<?xml version="1.0" encoding="utf-8"?>
<helpItems schema="maml">
 
<command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
<command:details><command:name>Get-SysmonEventData</command:name>
<command:verb>Get</command:verb>
<command:noun>SysmonEventData</command:noun>
<maml:description><maml:para>Searches for the specified Sysmon events (in the event log, or in exported .evtx files given with -Path) and returns the Event Data of each match as a custom object.
</maml:para>
</maml:description>
</command:details>
<maml:description><maml:para>Searches for the specified Sysmon events (in the event log, or in exported .evtx files given with -Path) and returns the Event Data of each match as a custom object.
</maml:para>
</maml:description>
<command:syntax><command:syntaxItem><maml:name>Get-SysmonEventData</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventId</maml:name>
<maml:Description><maml:para>Sysmon Event ID(s) of the records to return (for example 1 = process creation, 3 = network connection).
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Int32[]</command:parameterValue>
<dev:type><maml:name>Int32[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>MaxEvents</maml:name>
<maml:Description><maml:para>Maximum number of events to return (passed through to Get-WinEvent). Enter an integer; the default, 0, returns all matching events in the logs or files.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
<dev:type><maml:name>Int32</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>0</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to one or more exported Sysmon event log files in .evtx format. When omitted, the event log is searched instead of a file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>StartTime</maml:name>
<maml:Description><maml:para>Start of the time window; events recorded before this date/time are excluded.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
<dev:type><maml:name>DateTime</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>EndTime</maml:name>
<maml:Description><maml:para>End of the time window; events recorded after this date/time are excluded.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
<dev:type><maml:name>DateTime</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
<command:syntaxItem><maml:name>Get-SysmonEventData</maml:name>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name>
<maml:Description><maml:para>Sysmon event type name(s) to retrieve (for example ProcessCreate), i.e. the event types that Sysmon rules are written against.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>MaxEvents</maml:name>
<maml:Description><maml:para>Maximum number of events to return (passed through to Get-WinEvent). Enter an integer; the default, 0, returns all matching events in the logs or files.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
<dev:type><maml:name>Int32</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>0</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to one or more exported Sysmon event log files in .evtx format. When omitted, the event log is searched instead of a file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>StartTime</maml:name>
<maml:Description><maml:para>Start of the time window; events recorded before this date/time are excluded.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
<dev:type><maml:name>DateTime</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>EndTime</maml:name>
<maml:Description><maml:para>End of the time window; events recorded after this date/time are excluded.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
<dev:type><maml:name>DateTime</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
</command:syntax>
<command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventId</maml:name>
<maml:Description><maml:para>Sysmon Event ID(s) of the records to return (for example 1 = process creation, 3 = network connection).
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Int32[]</command:parameterValue>
<dev:type><maml:name>Int32[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name>
<maml:Description><maml:para>Sysmon event type name(s) to retrieve (for example ProcessCreate), i.e. the event types that Sysmon rules are written against.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>MaxEvents</maml:name>
<maml:Description><maml:para>Maximum number of events to return (passed through to Get-WinEvent). Enter an integer; the default, 0, returns all matching events in the logs or files.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Int32</command:parameterValue>
<dev:type><maml:name>Int32</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>0</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to one or more exported Sysmon event log files in .evtx format. When omitted, the event log is searched instead of a file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>StartTime</maml:name>
<maml:Description><maml:para>Start of the time window; events recorded before this date/time are excluded.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
<dev:type><maml:name>DateTime</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>EndTime</maml:name>
<maml:Description><maml:para>End of the time window; events recorded after this date/time are excluded.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue>
<dev:type><maml:name>DateTime</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:parameters>
<command:inputTypes></command:inputTypes>
<command:returnValues></command:returnValues>
<maml:alertSet><maml:alert><maml:para>
</maml:para>
</maml:alert>
</maml:alertSet>
<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
<dev:code>Get-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)</dev:code>
<dev:remarks><maml:para>Up to 10 process creation events (Event ID 1) from the last 24 hours; -MaxEvents 10 caps the result, so this is not every event in the window.
</maml:para>
</dev:remarks>
</command:example>
<command:example><maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title>
<dev:code>Get-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\export.evtx</dev:code>
<dev:remarks><maml:para>The last 20 network connection events (Event ID 3) from an exported Sysmon log file.
</maml:para>
</dev:remarks>
</command:example>
</command:examples>
<command:relatedLinks></command:relatedLinks>
</command:command>
<command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
<command:details><command:name>Get-SysmonRuleFilter</command:name>
<command:verb>Get</command:verb>
<command:noun>SysmonRuleFilter</command:noun>
<maml:description><maml:para>Get the filter entries configured under the specified event type rule (for example ProcessCreate) in a Sysmon XML configuration file.
</maml:para>
</maml:description>
</command:details>
<maml:description><maml:para>Get the filter entries configured under the specified event type rule (for example ProcessCreate) in a Sysmon XML configuration file.
</maml:para>
</maml:description>
<command:syntax><command:syntaxItem><maml:name>Get-SysmonRuleFilter</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to the Sysmon XML configuration file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>EventType</maml:name>
<maml:Description><maml:para>Name of the event type rule whose filters to return (for example ProcessCreate).
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>The rule's onmatch action (e.g. include or exclude) that selects which filter set to return.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
<command:syntaxItem><maml:name>Get-SysmonRuleFilter</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name>
<maml:Description><maml:para>Literal path to the Sysmon XML configuration file; the value is used exactly as typed.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>The rule's onmatch action (e.g. include or exclude) that selects which filter set to return.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
</command:syntax>
<command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to the Sysmon XML configuration file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name>
<maml:Description><maml:para>Literal path to the Sysmon XML configuration file; the value is used exactly as typed.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>EventType</maml:name>
<maml:Description><maml:para>Name of the event type rule whose filters to return (for example ProcessCreate).
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>The rule's onmatch action (e.g. include or exclude) that selects which filter set to return.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:parameters>
<command:inputTypes></command:inputTypes>
<command:returnValues></command:returnValues>
<maml:alertSet><maml:alert><maml:para>
</maml:para>
</maml:alert>
</maml:alertSet>
<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
<dev:code>Get-SysmonRuleFilter -Path C:\sysmon.xml -EventType ProcessCreate</dev:code>
<dev:remarks><maml:para>Get the filters under the ProcessCreate rule. OnMatch is listed above as a mandatory parameter, so the cmdlet will ask for the onmatch action if it is not supplied on the command line.
</maml:para>
</dev:remarks>
</command:example>
</command:examples>
<command:relatedLinks></command:relatedLinks>
</command:command>
<command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
<command:details><command:name>New-SysmonFileCreateFilter</command:name>
<command:verb>New</command:verb>
<command:noun>SysmonFileCreateFilter</command:noun>
<maml:description><maml:para>Add a new filter to the FileCreate rule (logging of file creation events) in a Sysmon XML configuration file.
</maml:para>
</maml:description>
</command:details>
<maml:description><maml:para>Add a new filter to the FileCreate rule (logging of file creation events) in a Sysmon XML configuration file.
</maml:para>
</maml:description>
<command:syntax><command:syntaxItem><maml:name>New-SysmonFileCreateFilter</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to the Sysmon XML configuration file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>The onmatch action (e.g. include or exclude) of the rule the filter is added under. Filters under an exclude action suppress matching events, so keep them narrow to avoid blind spots.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Comparison condition (a Sysmon filter condition keyword) applied to the event field when matching the value.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Name of the event field the filter matches against.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>One or more values the event field is matched against using the given condition.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
<command:syntaxItem><maml:name>New-SysmonFileCreateFilter</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name>
<maml:Description><maml:para>Literal path to the Sysmon XML configuration file; the value is used exactly as typed.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>The onmatch action (e.g. include or exclude) of the rule the filter is added under. Filters under an exclude action suppress matching events, so keep them narrow to avoid blind spots.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Comparison condition (a Sysmon filter condition keyword) applied to the event field when matching the value.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Name of the event field the filter matches against.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>One or more values the event field is matched against using the given condition.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
</command:syntax>
<command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to the Sysmon XML configuration file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name>
<maml:Description><maml:para>Literal path to the Sysmon XML configuration file; the value is used exactly as typed.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>The onmatch action (e.g. include or exclude) of the rule the filter is added under. Filters under an exclude action suppress matching events, so keep them narrow to avoid blind spots.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Comparison condition (a Sysmon filter condition keyword) applied to the event field when matching the value.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Name of the event field the filter matches against.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>One or more values the event field is matched against using the given condition.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:parameters>
<command:inputTypes></command:inputTypes>
<command:returnValues></command:returnValues>
<maml:alertSet><maml:alert><maml:para>
</maml:para>
</maml:alert>
</maml:alertSet>
<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
<dev:code></dev:code>
<dev:remarks><maml:para>
</maml:para>
</dev:remarks>
</command:example>
</command:examples>
<command:relatedLinks></command:relatedLinks>
</command:command>
<command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
<command:details><command:name>New-SysmonFileCreateStreamHash</command:name>
<command:verb>New</command:verb>
<command:noun>SysmonFileCreateStreamHash</command:noun>
<maml:description><maml:para>Add a new filter to the FileCreateStreamHash rule (logging of data saved to a file stream, recorded with its hash) in a Sysmon XML configuration file.
</maml:para>
</maml:description>
</command:details>
<maml:description><maml:para>Add a new filter to the FileCreateStreamHash rule (logging of data saved to a file stream, recorded with its hash) in a Sysmon XML configuration file.
</maml:para>
</maml:description>
<command:syntax><command:syntaxItem><maml:name>New-SysmonFileCreateStreamHash</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to the Sysmon XML configuration file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>The onmatch action (e.g. include or exclude) of the rule the filter is added under. Filters under an exclude action suppress matching events, so keep them narrow to avoid blind spots.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Comparison condition (a Sysmon filter condition keyword) applied to the event field when matching the value.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Name of the event field the filter matches against.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>One or more values the event field is matched against using the given condition.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
<command:syntaxItem><maml:name>New-SysmonFileCreateStreamHash</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name>
<maml:Description><maml:para>Literal path to the Sysmon XML configuration file; the value is used exactly as typed.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>The onmatch action (e.g. include or exclude) of the rule the filter is added under. Filters under an exclude action suppress matching events, so keep them narrow to avoid blind spots.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Comparison condition (a Sysmon filter condition keyword) applied to the event field when matching the value.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Name of the event field the filter matches against.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>One or more values the event field is matched against using the given condition.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
</command:syntax>
<command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to the Sysmon XML configuration file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name>
<maml:Description><maml:para>Literal path to the Sysmon XML configuration file; the value is used exactly as typed.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>Action to take when an event matches the filter.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Condition for filtering against an event field.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Event field to filter on.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>Value of Event Field to filter on.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:parameters>
<command:inputTypes></command:inputTypes>
<command:returnValues></command:returnValues>
<maml:alertSet><maml:alert><maml:para>
</maml:para>
</maml:alert>
</maml:alertSet>
<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
<dev:code>New-SysmonRegistryEvent -Path .\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'</dev:code>
<dev:remarks><maml:para>Capture persistence attempts made by creating a registry entry under the RunOnce keys.
</maml:para>
</dev:remarks>
</command:example>
</command:examples>
<command:relatedLinks></command:relatedLinks>
</command:command>
<command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
<command:details><command:name>New-SysmonRegistryEvent</command:name>
<command:verb>New</command:verb>
<command:noun>SysmonRegistryEvent</command:noun>
<maml:description><maml:para>Create a new filter for the actions against the registry.
</maml:para>
</maml:description>
</command:details>
<maml:description><maml:para>Create a new filter for actions against the registry. Supports filtering by any of the following event types: * CreateKey
</maml:para>
<maml:para>* DeleteKey
</maml:para>
<maml:para>* RenameKey
</maml:para>
<maml:para>* CreateValue
</maml:para>
<maml:para>* DeleteValue
</maml:para>
<maml:para>* RenameValue
</maml:para>
<maml:para>* SetValue
</maml:para>
<maml:para>
</maml:para>
<maml:para>Hives in TargetObject are referenced as: * \REGISTRY\MACHINE\HARDWARE
</maml:para>
<maml:para>* \REGISTRY\USER\Security ID number
</maml:para>
<maml:para>* \REGISTRY\MACHINE\SECURITY
</maml:para>
<maml:para>* \REGISTRY\USER\.DEFAULT
</maml:para>
<maml:para>* \REGISTRY\MACHINE\SYSTEM
</maml:para>
<maml:para>* \REGISTRY\MACHINE\SOFTWARE
</maml:para>
<maml:para>* \REGISTRY\MACHINE\SAM
</maml:para>
</maml:description>
<command:syntax><command:syntaxItem><maml:name>New-SysmonRegistryEvent</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to XML config file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>Action to take when an event matches the filter.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Condition for filtering against an event field.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Event field to filter on.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>Value of Event Field to filter on.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
<command:syntaxItem><maml:name>New-SysmonRegistryEvent</maml:name>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name>
<maml:Description><maml:para>Path to XML config file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>Action to take when an event matches the filter.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Condition for filtering against an event field.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Event field to filter on.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>Value of Event Field to filter on.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:syntaxItem>
</command:syntax>
<command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name>
<maml:Description><maml:para>Path to XML config file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name>
<maml:Description><maml:para>Path to XML config file.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">Object</command:parameterValue>
<dev:type><maml:name>Object</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name>
<maml:Description><maml:para>Action to take when an event matches the filter.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name>
<maml:Description><maml:para>Condition for filtering against an event field.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name>
<maml:Description><maml:para>Event field to filter on.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String</command:parameterValue>
<dev:type><maml:name>String</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name>
<maml:Description><maml:para>Value of Event Field to filter on.
</maml:para>
</maml:Description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type><maml:name>String[]</maml:name>
<maml:uri /></dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
</command:parameters>
<command:inputTypes></command:inputTypes>
<command:returnValues></command:returnValues>
<maml:alertSet><maml:alert><maml:para>
</maml:para>
</maml:alert>
</maml:alertSet>
<command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title>
<dev:code></dev:code>
<dev:remarks><maml:para>
</maml:para>
</dev:remarks>
</command:example>
</command:examples>
<command:relatedLinks></command:relatedLinks>
</command:command>
</helpItems>