkConnectFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonNetworkConnectFilter</command:noun> <maml:description><maml:para>Create a new filter for the logging of TCP, UDP and ICP network connections by a process. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Create a new filter for the logging of TCP, UDP and ICP network connections by a process. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonNetworkConnectFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>New-SysmonNetworkConnectFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>Example 1</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks><maml:para>{{ Add example description here }} </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonProcessCreateFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonProcessCreateFilter</command:noun> <maml:description><maml:para>Create a new filter for the logging of the creation of new processes. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Create a new filter for the logging of the creation of new processes. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonProcessCreateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>New-SysmonProcessCreateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>Example 1</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks><maml:para>{{ Add example description here }} </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonProcessTerminateFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonProcessTerminateFilter</command:noun> <maml:description><maml:para>Create a new filter for the logging of process termination. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Create a new filter for the logging of process termination. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonProcessTerminateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>New-SysmonProcessTerminateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition to use for matching the value of an eventfield. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event Field to be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of field that will be evaluated. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Literal path to SysMon rule XML file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>Example 1</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks><maml:para>{{ Add example description here }} </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>Remove-SysmonRule</command:name> <command:verb>Remove</command:verb> <command:noun>SysmonRule</command:noun> <maml:description><maml:para>Removes on or more rules from a Sysmon XML configuration file. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Removes on or more rules from a Sysmon XML configuration file. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>Remove-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to remove. It is case sensitive. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>Remove-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to remove. It is case sensitive. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to remove. It is case sensitive. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>Remove-SysmonRule -Path .\pc_marketing.xml -EventType ImageLoad,NetworkConnect -Verbose VERBOSE: Removed rule for ImageLoad. VERBOSE: Removed rule for NetworkConnect.</dev:code> <dev:remarks><maml:para> </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>Remove-SysmonRuleFilter</command:name> <command:verb>Remove</command:verb> <command:noun>SysmonRuleFilter</command:noun> <maml:description><maml:para>Removes a existing SysMon filter rule for a given event type. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Removes a existing SysMon filter rule for a given event type. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>Remove-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to remove filter rule from. It is case sensitive. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition used against the event field value. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field for the given event type. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>Remove-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to remove filter rule from. It is case sensitive. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition used against the event field value. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field for the given event type. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to remove filter rule from. It is case sensitive. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition used against the event field value. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field for the given event type. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>Example 1</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks><maml:para>{{ Add example description here }} </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>Set-SysmonHashingAlgorithm</command:name> <command:verb>Set</command:verb> <command:noun>SysmonHashingAlgorithm</command:noun> <maml:description><maml:para>Set the hashing algorithms to use against process, library and driver images. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Set the hashing algorithms to use against process, library and driver images. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>Set-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>HashingAlgorithm</maml:name> <maml:Description><maml:para>Specify one or more hash algorithms used for image identification </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>Set-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>HashingAlgorithm</maml:name> <maml:Description><maml:para>Specify one or more hash algorithms used for image identification </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>HashingAlgorithm</maml:name> <maml:Description><maml:para>Specify one or more hash algorithms used for image identification </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>Example 1</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks><maml:para>{{ Add example description here }} </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>Set-SysmonRule</command:name> <command:verb>Set</command:verb> <command:noun>SysmonRule</command:noun> <maml:description><maml:para>Creates a Rule and sets its default action in a Sysmon configuration XML file. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Creates a rules for a specified Event Type and sets the default action for the rule and filters under it. Ir a rule alreade exists it udates the default action taken by a event type rule if one aready present. The default is exclude. This default is set for event type and affects all filters under it. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>Set-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to update. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>Action</maml:name> <maml:Description><maml:para>@{Text=} </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>Set-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to update. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>Action</maml:name> <maml:Description><maml:para>@{Text=} </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type to update. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Rule filter action on a macth of any filter under the rule. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"><maml:name>Action</maml:name> <maml:Description><maml:para>@{Text=} </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes><command:inputType><dev:type><maml:name>System.Object</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String[]</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> <command:inputType><dev:type><maml:name>System.String</maml:name> </dev:type> <maml:description><maml:para> </maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>Get-GetSysmonRule -Path .\pc_cofig.xml -EventType NetworkConnect -OnMatch Exclude EventType : NetworkConnect Scope : Filtered DefaultAction : Exclude Filters : {@{EventField=image; Condition=Is; Value=iexplorer.exe}} PS C:\> Set-SysmonRulen -Path .\pc_cofig.xml -EventType NetworkConnect -Action Include -Verbose VERBOSE: Setting as default action for NetworkConnect the action of Include. VERBOSE: Action has been set. PS C:\> Get-GetSysmonRule -Path .\pc_cofig.xml -EventType NetworkConnect EventType : NetworkConnect Scope : Filtered DefaultAction : Include Filters : {@{EventField=image; Condition=Is; Value=iexplorer.exe}}</dev:code> <dev:remarks><maml:para>Change default rule action causing the filter to ignore all traffic from iexplorer.exe. </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> </helpItems> |