# Sigma generic logsource configuration for PowerShell rules.
#
# Rules are written against abstract logsource categories (ps_module,
# ps_script, ps_classic_*). Each entry under `logsources` below matches a
# rule whose logsource has the listed `category` and `product`, merges the
# `conditions` (an EventID filter) into the generated query, and replaces the
# rule's logsource with `rewrite` so that a backend-specific Windows config can
# then resolve `service` to a concrete event channel. NOTE(review): `order`
# presumably sets precedence among several configs passed to the converter
# (lower applied first) — confirm against the converter's config handling.
title: Conversion of Generic Rules into Powershell Specific EventID Rules
order: 10
logsources:
  # "Modern" PowerShell logging. `service: powershell` is expected to be mapped
  # by the Windows backend config to the Microsoft-Windows-PowerShell/Operational
  # channel, where 4103/4104 are emitted.
  ps_module:
    category: ps_module
    product: windows
    conditions:
      EventID: 4103   # Module Logging: per-module pipeline execution records
    rewrite:
      product: windows
      service: powershell
  ps_script:
    category: ps_script
    product: windows
    conditions:
      EventID: 4104   # Script Block Logging; only present when enabled by policy,
                      # so ps_script rules produce no hits on hosts without it
    rewrite:
      product: windows
      service: powershell
  # for the "classic" channel
  # `service: powershell-classic` is expected to resolve to the legacy
  # "Windows PowerShell" log, which carries the 400/600/800 engine events.
  ps_classic_start:
    category: ps_classic_start
    product: windows
    conditions:
      EventID: 400    # Engine Lifecycle: engine state changed (host/engine start)
    rewrite:
      product: windows
      service: powershell-classic
  ps_classic_provider_start:
    category: ps_classic_provider_start
    product: windows
    conditions:
      EventID: 600    # Provider Lifecycle: provider started
    rewrite:
      product: windows
      service: powershell-classic
  ps_classic_script:
    category: ps_classic_script
    product: windows
    conditions:
      EventID: 800    # Pipeline Execution Details (command/script execution)
    rewrite:
      product: windows
      service: powershell-classic