en-US/Posh-SysMon-help.xml
<?xml version="1.0" encoding="utf-8"?>
<helpItems schema="maml"> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>Get-SysmonEventData</command:name> <command:verb>Get</command:verb> <command:noun>SysmonEventData</command:noun> <maml:description><maml:para>Searches for specified SysMon Events and returns the Event Data as a custom object. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Searches for specified SysMon Events and returns the Event Data as a custom object. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>Get-SysmonEventData</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventId</maml:name> <maml:Description><maml:para>Sysmon Event ID of the records to show. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32[]</command:parameterValue> <dev:type><maml:name>Int32[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>MaxEvents</maml:name> <maml:Description><maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type><maml:name>Int32</maml:name> <maml:uri /></dev:type> <dev:defaultValue>0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"><maml:name>Path</maml:name> <maml:Description><maml:para>Specifies a path to one or more exported SysMon events in evtx format. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>StartTime</maml:name> <maml:Description><maml:para>Start date from which to return all events going forward. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type><maml:name>DateTime</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>EndTime</maml:name> <maml:Description><maml:para>End date for searching events. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type><maml:name>DateTime</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>Get-SysmonEventData</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>EventType that a Rule can be written against. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>MaxEvents</maml:name> <maml:Description><maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type><maml:name>Int32</maml:name> <maml:uri /></dev:type> <dev:defaultValue>0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"><maml:name>Path</maml:name> <maml:Description><maml:para>Specifies a path to one or more exported SysMon events in evtx format. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>StartTime</maml:name> <maml:Description><maml:para>Start date from which to return all events going forward. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type><maml:name>DateTime</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>EndTime</maml:name> <maml:Description><maml:para>End date for searching events. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type><maml:name>DateTime</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventId</maml:name> <maml:Description><maml:para>Sysmon Event ID of the records to show. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32[]</command:parameterValue> <dev:type><maml:name>Int32[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>EventType 
that a Rule can be written against. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>MaxEvents</maml:name> <maml:Description><maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type><maml:name>Int32</maml:name> <maml:uri /></dev:type> <dev:defaultValue>0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"><maml:name>Path</maml:name> <maml:Description><maml:para>Specifies a path to one or more exported SysMon events in evtx format. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>StartTime</maml:name> <maml:Description><maml:para>Start date from which to return all events going forward. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type><maml:name>DateTime</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"><maml:name>EndTime</maml:name> <maml:Description><maml:para>End date for searching events. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type><maml:name>DateTime</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes></command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>Get-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)</dev:code> <dev:remarks><maml:para>All process creation events in the last 24 hours. </maml:para> </dev:remarks> </command:example> <command:example><maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <dev:code>Get-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\export.evtx</dev:code> <dev:remarks><maml:para>Last 20 network connection events from an exported SysMon log. 
</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>Get-SysmonRuleFilter</command:name> <command:verb>Get</command:verb> <command:noun>SysmonRuleFilter</command:noun> <maml:description><maml:para>Get the configured filters for a specified Event Type Rule in a Sysmon configuration file. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Get the configured filters for a specified Event Type Rule in a Sysmon configuration file. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>Get-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type rule to get filter for. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>Get-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>EventType</maml:name> <maml:Description><maml:para>Event type rule to get filter for. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes></command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>Get-SysmonRuleFilter -Path C:\sysmon.xml -EventType ProcessCreate</dev:code> <dev:remarks><maml:para>Get the filter under the ProcessCreate Rule. </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonFileCreateFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonFileCreateFilter</command:noun> <maml:description><maml:para>Create a new filter for the logging of file creation. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Create a new filter for the logging of file creation. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonFileCreateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>New-SysmonFileCreateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes></command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code></dev:code> <dev:remarks><maml:para> </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonFileCreateStreamHash</command:name> <command:verb>New</command:verb> <command:noun>SysmonFileCreateStreamHash</command:noun> <maml:description><maml:para>Create a new filter for logging the saving of data to a file stream. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Create a new filter for logging the saving of data to a file stream. </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonFileCreateStreamHash</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>New-SysmonFileCreateStreamHash</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes></command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>New-SysmonRegistryEvent -Path .\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'</dev:code> <dev:remarks><maml:para>Capture persistence attempts that create a registry entry under the RunOnce keys. </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details><command:name>New-SysmonRegistryEvent</command:name> <command:verb>New</command:verb> <command:noun>SysmonRegistryEvent</command:noun> <maml:description><maml:para>Create a new filter for actions against the registry. </maml:para> </maml:description> </command:details> <maml:description><maml:para>Create a new filter for actions against the registry. 
Supports filtering by any of the following event types: * CreateKey </maml:para> <maml:para>* DeleteKey </maml:para> <maml:para>* RenameKey </maml:para> <maml:para>* CreateValue </maml:para> <maml:para>* DeleteValue </maml:para> <maml:para>* RenameValue </maml:para> <maml:para>* SetValue </maml:para> <maml:para> </maml:para> <maml:para>Hives in TargetObject are referenced as: * \REGISTRY\MACHINE\HARDWARE </maml:para> <maml:para>* \REGISTRY\USER\Security ID number </maml:para> <maml:para>* \REGISTRY\MACHINE\SECURITY </maml:para> <maml:para>* \REGISTRY\USER\.DEFAULT </maml:para> <maml:para>* \REGISTRY\MACHINE\SYSTEM </maml:para> <maml:para>* \REGISTRY\MACHINE\SOFTWARE </maml:para> <maml:para>* \REGISTRY\MACHINE\SAM </maml:para> </maml:description> <command:syntax><command:syntaxItem><maml:name>New-SysmonRegistryEvent</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem><maml:name>New-SysmonRegistryEvent</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters><command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"><maml:name>Path</maml:name> <maml:Description><maml:para>Path to XML config file. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"><maml:name>LiteralPath</maml:name> <maml:Description><maml:para>Path to XML config file. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type><maml:name>Object</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"><maml:name>OnMatch</maml:name> <maml:Description><maml:para>Event type on match action. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"><maml:name>Condition</maml:name> <maml:Description><maml:para>Condition for filtering against an event field. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"><maml:name>EventField</maml:name> <maml:Description><maml:para>Event field to filter on. </maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type><maml:name>String</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"><maml:name>Value</maml:name> <maml:Description><maml:para>Value of Event Field to filter on. 
</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type><maml:name>String[]</maml:name> <maml:uri /></dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes></command:inputTypes> <command:returnValues></command:returnValues> <maml:alertSet><maml:alert><maml:para> </maml:para> </maml:alert> </maml:alertSet> <command:examples><command:example><maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code></dev:code> <dev:remarks><maml:para> </maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks></command:relatedLinks> </command:command> </helpItems>