EventLog/ConvertTo-SysmonRule.ps1
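function ConvertTo-SysmonRule {
    <#
    .SYNOPSIS
        Turn Sysmon Event objects into Rules or RuleGroups for use in configuration files.
    .DESCRIPTION
        Creates Rules or RuleGroups depending on the number of properties on each Sysmon
        Event object. When more than one property is selected the properties are turned
        into a RuleGroup; if only one property is present it is turned into a single Rule.
        RuleGroups have a group relation of 'and'.

        Since exact matches are used, the conditions supported are 'is', 'is not',
        'excludes', 'begin with' and 'image'. The default condition when none is
        specified is 'is'.

        Property values are XML-escaped before being written, so a value such as a
        command line containing '&', '<', '>' or quotes cannot break the configuration
        file or change the meaning of the generated rule. Property names are emitted
        as element names without validation; they are expected to be Sysmon field names.
    .PARAMETER SysmonEvent
        Sysmon Event object(s), typically the output of a Get-Sysmon*Event function
        piped through Select-Object to keep only the fields to filter on.
    .PARAMETER Condition
        Sysmon rule condition applied to every property. Defaults to 'is'.
    .EXAMPLE
        PS C:\> Get-SysmonProcessCreateEvent -Path C:\bootevents.evtx -Image "c:\windows\system32\svchost.exe" | select parentimage,commandline | ConvertTo-SysmonRule

        Create rule groups to filter on the svchost.exe parent process and command line.
    .INPUTS
        System.Management.Automation.PSCustomObject
        System.String
    .OUTPUTS
        System.String
    .NOTES
        General notes
    #>
    [CmdletBinding()]
    param (
        # Sysmon Event Object
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [pscustomobject[]]
        $SysmonEvent,

        # Rule condition.
        [Parameter(Mandatory = $false)]
        [ValidateSet('is', 'is not', 'excludes', 'begin with', 'image')]
        [string]
        $Condition = 'is'
    )

    begin {
        # Render one property as a Sysmon rule element.
        # The value is escaped with SecurityElement::Escape so the five XML special
        # characters (& < > " ') survive as entities instead of corrupting the config.
        function Format-RuleElement {
            param ($Property, [string]$RuleCondition)
            $escapedValue = [System.Security.SecurityElement]::Escape([string]$Property.Value)
            "<$($Property.Name) condition='$RuleCondition'>$escapedValue</$($Property.Name)>"
        }
    }

    process {
        # $event is avoided as a loop variable: it is a PowerShell automatic variable.
        foreach ($sysmonEventObject in $SysmonEvent) {
            $properties = @($sysmonEventObject.PSObject.Properties)
            switch ($properties.Count) {
                0 {
                    # Nothing to filter on; emit nothing (same as the original behaviour).
                    Write-Verbose 'Skipping an object with no properties.'
                }
                1 {
                    Format-RuleElement -Property $properties[0] -RuleCondition $Condition
                }
                default {
                    # Several properties: combine them into an 'and' RuleGroup,
                    # one indented element per line.
                    $elementLines = foreach ($prop in $properties) {
                        ' ' + (Format-RuleElement -Property $prop -RuleCondition $Condition)
                    }
                    "<Rule groupRelation=`"and`">`n" + ($elementLines -join "`n") + "`n</Rule>"
                }
            }
        }
    }

    end { }
}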