en-US/Posh-SysMon.psm1-Help.xml
<?xml version="1.0" encoding="utf-8" ?> <!--Generated by: SAPIEN PowerShell Help Writer 2015 v1.0.9--> <!--Edited with: SAPIEN PowerShell Help Writer 2015 v1.0.9--> <helpItems xmlns="http://msh" schema="maml"> <!--All Commands--> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-SysmonHashingAlgorithm</command:name> <maml:description> <maml:para>Gets the hashing algorithms enabled for images.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>SysmonHashingAlgorithm</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Gets the hashing algorithms enabled for images.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" 
pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Get-SysmonRule</command:name> <maml:description> <maml:para>Gets configured rules and their filters in a Sysmon XML configuration file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Get</command:verb> <command:noun>SysmonRule</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Gets configured rules and their filters in a Sysmon XML configuration file for each event type.</maml:para>
</maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Get-SysmonRule</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to parse rules for.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-SysmonRule</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to parse rules for.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config
file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to parse rules for.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>C:\PS></maml:para> </maml:introduction> <dev:code>Get-SysmonConfigOptions -Path .\pc_cofig.xml -Verbose Hashing : SHA1,IMPHASH Network : Enabled ImageLoading : Enabled Comment : Config for helpdesk PCs.</dev:code> <dev:remarks/> </command:example> 
</command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>New-SysmonConfiguration</command:name> <maml:description> <maml:para>Creates a new Sysmon XML configuration file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>New</command:verb> <command:noun>SysmonConfiguration</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Creates a new Sysmon XML configuration file. Configuration options and a descriptive comment can be given when generating the XML config file.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>New-SysmonConfiguration</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to write XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>HashingAlgorithm</maml:name> <maml:description> <maml:para>Specify one or more hash algorithms used for image identification</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>NetworkConnect</maml:name> <maml:description> <maml:para>Enable all NetworkConnect events.</maml:para> </maml:description> <command:parameterValue required="false" 
variableLength="false">SwitchParameter</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>DriverLoad</maml:name> <maml:description> <maml:para>Enable all DriverLoad events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>ImageLoad</maml:name> <maml:description> <maml:para>Enable all ImageLoad events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases=""> <maml:name>CreateRemoteThread</maml:name> <maml:description> <maml:para>Enable all CreateRemoteThread events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="6" aliases=""> <maml:name>FileCreateTime</maml:name> <maml:description> <maml:para>Enable all FileCreateTime events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="7"
aliases=""> <maml:name>ProcessCreate</maml:name> <maml:description> <maml:para>Enable all ProcessCreate events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="8" aliases=""> <maml:name>ProcessTerminate</maml:name> <maml:description> <maml:para>Enable all ProcessTerminate events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named"> <maml:name>Comment</maml:name> <maml:description> <maml:para>Comment describing the purpose of the configuration file.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to write XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>HashingAlgorithm</maml:name> <maml:description> <maml:para>Specify one or more hash algorithms used for image identification.</maml:para> </maml:description> <command:parameterValue
required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>NetworkConnect</maml:name> <maml:description> <maml:para>Enable all NetworkConnect events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>DriverLoad</maml:name> <maml:description> <maml:para>Enable all DriverLoad events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>ImageLoad</maml:name> <maml:description> <maml:para>Enable all ImageLoad events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases=""> <maml:name>CreateRemoteThread</maml:name> <maml:description> <maml:para>Enable all CreateRemoteThread events.</maml:para> </maml:description>
<command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="6" aliases=""> <maml:name>FileCreateTime</maml:name> <maml:description> <maml:para>Enable all FileCreateTime events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="7" aliases=""> <maml:name>ProcessCreate</maml:name> <maml:description> <maml:para>Enable all ProcessCreate events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="8" aliases=""> <maml:name>ProcessTerminate</maml:name> <maml:description> <maml:para>Enable all ProcessTerminate events.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="named"> <maml:name>Comment</maml:name> <maml:description> <maml:para>Comment describing the purpose of the
configuration file.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>C:\PS></maml:para> </maml:introduction> <dev:code>New-SysmonConfiguration -Path .\pc_cofig.xml -HashingAlgorithm SHA1,IMPHASH -NetworkConnect -ImageLoad -Comment "Config for helpdesk PCs." -Verbose VERBOSE: Enabling hashing algorithms : SHA1,IMPHASH VERBOSE: Enabling network connection logging. VERBOSE: Enabling image loading logging.
VERBOSE: Config file created as C:\\pc_cofig.xml</dev:code> <dev:remarks> <maml:para>Create a configuration file that logs all network connections and image loading, and set a descriptive comment.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>New-SysmonDriverLoadFilter</command:name> <maml:description> <maml:para>Creates a new DriverLoad event filter in a Sysmon rule XML file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>New</command:verb> <command:noun>SysmonDriverLoadFilter</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Adds a filter for DriverLoad events to a Sysmon rule XML file. The filter evaluates the given event field against one or more values using the specified condition.</maml:para> <maml:para>New-SysmonDriverLoadFilter [-Path] &lt;Object&gt; [-Condition] &lt;string&gt; [-EventField] &lt;string&gt; [-Value] &lt;string[]&gt; [&lt;CommonParameters&gt;] New-SysmonDriverLoadFilter [-LiteralPath] &lt;Object&gt; [-Condition] &lt;string&gt; [-EventField] &lt;string&gt; [-Value] &lt;string[]&gt; [&lt;CommonParameters&gt;]</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>New-SysmonDriverLoadFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true"
variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonDriverLoadFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" 
pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> 
<maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" 
xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>New-SysmonFileCreateFilter</command:name> <maml:description> <maml:para>Creates a new FileCreate event filter in a Sysmon rule XML file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>New</command:verb> <command:noun>SysmonFileCreateFilter</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Adds a filter for FileCreate events to a Sysmon rule XML file. The filter evaluates the given event field against one or more values using the specified condition.</maml:para> <maml:para>New-SysmonFileCreateFilter [-Path] &lt;Object&gt; [-Condition] &lt;string&gt; [-EventField] &lt;string&gt; [-Value] &lt;string[]&gt; [&lt;CommonParameters&gt;] New-SysmonFileCreateFilter [-LiteralPath] &lt;Object&gt; [-Condition] &lt;string&gt; [-EventField] &lt;string&gt; [-Value] &lt;string[]&gt; [&lt;CommonParameters&gt;]</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>New-SysmonFileCreateFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonFileCreateFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" 
variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" 
variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>New-SysmonImageLoadFilter</command:name> <maml:description> <maml:para>New-SysmonImageLoadFilter [-Path] <Object> [-Condition] <string> [-EventField] <string> [-Value] <string[]> [<CommonParameters>] 
New-SysmonImageLoadFilter [-LiteralPath] <Object> [-Condition] <string> [-EventField] <string> [-Value] <string[]> [<CommonParameters>]</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>New</command:verb> <command:noun>SysmonImageLoadFilter</command:noun> <dev:version/> </command:details> <maml:description> <maml:para/> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>New-SysmonImageLoadFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be 
evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonImageLoadFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> 
</command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> 
</dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>New-SysmonNetworkConnectFilter</command:name> <maml:description> <maml:para>New-SysmonNetworkConnectFilter [-Path] <Object> [-Condition] <string> [-EventField] <string> [-Value] <string[]> [<CommonParameters>] New-SysmonNetworkConnectFilter [-LiteralPath] <Object> [-Condition] <string> [-EventField] <string> [-Value] <string[]> [<CommonParameters>]</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>New</command:verb> <command:noun>SysmonNetworkConnectFilter</command:noun> <dev:version/> </command:details> <maml:description> <maml:para/> 
</maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>New-SysmonNetworkConnectFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonNetworkConnectFilter</maml:name> <command:parameter required="true" variableLength="false" 
globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> 
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> 
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>New-SysmonProcessCreateFilter</command:name> <maml:description> <maml:para>New-SysmonProcessCreateFilter [-Path] <Object> [-Condition] <string> [-EventField] <string> [-Value] <string[]> [<CommonParameters>] New-SysmonProcessCreateFilter [-LiteralPath] <Object> [-Condition] <string> [-EventField] <string> [-Value] <string[]> [<CommonParameters>]</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>New</command:verb> <command:noun>SysmonProcessCreateFilter</command:noun> <dev:version/> </command:details> <maml:description> <maml:para/> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>New-SysmonProcessCreateFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML 
file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonProcessCreateFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> 
</command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" 
aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> 
</dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>New-SysmonProcessTerminateFilter</command:name> <maml:description> <maml:para>New-SysmonProcessTerminateFilter [-Path] <Object> [-Condition] <string> [-EventField] <string> [-Value] <string[]> [<CommonParameters>] New-SysmonProcessTerminateFilter [-LiteralPath] <Object> [-Condition] <string> [-EventField] <string> [-Value] <string[]> [<CommonParameters>]</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>New</command:verb> <command:noun>SysmonProcessTerminateFilter</command:noun> <dev:version/> </command:details> <maml:description> <maml:para/> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>New-SysmonProcessTerminateFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> 
<maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonProcessTerminateFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue 
required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition to use for matching the value of an eventfield.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> 
<dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event Field to be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of field that will be evaluated.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Literal path to SysMon rule XML file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> 
</dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Remove-SysmonRule</command:name> <maml:description> <maml:para>Removes one or more rules from a Sysmon XML configuration file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>SysmonRule</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Removes one or more rules from a Sysmon XML configuration file.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Remove-SysmonRule</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to remove. 
It is case sensitive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Remove-SysmonRule</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to remove. It is case sensitive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to remove. 
It is case sensitive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>PS C:\></maml:para> </maml:introduction> <dev:code>Remove-SysmonRule -Path .\pc_marketing.xml -EventType ImageLoad,NetworkConnect -Verbose VERBOSE: Removed rule for ImageLoad. 
VERBOSE: Removed rule for NetworkConnect.</dev:code> <dev:remarks/> </command:example> </command:examples> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Remove-SysmonRuleFilter</command:name> <maml:description> <maml:para>Removes an existing Sysmon filter rule for a given event type.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>SysmonRuleFilter</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Removes an existing Sysmon filter rule for a given event type. The filter to remove is identified by the combination of EventType, Condition, EventField and Value, all of which are required; the event type name is case sensitive.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Remove-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to remove filter rule from. 
It is case sensitive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition used against the event field value.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event field for the given event type.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of event field.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Remove-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> 
<command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to remove filter rule from. It is case sensitive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition used against the event field value.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event field for the given event type.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value of event field.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>Path</maml:name> <maml:description> 
<maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases=""> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to remove filter rule from. It is case sensitive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>Condition</maml:name> <maml:description> <maml:para>Condition used against the event field value.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases=""> <maml:name>EventField</maml:name> <maml:description> <maml:para>Event field for the given event type.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases=""> <maml:name>Value</maml:name> <maml:description> <maml:para>Value 
of event field.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases=""> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> <command:name>Set-SysmonHashingAlgorithm</command:name> <maml:description> <maml:para>Set the hashing algorithms to use against process, library and driver images.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Set</command:verb> <command:noun>SysmonHashingAlgorithm</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Set the hashing 
algorithms to use against process, library and driver images.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Set-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>HashingAlgorithm</maml:name> <maml:description> <maml:para>Specify one or more hash algorithms used for image identification</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Set-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>HashingAlgorithm</maml:name> <maml:description> <maml:para>Specify one or more hash algorithms used for image identification</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" 
globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>HashingAlgorithm</maml:name> <maml:description> <maml:para>Specify one or more hash algorithms used for image identification</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"> <!--Command--> <command:details> 
<command:name>Set-SysmonRule</command:name> <maml:description> <maml:para>Creates a Rule and sets its default action in a Sysmon configuration XML file.</maml:para> </maml:description> <maml:copyright> <maml:para/> </maml:copyright> <command:verb>Set</command:verb> <command:noun>SysmonRule</command:noun> <dev:version/> </command:details> <maml:description> <maml:para>Creates a rule for the specified event type and sets the default action for the rule and the filters under it. If a rule for that event type already exists, its default action is updated instead. The default action is Exclude. The action is set per event type and applies to all filters under it, so switching an existing rule between Include and Exclude changes which events those filters cause Sysmon to log; review the filters after changing it.</maml:para> </maml:description> <command:syntax> <!--Parameter Sets--> <command:syntaxItem> <maml:name>Set-SysmonRule</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to update.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>OnMatch</maml:name> <maml:description> <maml:para>How rules will be handled when matched.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> 
<maml:name>Set-SysmonRule</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to update.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>OnMatch</maml:name> <maml:description> <maml:para>How rules will be handled when matched.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:defaultValue> </dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <!--All Parameters--> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>Path</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="1"> <maml:name>EventType</maml:name> <maml:description> <maml:para>Event type to update.</maml:para> </maml:description> <command:parameterValue 
required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases=""> <maml:name>OnMatch</maml:name> <maml:description> <maml:para>How rules will be handled when matched.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue> </dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="True (ByPropertyName)" position="0"> <maml:name>LiteralPath</maml:name> <maml:description> <maml:para>Path to XML config file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue/> </command:parameter> </command:parameters> <command:inputTypes> <!--Inputs--> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> <maml:uri/> </dev:type> <maml:description> <maml:para/> </maml:description> </command:inputType> </command:inputTypes> <command:examples> <!--Examples--> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <maml:introduction> <maml:para>C:\PS></maml:para> </maml:introduction> <dev:code>Get-GetSysmonRule -Path .\pc_cofig.xml -EventType NetworkConnect EventType : 
NetworkConnect Scope : Filtered DefaultAction : Exclude Filters : {@{EventField=image; Condition=Is; Value=iexplorer.exe}} PS C:\> Set-SysmonRule -Path .\pc_cofig.xml -EventType NetworkConnect -OnMatch Include -Verbose VERBOSE: Setting as default action for NetworkConnect the action of Include. VERBOSE: Action has been set. PS C:\> Get-GetSysmonRule -Path .\pc_cofig.xml -EventType NetworkConnect EventType : NetworkConnect Scope : Filtered DefaultAction : Include Filters : {@{EventField=image; Condition=Is; Value=iexplorer.exe}}</dev:code> <dev:remarks> <maml:para>Changes the default action of the NetworkConnect rule from Exclude to Include while leaving its filter in place. With Exclude, the filter suppressed network-connection events from iexplorer.exe and all other network connections were logged; with Include, only network connections whose image matches iexplorer.exe are logged. Verify the resulting coverage before deploying, since the same filter now has the opposite effect.</maml:para> </dev:remarks> </command:example> </command:examples> </command:command> </helpItems> <!--Generated by: SAPIEN PowerShell Help Writer 2015 v1.0.9--> <!--Edited with: SAPIEN PowerShell Help Writer 2015 v1.0.9-->