
Creates a new Sysmon filter for logging raw-access read actions on files.
Create a new filter for the logging of file raw access read actions.
C:\PS> New-SysmonRawAccessReadFilter -Path .\testver31.xml -OnMatch include -Condition Contains -EventField Image NTDS.dit
Logs any raw-access read of the file NTDS.dit (the example is an include filter whose Image field condition is Contains).

function New-SysmonRawAccessReadFilter {
    [CmdletBinding(DefaultParameterSetName = 'Path',
    HelpUri = '')]
    Param (
        # Path to XML config file.
        [ValidateScript({Test-Path -Path $_})]

        # Path to XML config file.
        [ValidateScript({Test-Path -Path $_})]

        # Event type on match action.
        [ValidateSet('include', 'exclude')]

        # Condition for filtering against and event field.
        [ValidateSet('Is', 'IsNot', 'Contains', 'Excludes', 'Image',
            'BeginWith', 'EndWith', 'LessThan', 'MoreThan')]

        # Event field to filter on.
        [ValidateSet('UtcTime', 'ProcessGuid', 'ProcessId',
            'Image', 'Device')]

        # Value of Event Field to filter on.

        # Rule Name for the filter.

    Begin {}
    Process {
        $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]
        $cmdoptions = @{
            'EventType' =  'RawAccessRead'
            'Condition' = $Condition
            'EventField' = $FieldString
            'Value' = $Value
            'OnMatch' = $OnMatch


        if($RuleName) {

        switch ($PSCmdlet.ParameterSetName) {
            'Path' {
                New-RuleFilter @cmdOptions

            'LiteralPath' {
                New-RuleFilter @cmdOptions
    End {}