XDRInternals.Format.ps1xml
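<?xml version="1.0" encoding="utf-8" ?>
<!--
  PowerShell format definitions (ps1xml) for the XDRInternals module.

  One <View> per output type name; the formatting engine picks a view by the
  object's PSTypeName (ViewSelectedBy/TypeName). Columns are either a plain
  <PropertyName> (rendered as-is) or a <ScriptBlock> that is evaluated by the
  formatting engine for every rendered row, with $_ bound to the row object.
  Because the ScriptBlocks are executed PowerShell, this file is code, not
  just data: review and ship it with the module's other script files.

  Widths are character counts used by the table layout; views without <Width>
  let the engine size the columns from the data.
-->
<Configuration>
  <ViewDefinitions>

    <!-- Defender for Endpoint machine record -->
    <View>
      <Name>XdrEndpointDevice</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDevice</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>ComputerDnsName</Label></TableColumnHeader>
          <TableColumnHeader><Label>LastIpAddress</Label></TableColumnHeader>
          <TableColumnHeader><Label>RiskScore</Label></TableColumnHeader>
          <TableColumnHeader><Label>CriticalityLevel</Label></TableColumnHeader>
          <TableColumnHeader><Label>ExposureScore</Label></TableColumnHeader>
          <TableColumnHeader><Label>DeviceType</Label></TableColumnHeader>
          <TableColumnHeader><Label>Domain</Label></TableColumnHeader>
          <TableColumnHeader><Label>ManagedBy</Label></TableColumnHeader>
          <TableColumnHeader><Label>HealthStatus</Label></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>ComputerDnsName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>LastIpAddress</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>RiskScore</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>CriticalityLevel</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ExposureScore</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DeviceType</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Domain</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ManagedBy</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>HealthStatus</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!--
      Defender for Identity identity record. Labels in this view are
      human-readable (with spaces), unlike the property-style labels used by
      the other views; kept as-is so existing output does not change.
      Several columns reach into the nested "ids" object (sid, accountDomain,
      aad) rather than a top-level property.
    -->
    <View>
      <Name>XdrIdentityIdentity</Name>
      <ViewSelectedBy>
        <TypeName>XdrIdentityIdentity</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Display name</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>SID</Label><Width>47</Width></TableColumnHeader>
          <TableColumnHeader><Label>Domain</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Type</Label><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Label>Object ID</Label><Width>36</Width></TableColumnHeader>
          <TableColumnHeader><Label>Identity providers</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>Identity environment</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>UPN</Label><Width>30</Width></TableColumnHeader>
          <TableColumnHeader><Label>Tags</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Created time</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Criticality level</Label><Width>17</Width></TableColumnHeader>
          <TableColumnHeader><Label>Account status</Label><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Label>Last updated</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Entra ID risk level</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Entra ID risk level update time</Label><Width>32</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>displayName</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.ids.sid</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.ids.accountDomain</ScriptBlock></TableColumnItem>
              <TableColumnItem><PropertyName>type</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.ids.aad</ScriptBlock></TableColumnItem>
              <TableColumnItem>
                <!-- Map the legacy provider name to the current product name; other providers pass through. -->
                <ScriptBlock>($_.identityProviders | ForEach-Object { if ($_ -eq 'AzureActiveDirectory') { 'EntraID' } else { $_ } }) -join ', '</ScriptBlock>
              </TableColumnItem>
              <TableColumnItem><PropertyName>source</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>userPrincipalName</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.tags -join ', '</ScriptBlock></TableColumnItem>
              <TableColumnItem><PropertyName>created</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>criticalityLevel</PropertyName></TableColumnItem>
              <TableColumnItem>
                <!--
                  Normalise the status casing (e.g. ACTIVE becomes Active).
                  The PowerShell comment must stay on its own line: if the
                  block is ever collapsed onto one line the comment swallows
                  the closing brace and the view fails to load.
                -->
                <ScriptBlock>
                  $status = [string]$_.status
                  # Upper-case first character, lower-case the rest; null/empty renders blank
                  if ($status) {
                    $status.Substring(0,1).ToUpper() + $status.Substring(1).ToLower()
                  }
                </ScriptBlock>
              </TableColumnItem>
              <TableColumnItem><PropertyName>updateTime</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>riskLevel</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>riskLastUpdateTime</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Result of a machine action (isolate, scan, ...) submitted against a device -->
    <View>
      <Name>XdrEndpointDeviceActionResult</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceActionResult</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Type</Label></TableColumnHeader>
          <TableColumnHeader><Label>DeviceId</Label></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label></TableColumnHeader>
          <TableColumnHeader><Label>Id</Label></TableColumnHeader>
          <TableColumnHeader><Label>RequestorComment</Label></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Type</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DeviceId</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Status</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Id</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>RequestorComment</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Compact user view; the Status column uses the same casing rule as XdrIdentityIdentity -->
    <View>
      <Name>XdrIdentityUser</Name>
      <ViewSelectedBy>
        <TypeName>XdrIdentityUser</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DisplayName</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>UPN</Label><Width>30</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>RiskLevel</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Source</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Type</Label><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Label>AadId</Label><Width>36</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>displayName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>userPrincipalName</PropertyName></TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>
                  $status = [string]$_.status
                  # Upper-case first character, lower-case the rest; null/empty renders blank
                  if ($status) {
                    $status.Substring(0,1).ToUpper() + $status.Substring(1).ToLower()
                  }
                </ScriptBlock>
              </TableColumnItem>
              <TableColumnItem><PropertyName>riskLevel</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>source</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>type</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.ids.aad</ScriptBlock></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!--
      Live Response command record. Note the snake_case property names
      (raw_command_line, duration_seconds) come from the service payload and
      are surfaced under friendlier column labels.
    -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseCommand</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseCommand</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Timestamp</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Command</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Duration</Label><Width>10</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Timestamp</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>raw_command_line</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StatusText</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>duration_seconds</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live Response "processes" output, one row per process -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseProcessRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseProcessRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Name</Label><Width>32</Width></TableColumnHeader>
          <TableColumnHeader><Label>Pid</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>UserName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>14</Width></TableColumnHeader>
          <TableColumnHeader><Label>MemoryKB</Label><Width>12</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Name</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Pid</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>UserName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ProcessStatus</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>MemoryKB</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live Response service listing, one row per service -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseServiceRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseServiceRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>DisplayName</Label><Width>34</Width></TableColumnHeader>
          <TableColumnHeader><Label>ServiceName</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>State</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>StartType</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>StartName</Label><Width>26</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DisplayName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ServiceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>CurrentState</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StartType</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StartName</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live Response driver listing, one row per driver -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseDriverRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseDriverRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>DriverName</Label><Width>26</Width></TableColumnHeader>
          <TableColumnHeader><Label>ServiceName</Label><Width>22</Width></TableColumnHeader>
          <TableColumnHeader><Label>State</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>Loaded</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>Path</Label><Width>46</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DriverName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ServiceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ServiceState</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DriverLoaded</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Path</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live Response network connection listing, one row per connection -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseConnectionRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseConnectionRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Process</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>Pid</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>LocalEndpoint</Label><Width>22</Width></TableColumnHeader>
          <TableColumnHeader><Label>RemoteEndpoint</Label><Width>22</Width></TableColumnHeader>
          <TableColumnHeader><Label>State</Label><Width>12</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ProcessName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Pid</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>LocalEndpoint</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>RemoteEndpoint</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ConnectionState</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live Response scheduled task listing; Action joins the task's path and arguments -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseScheduledTaskRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseScheduledTaskRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>TaskId</Label><Width>48</Width></TableColumnHeader>
          <TableColumnHeader><Label>Enabled</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>Principal</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Action</Label><Width>44</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>TaskId</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>IsEnabled</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Principal</PropertyName></TableColumnItem>
              <TableColumnItem>
                <!-- "path args" when arguments are present, otherwise just the path -->
                <ScriptBlock>if ($_.Arguments) { '{0} {1}' -f $_.ActionPath, $_.Arguments } else { $_.ActionPath }</ScriptBlock>
              </TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live Response startup folder entries -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseStartupFolderRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseStartupFolderRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>FilePath</Label><Width>54</Width></TableColumnHeader>
          <TableColumnHeader><Label>ExecutablePath</Label><Width>54</Width></TableColumnHeader>
          <TableColumnHeader><Label>Category</Label><Width>18</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>FilePath</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ExecutablePath</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Category</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live Response directory listing, one row per file or folder -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseDirectoryRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseDirectoryRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Path</Label><Width>46</Width></TableColumnHeader>
          <TableColumnHeader><Label>Type</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Size</Label><Width>12</Width></TableColumnHeader>
          <TableColumnHeader><Label>Modified</Label><Width>22</Width></TableColumnHeader>
          <TableColumnHeader><Label>Hidden</Label><Width>8</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Path</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ItemType</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Size</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Modified</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Hidden</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!--
      Live Response persistence findings (autoruns-style). The Target column
      shows whichever of Target, Value or CommandLine the row carries, in that
      order of preference, since the shape differs per persistence category.
    -->
    <View>
      <Name>XdrEndpointDeviceLiveResponsePersistenceRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponsePersistenceRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Category</Label><Width>16</Width></TableColumnHeader>
          <TableColumnHeader><Label>Name</Label><Width>38</Width></TableColumnHeader>
          <TableColumnHeader><Label>Path</Label><Width>42</Width></TableColumnHeader>
          <TableColumnHeader><Label>Target</Label><Width>42</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Category</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Name</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Path</PropertyName></TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>if ($_.Target) { $_.Target } elseif ($_.Value) { $_.Value } else { $_.CommandLine }</ScriptBlock>
              </TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!--
      Identity timeline event. Rows come from several source tables whose
      action column is named differently, so ActionType falls back to Type
      and then EventType.
    -->
    <View>
      <Name>XdrIdentityUserTimelineEvent</Name>
      <ViewSelectedBy>
        <TypeName>XdrIdentityUserTimelineEvent</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Timestamp</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>ActionType</Label><Width>30</Width></TableColumnHeader>
          <TableColumnHeader><Label>Application</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>SourceTable</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>DeviceName</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>Ip</Label><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Label>Location</Label><Width>15</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Timestamp</PropertyName></TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>if ($_.ActionType) { $_.ActionType } elseif ($_.Type) { $_.Type } elseif ($_.EventType) { $_.EventType }</ScriptBlock>
              </TableColumnItem>
              <TableColumnItem><PropertyName>Application</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>SourceTable</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Ip</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Location</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!--
      Generic Live Response table row used when no command-specific view
      applies. Summary shows the first three non-empty properties that are
      not part of the common envelope (timestamp, device, command, status,
      session bookkeeping) as name=value pairs.
    -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseTableRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseTableRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Command</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Summary</Label><Width>60</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Command</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StatusText</PropertyName></TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>
                  # Envelope properties already shown in their own columns (or not useful in a summary)
                  $excluded = @('Timestamp', 'DeviceName', 'DeviceId', 'ShortDeviceId', 'Command', 'Status', 'StatusText', 'DurationSeconds', 'SessionId', 'OutputIndex')
                  @($_.PSObject.Properties |
                      Where-Object { $_.Name -notin $excluded -and $null -ne $_.Value -and "$($_.Value)" -ne '' } |
                      Select-Object -First 3 |
                      ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
                </ScriptBlock>
              </TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

  </ViewDefinitions>
</Configuration>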