en-US/Posh-SysMon-help.xml
<?xml version="1.0" encoding="utf-8"?>
<helpItems schema="maml" xmlns="http://msh"> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-SysmonEventData</command:name> <command:verb>Get</command:verb> <command:noun>SysmonEventData</command:noun> <maml:description> <maml:para>Searches for the specified SysMon events and returns their Event Data as a custom object.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Searches for the specified SysMon events and returns their Event Data as a custom object.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-SysmonEventData</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventId</maml:name> <maml:Description> <maml:para>Sysmon Event ID(s) of the records to return.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32[]</command:parameterValue> <dev:type> <maml:name>Int32[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>MaxEvents</maml:name> <maml:Description> <maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. 
The default is to return all the events in the logs or files.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>StartTime</maml:name> <maml:Description> <maml:para>Start date of the search; events from this date forward are returned.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type> <maml:name>DateTime</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>EndTime</maml:name> <maml:Description> <maml:para>End date of the event search.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type> <maml:name>DateTime</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-SysmonEventData</maml:name> <command:parameter required="false" variableLength="true" globbing="false" 
pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>Event type that a rule can be written against.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>MaxEvents</maml:name> <maml:Description> <maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. The default is to return all the events in the logs or files.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>StartTime</maml:name> <maml:Description> <maml:para>Start date of the search; events from this date forward are returned.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type> <maml:name>DateTime</maml:name> 
<maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>EndTime</maml:name> <maml:Description> <maml:para>End date of the event search.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type> <maml:name>DateTime</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventId</maml:name> <maml:Description> <maml:para>Sysmon Event ID(s) of the records to return.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32[]</command:parameterValue> <dev:type> <maml:name>Int32[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>Event type that a rule can be written against.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>MaxEvents</maml:name> <maml:Description> <maml:para>Specifies the maximum number of events that Get-WinEvent returns. Enter an integer. 
The default is to return all the events in the logs or files.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>0</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName, ByValue)" position="named" aliases="PSPath"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Specifies a path to one or more exported SysMon events in evtx format.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>StartTime</maml:name> <maml:Description> <maml:para>Start date of the search; events from this date forward are returned.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type> <maml:name>DateTime</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <maml:name>EndTime</maml:name> <maml:Description> <maml:para>End date of the event search.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type> <maml:name>DateTime</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> 
<command:examples> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>Get-SysMonEventData -EventId 1 -MaxEvents 10 -EndTime (Get-Date) -StartTime (Get-Date).AddDays(-1)</dev:code> <dev:remarks> <maml:para>Process creation events from the last 24 hours, capped at 10 by -MaxEvents.</maml:para> </dev:remarks> </command:example> <command:example> <maml:title>-------------------------- EXAMPLE 2 --------------------------</maml:title> <dev:code>Get-SysMonEventData -EventId 3 -MaxEvents 20 -Path .\export.evtx</dev:code> <dev:remarks> <maml:para>The last 20 network connection events from an exported SysMon log.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks /> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-SysmonHashingAlgorithm</command:name> <command:verb>Get</command:verb> <command:noun>SysmonHashingAlgorithm</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> </maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> 
<maml:name>Get-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> 
</command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonHashingAlgorithm.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-SysmonRule</command:name> <command:verb>Get</command:verb> <command:noun>SysmonRule</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> </maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" 
pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">ALL</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">NetworkConnect</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessTerminate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DriverLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RawAccessRead</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateStreamHash</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RegistryEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PipeEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WmiEvent</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> 
<dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">ALL</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">NetworkConnect</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessTerminate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DriverLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RawAccessRead</command:parameterValue> 
<command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateStreamHash</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RegistryEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PipeEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WmiEvent</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter 
required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" 
xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Get-SysmonRuleFilter</command:name> <command:verb>Get</command:verb> <command:noun>SysmonRuleFilter</command:noun> <maml:description> <maml:para>Get the configured filters for a specified Event Type Rule in a Sysmon configuration file.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Get the configured filters for a specified Event Type Rule in a Sysmon configuration file.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>Event type rule to get filter for.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> 
</dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" 
variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>Event type rule to get filter for.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>Get-SysmonRuleFilter -Path C:\sysmon.xml -EventType ProcessCreate</dev:code> <dev:remarks> <maml:para>Get the filter under the ProcessCreate Rule.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Get-SysmonRule.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" 
xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonConfiguration</command:name> <command:verb>New</command:verb> <command:noun>SysmonConfiguration</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> </maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonConfiguration</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>HashingAlgorithm</maml:name> <maml:Description> <maml:para>{{Fill HashingAlgorithm Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">ALL</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MD5</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SHA1</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SHA256</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IMPHASH</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" 
variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="10" aliases="none"> <maml:name>RawAccessRead</maml:name> <maml:Description> <maml:para>{{Fill RawAccessRead Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="11" aliases="none"> <maml:name>CheckRevocation</maml:name> <maml:Description> <maml:para>{{Fill CheckRevocation Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="12" aliases="none"> <maml:name>RegistryEvent</maml:name> <maml:Description> <maml:para>{{Fill RegistryEvent Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="13" aliases="none"> <maml:name>FileCreate</maml:name> <maml:Description> <maml:para>{{Fill FileCreate Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="14" aliases="none"> 
<maml:name>FileCreateStreamHash</maml:name> <maml:Description> <maml:para>{{Fill FileCreateStreamHash Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="15" aliases="none"> <maml:name>PipeEvent</maml:name> <maml:Description> <maml:para>{{Fill PipeEvent Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="16" aliases="none"> <maml:name>WmiEvent</maml:name> <maml:Description> <maml:para>{{Fill WmiEvent Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>NetworkConnect</maml:name> <maml:Description> <maml:para>{{Fill NetworkConnect Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>DriverLoad</maml:name> <maml:Description> <maml:para>{{Fill DriverLoad Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" 
globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>ImageLoad</maml:name> <maml:Description> <maml:para>{{Fill ImageLoad Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>CreateRemoteThread</maml:name> <maml:Description> <maml:para>{{Fill CreateRemoteThread Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="6" aliases="none"> <maml:name>FileCreateTime</maml:name> <maml:Description> <maml:para>{{Fill FileCreateTime Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="7" aliases="none"> <maml:name>ProcessCreate</maml:name> <maml:Description> <maml:para>{{Fill ProcessCreate Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="8" aliases="none"> <maml:name>ProcessTerminate</maml:name> <maml:Description> <maml:para>{{Fill ProcessTerminate Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> 
<dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="9" aliases="none"> <maml:name>ProcessAccess</maml:name> <maml:Description> <maml:para>{{Fill ProcessAccess Description}}</maml:para> </maml:Description> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>Comment</maml:name> <maml:Description> <maml:para>{{Fill Comment Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>SchemaVersion</maml:name> <maml:Description> <maml:para>{{Fill SchemaVersion Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">4.0</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">4.1</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="11" aliases="none"> <maml:name>CheckRevocation</maml:name> <maml:Description> 
<maml:para>{{Fill CheckRevocation Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>Comment</maml:name> <maml:Description> <maml:para>{{Fill Comment Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>CreateRemoteThread</maml:name> <maml:Description> <maml:para>{{Fill CreateRemoteThread Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>DriverLoad</maml:name> <maml:Description> <maml:para>{{Fill DriverLoad Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="13" 
aliases="none"> <maml:name>FileCreate</maml:name> <maml:Description> <maml:para>{{Fill FileCreate Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="14" aliases="none"> <maml:name>FileCreateStreamHash</maml:name> <maml:Description> <maml:para>{{Fill FileCreateStreamHash Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="6" aliases="none"> <maml:name>FileCreateTime</maml:name> <maml:Description> <maml:para>{{Fill FileCreateTime Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>HashingAlgorithm</maml:name> <maml:Description> <maml:para>{{Fill HashingAlgorithm Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" 
variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>ImageLoad</maml:name> <maml:Description> <maml:para>{{Fill ImageLoad Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>NetworkConnect</maml:name> <maml:Description> <maml:para>{{Fill NetworkConnect Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="15" aliases="none"> <maml:name>PipeEvent</maml:name> <maml:Description> <maml:para>{{Fill PipeEvent Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> 
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="9" aliases="none"> <maml:name>ProcessAccess</maml:name> <maml:Description> <maml:para>{{Fill ProcessAccess Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="7" aliases="none"> <maml:name>ProcessCreate</maml:name> <maml:Description> <maml:para>{{Fill ProcessCreate Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="8" aliases="none"> <maml:name>ProcessTerminate</maml:name> <maml:Description> <maml:para>{{Fill ProcessTerminate Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="10" aliases="none"> <maml:name>RawAccessRead</maml:name> <maml:Description> <maml:para>{{Fill RawAccessRead Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> 
<maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="12" aliases="none"> <maml:name>RegistryEvent</maml:name> <maml:Description> <maml:para>{{Fill RegistryEvent Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>SchemaVersion</maml:name> <maml:Description> <maml:para>{{Fill SchemaVersion Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="16" aliases="none"> <maml:name>WmiEvent</maml:name> <maml:Description> <maml:para>{{Fill WmiEvent Description}}</maml:para> </maml:Description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>False</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> 
<command:inputType> <dev:type> <maml:name>System.Management.Automation.SwitchParameter</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonConfiguration.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonDriverLoadFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonDriverLoadFilter</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> </maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonDriverLoadFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> 
<maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoaded</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Hashes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Signed</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Signature</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> 
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonDriverLoadFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> 
<dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue 
required="false" command:variableLength="false">ImageLoaded</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Hashes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Signed</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Signature</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValue 
required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" 
variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> 
</maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonDriverLoadFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonFileCreateFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonFileCreateFilter</command:noun> <maml:description> <maml:para>Create a new filter for logging file creation.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create a new filter for logging file creation.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonFileCreateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True 
(ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against and event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" 
position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonFileCreateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against and event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" 
variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> 
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against and event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter 
required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Optional rule name for the filter, used to identify the rule in the configuration.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para>OnMatch decides whether matching events are logged (include) or suppressed (exclude). An over-broad exclude rule silently creates a blind spot in the log, so keep exclusions as narrow as possible.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>New-SysmonFileCreateFilter -Path .\config.xml -OnMatch include -Condition EndWith -EventField Image -Value 'powershell.exe'</dev:code> <dev:remarks> <maml:para>Log file creation events for files written by a process whose image path ends with powershell.exe.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonFileCreateStreamHash</command:name> <command:verb>New</command:verb> 
<command:noun>SysmonFileCreateStreamHash</command:noun> <maml:description> <maml:para>Create a new filter for the logging of data written to a file stream (Sysmon FileCreateStreamHash events).</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create a new filter for the logging of data written to a file stream (Sysmon FileCreateStreamHash events), which also record a hash of the stream contents.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonFileCreateStreamHash</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Action when the rule matches: 'include' logs matching events, 'exclude' suppresses them. Keep exclude rules narrow, since an over-broad exclusion silently creates a blind spot in the log.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" 
pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonFileCreateStreamHash</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter 
required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against and event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> 
</command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against and event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> 
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para>OnMatch decides whether matching events are logged (include) or suppressed (exclude). An over-broad exclude rule silently creates a blind spot in the log, so keep exclusions as narrow as possible.</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>New-SysmonFileCreateStreamHash -Path .\config.xml -OnMatch include -Condition EndWith -EventField Image -Value 'chrome.exe'</dev:code> <dev:remarks> <maml:para>Log FileCreateStreamHash events for file streams written by a process whose image path ends with chrome.exe (for example, files downloaded by the browser).</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks /> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonFileCreateStreamHashFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonFileCreateStreamHashFilter</command:noun> <maml:description> <maml:para>Create a new filter for the logging of data written to a file stream (Sysmon FileCreateStreamHash events).</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create a new filter for the logging of data written to a file stream (Sysmon FileCreateStreamHash events), which also record a hash of the stream contents.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonFileCreateStreamHashFilter</maml:name> <command:parameter required="true" 
variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against and event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" 
globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonFileCreateStreamHashFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> 
</command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against and event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> 
</command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against and event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> 
<dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> 
<command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonFileCreateStreamHashFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonImageLoadFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonImageLoadFilter</command:noun> <maml:description> <maml:para>Create a new filter for the logging of image (module) loads.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create a new filter for the logging of image loads (Sysmon ImageLoad events). Image load rules can match on the loaded image path, its hashes and its signature status, which is useful for catching unsigned or unexpected modules loaded into trusted processes.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonImageLoadFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Action when the rule matches: 'include' logs matching events, 'exclude' suppresses them. Keep exclude rules narrow, since an over-broad exclusion silently creates a blind spot in the log.</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> 
<command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field. Substring conditions such as Contains can match more than intended; prefer Is or EndWith when the exact value is known.</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> 
<command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoaded</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Hashes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Signed</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Signature</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileVersion</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Description</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Product</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Company</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> 
<dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonImageLoadFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" 
position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessGuid</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">ProcessId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoaded</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Hashes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Signed</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Signature</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileVersion</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Description</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Product</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Company</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName 
Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> 
<maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> 
<command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonImageLoadFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonNetworkConnectFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonNetworkConnectFilter</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> </maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> 
<maml:name>New-SysmonNetworkConnectFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">User</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Protocol</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Initiated</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourceIsIpv6</command:parameterValue> 
<command:parameterValue required="false" command:variableLength="false">SourceIp</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourceHostname</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourcePort</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourcePortName</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationIsIpv6</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationIp</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationHostname</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationPort</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationPortName</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName 
Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonNetworkConnectFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" 
command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">User</command:parameterValue> 
<command:parameterValue required="false" command:variableLength="false">Protocol</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Initiated</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourceIsIpv6</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourceIp</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourceHostname</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourcePort</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SourcePortName</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationIsIpv6</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationIp</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationHostname</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationPort</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DestinationPortName</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri 
/> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> 
<maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> 
</dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonPipeEvent</command:name> <command:verb>New</command:verb> <command:noun>SysmonPipeEvent</command:noun> 
<maml:description> <maml:para>Create a new filter for when a Named Pipe is created or connected.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create a new filter for when a Named Pipe is created or connected. Useful for watching malware inter-process communication.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonPipeEvent</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Event type on match action.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True 
(ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonPipeEvent</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" 
variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> 
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter 
required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks /> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonPipeFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonPipeFilter</command:noun> <maml:description> <maml:para>Create a new filter for when a Named Pipe is created or connected.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create a new filter for when a Named Pipe is created or connected. 
Useful for watching malware inter-process communication.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonPipeFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" 
variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonPipeFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> 
</maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> 
</maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an 
event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 
--------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonProcessAccessFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonProcessAccessFilter</command:noun> <maml:description> <maml:para>Create a new filter for the logging of when a running process opens another.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create a new filter for the logging of when a running process opens a handle to another process, for example a credential-dumping tool opening lsass.exe. Process access events are high-volume, so scope include rules tightly and pair them with exclude rules for known-good tooling.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonProcessAccessFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on 
match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the 
filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonProcessAccessFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> 
<maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" 
aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> 
<maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>New-SysmonProcessAccessFilter -Path .\testver31.xml -OnMatch include -Condition Contains -EventField TargetImage lsass.exe</dev:code> <dev:remarks> <maml:para>Log any process that opens a handle to lsass.exe, a common indicator of credential dumping. Because Contains matches anywhere in the TargetImage path, this rule also fires for any image whose path merely contains the string; use the EndWith condition with \lsass.exe for a tighter match. On its own the rule is noisy (legitimate security and management software also opens lsass.exe), so narrow it with further conditions or add an exclude rule for known-good tooling.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonNetworkConnectFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> 
<command:name>New-SysmonProcessCreateFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonProcessCreateFilter</command:noun> <maml:description> <maml:para>Create a new filter for the logging of process creation events.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create a new filter for the logging of process creation events. Filters can match on fields such as Image, CommandLine, ParentImage, User and Hashes, which makes this the primary rule type for spotting suspicious execution chains.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonProcessCreateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Filter action on match: include (log events that match this rule) or exclude (suppress events that match this rule).</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValueGroup> 
<command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">CommandLine</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">User</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LogonGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LogonId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">TerminalSessionId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IntegrityLevel</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Hashes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ParentProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ParentProcessId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ParentImage</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ParentCommandLine</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileVersion</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Description</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Product</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Company</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> 
<maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonProcessCreateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" 
variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValueGroup> 
<command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">CommandLine</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">User</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LogonGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LogonId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">TerminalSessionId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IntegrityLevel</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Hashes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ParentProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ParentProcessId</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ParentImage</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ParentCommandLine</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileVersion</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Description</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Product</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">Company</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> 
<maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> 
<maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> 
<maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessCreateFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonProcessTerminateFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonProcessTerminateFilter</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> </maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonProcessTerminateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> 
<maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessId</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonProcessTerminateFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path 
Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">UtcTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessGuid</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessId</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True 
(ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" 
globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>{{Fill RuleName Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> 
<maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonRegistryEvent</command:name> <command:verb>New</command:verb> <command:noun>SysmonRegistryEvent</command:noun> <maml:description> <maml:para>Create a new filter for the actions against the registry.</maml:para> </maml:description> </command:details> 
<maml:description> <maml:para>Create a new filter for actions against the registry. Supports filtering by any of the following event types:</maml:para> <maml:para>* CreateKey</maml:para> <maml:para>* DeleteKey</maml:para> <maml:para>* RenameKey</maml:para> <maml:para>* CreateValue</maml:para> <maml:para>* DeleteValue</maml:para> <maml:para>* RenameValue</maml:para> <maml:para>* SetValue</maml:para> <maml:para></maml:para> <maml:para>Hives in TargetObject are referenced as:</maml:para> <maml:para>* \REGISTRY\MACHINE\HARDWARE</maml:para> <maml:para>* \REGISTRY\USER\Security ID number</maml:para> <maml:para>* \REGISTRY\MACHINE\SECURITY</maml:para> <maml:para>* \REGISTRY\USER\.DEFAULT</maml:para> <maml:para>* \REGISTRY\MACHINE\SYSTEM</maml:para> <maml:para>* \REGISTRY\MACHINE\SOFTWARE</maml:para> <maml:para>* \REGISTRY\MACHINE\SAM</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonRegistryEvent</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to the XML configuration file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Action to apply when the filter matches.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" 
position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of the event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonRegistryEvent</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to the XML configuration file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" 
variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Action to take when the filter matches.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> 
<command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Action to take when the filter matches.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> 
<command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code></dev:code> <dev:remarks> <maml:para></maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks /> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>New-SysmonRegistryFilter</command:name> <command:verb>New</command:verb> <command:noun>SysmonRegistryFilter</command:noun> <maml:description> <maml:para>Create a new filter for the actions against the registry.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Create 
a new filter for actions against the registry. Supports filtering by any of the following event types: * CreateKey</maml:para> <maml:para>* DeleteKey</maml:para> <maml:para>* RenameKey</maml:para> <maml:para>* CreateValue</maml:para> <maml:para>* DeleteValue</maml:para> <maml:para>* RenameValue</maml:para> <maml:para>* SetValue</maml:para> <maml:para></maml:para> <maml:para>Hives on Schema 3.2 in TargetObject are referenced as: * \REGISTRY\MACHINE\HARDWARE</maml:para> <maml:para>* \REGISTRY\USER\Security ID number</maml:para> <maml:para>* \REGISTRY\MACHINE\SECURITY</maml:para> <maml:para>* \REGISTRY\USER\.DEFAULT</maml:para> <maml:para>* \REGISTRY\MACHINE\SYSTEM</maml:para> <maml:para>* \REGISTRY\MACHINE\SOFTWARE</maml:para> <maml:para>* \REGISTRY\MACHINE\SAM</maml:para> <maml:para></maml:para> <maml:para>Hives on Schema 3.3 and above in TargetObject are referenced as: * HKLM</maml:para> <maml:para>* HKCR</maml:para> <maml:para>* HKEY_USER</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>New-SysmonRegistryFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Action to take when the filter matches.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> 
<dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> 
<dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>New-SysmonRegistryFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Action to take when the filter matches.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> 
<dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Path to XML config file.</maml:para> </maml:Description> <command:parameterValue required="true" 
variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Action to take when the filter matches.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>Condition for filtering against an event field.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>Event field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>Value of Event Field to filter on.</maml:para> </maml:Description> <command:parameterValue required="true" 
variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>RuleName</maml:name> <maml:Description> <maml:para>Rule Name for the filter.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes /> <command:returnValues /> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- EXAMPLE 1 --------------------------</maml:title> <dev:code>New-SysmonRegistryFilter -Path .\32config.xml -OnMatch include -Condition Contains -EventField TargetObject 'RunOnce'</dev:code> <dev:remarks> <maml:para>Capture persistence attempts that create a registry entry under the RunOnce keys.</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>Online Version:</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/New-SysmonProcessTerminateFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Remove-SysmonRule</command:name> <command:verb>Remove</command:verb> <command:noun>SysmonRule</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> 
</maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NetworkConnect</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessTerminate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DriverLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">CreateRemoteThread</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">RawAccessRead</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateStreamHash</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RegistryEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PipeEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WmiEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RuleName</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Remove-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> 
<maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NetworkConnect</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessTerminate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DriverLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">CreateRemoteThread</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RawAccessRead</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateStreamHash</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RegistryEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreate</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">PipeEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WmiEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RuleName</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> 
<maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> 
<maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRule.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Remove-SysmonRuleFilter</command:name> <command:verb>Remove</command:verb> <command:noun>SysmonRuleFilter</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> </maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> 
</command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NetworkConnect</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessTerminate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DriverLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">CreateRemoteThread</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RawAccessRead</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateStreamHash</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RegistryEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PipeEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WmiEvent</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> 
<dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">LessThan</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Remove-SysmonRuleFilter</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter 
required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NetworkConnect</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessTerminate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DriverLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">CreateRemoteThread</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RawAccessRead</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateStreamHash</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RegistryEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PipeEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WmiEvent</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> 
<maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Is</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IsNot</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Contains</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Excludes</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Image</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">BeginWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">EndWith</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">LessThan</command:parameterValue> 
<command:parameterValue required="false" command:variableLength="false">MoreThan</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="3" aliases="none"> <maml:name>Condition</maml:name> <maml:Description> <maml:para>{{Fill Condition Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True 
(ByPropertyName)" position="4" aliases="none"> <maml:name>EventField</maml:name> <maml:Description> <maml:para>{{Fill EventField Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" 
aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="5" aliases="none"> <maml:name>Value</maml:name> <maml:Description> <maml:para>{{Fill Value Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> 
</command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Remove-SysmonRuleFilter.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Set-SysmonHashingAlgorithm</command:name> <command:verb>Set</command:verb> <command:noun>SysmonHashingAlgorithm</command:noun> <maml:description> <maml:para>Sets the hash algorithm(s) recorded in a Sysmon configuration file.</maml:para> </maml:description> </command:details> <maml:description> <maml:para>Sets the hashing algorithm(s) in the Sysmon configuration file given by -Path or -LiteralPath. Accepted values are ALL, MD5, SHA1, SHA256 and IMPHASH. MD5 and SHA1 are collision-prone, so they should not be the sole hash when the recorded values feed allowlists or threat-intelligence matching; prefer SHA256 (or ALL).</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Literal path to the Sysmon configuration file to modify; used exactly as typed. Alias: PSPath.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>HashingAlgorithm</maml:name> <maml:Description> <maml:para>One or more hash algorithms to record: ALL, MD5, SHA1, SHA256 or IMPHASH. Prefer SHA256 (or ALL) over the collision-prone MD5 and SHA1.</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">ALL</command:parameterValue> <command:parameterValue 
required="false" command:variableLength="false">MD5</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SHA1</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SHA256</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">IMPHASH</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Set-SysmonHashingAlgorithm</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>HashingAlgorithm</maml:name> <maml:Description> <maml:para>{{Fill HashingAlgorithm Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">ALL</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">MD5</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SHA1</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">SHA256</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">IMPHASH</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>HashingAlgorithm</maml:name> <maml:Description> <maml:para>One or more hash algorithms to record: ALL, MD5, SHA1, SHA256 or IMPHASH. MD5 and SHA1 are collision-prone and should not be the sole hash when the recorded values feed allowlists or threat-intelligence matching; prefer SHA256 (or ALL).</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>Literal path to the Sysmon configuration file to modify; used exactly as typed. Alias: PSPath.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to the Sysmon configuration file to modify.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> </dev:type> 
<maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> <command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonHashingAlgorithm.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <command:details> <command:name>Set-SysmonRule</command:name> <command:verb>Set</command:verb> <command:noun>SysmonRule</command:noun> <maml:description> <maml:para>{{Fill in the Synopsis}}</maml:para> </maml:description> </command:details> <maml:description> <maml:para>{{Fill in the Description}}</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" 
position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NetworkConnect</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessTerminate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DriverLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">CreateRemoteThread</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RawAccessRead</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateStreamHash</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RegistryEvent</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">FileCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PipeEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WmiEvent</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>Action</maml:name> <maml:Description> <maml:para>{{Fill Action Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Modify</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Add</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> 
<dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Set-SysmonRule</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>{{Fill Path Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">NetworkConnect</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreateTime</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessTerminate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ImageLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">DriverLoad</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">CreateRemoteThread</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">ProcessAccess</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RawAccessRead</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">FileCreateStreamHash</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">RegistryEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">FileCreate</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">PipeEvent</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">WmiEvent</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> <maml:name>OnMatch</maml:name> <maml:Description> <maml:para>{{Fill OnMatch Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Include</command:parameterValue> <command:parameterValue required="false" command:variableLength="false">Exclude</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>Action</maml:name> <maml:Description> <maml:para>{{Fill Action Description}}</maml:para> </maml:Description> <command:parameterValueGroup> <command:parameterValue required="false" command:variableLength="false">Modify</command:parameterValue> <command:parameterValue required="false" 
command:variableLength="false">Add</command:parameterValue> </command:parameterValueGroup> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="named" aliases="none"> <maml:name>Action</maml:name> <maml:Description> <maml:para>{{Fill Action Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="1" aliases="none"> <maml:name>EventType</maml:name> <maml:Description> <maml:para>{{Fill EventType Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="PSPath"> <maml:name>LiteralPath</maml:name> <maml:Description> <maml:para>{{Fill LiteralPath Description}}</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="2" aliases="none"> 
<maml:name>OnMatch</maml:name> <maml:Description> <maml:para>Whether the rule is an Include or Exclude rule. Exclude rules suppress matching events from the log, so keep them narrow and review them deliberately: an over-broad exclude silently removes telemetry an attacker can hide in.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="True (ByPropertyName)" position="0" aliases="none"> <maml:name>Path</maml:name> <maml:Description> <maml:para>Path to the Sysmon configuration file to modify.</maml:para> </maml:Description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri /> </dev:type> <dev:defaultValue>None</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String[]</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>System.String</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Object</maml:name> </dev:type> <maml:description> <maml:para></maml:para> </maml:description> </command:returnValue> </command:returnValues> <maml:alertSet> <maml:alert> <maml:para></maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <dev:code>PS C:\> {{ Add example code here }}</dev:code> <dev:remarks> <maml:para>{{ Add example description here }}</maml:para> </dev:remarks> </command:example> </command:examples> 
<command:relatedLinks> <maml:navigationLink> <maml:linkText>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md</maml:linkText> <maml:uri>https://github.com/darkoperator/Posh-Sysmon/blob/master/docs/Set-SysmonRule.md</maml:uri> </maml:navigationLink> </command:relatedLinks> </command:command> </helpItems>