This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
      • Netwitness XDR
      • EC-Council Training
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
    • Role-Based Training
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions
  • NetWitness Community
  • Discussions
  • Windows Powershell logs
  • Options
    • Subscribe to RSS Feed
    • Mark Topic as New
    • Mark Topic as Read
    • Float this Topic for Current User
    • Bookmark
    • Subscribe
    • Mute
    • Printer Friendly Page

Windows Powershell logs

DELVALERIO
DELVALERIO Beginner
Beginner
Options
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Report Inappropriate Content

‎2017-03-07 01:02 PM

Is anyone processing Windows Powershell Logs with Netwitness?  I am curious what parser is used or did you write a custom parser? 

  • Community Thread
  • Discussion
  • Forum Thread
  • NetWitness
  • NW
  • NWP
  • RSA NetWitness
  • RSA NetWitness Platform
0 Likes
Share
Reply
  • All forum topics
  • Previous Topic
  • Next Topic
3 REPLIES 3

EricPartington
Employee EricPartington
Employee
Options
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Report Inappropriate Content

‎2017-03-07 04:34 PM

Powershell logs can be parsed by the default windows log parsers.  If you download the parser from RSA live and rename the envision file to .zip and extract you can take a look at the parser and see what Powershell messages are extracted and where.

 

The one part that I have not been able to test is the script block logging and what can be seen from that.

 

these are the Powershell logs that I have recently parsed in my environment

 

40962, 40961, 53504, 4100

0 Likes
Share
Reply

DELVALERIO
DELVALERIO Beginner
Beginner
In response to EricPartington
Options
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Report Inappropriate Content

‎2017-03-14 12:39 PM

Thanks Eric.  How did you get the powershell logs into your environment?  We are currently ingesting the Win Security Event logs, but cant figure out how to also grab the powershell logs, without grabbing All the logs. We are collecting from about 16,000 servers and dont want all the other logs.

0 Likes
Share
Reply

EricPartington
Employee EricPartington
Employee
In response to DELVALERIO
Options
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Report Inappropriate Content

‎2017-03-14 01:22 PM

In my test lab I am finding that using Windows Event collection is the best method to gather logs from server and endpoints based on collections and then capture those with WMI from one central computer.  That way you can define the event logs specifically (as well as filters) to get exactly what you want.

 

That is how I am grabbing the powershell logs into NWLogs.

 

Windows client (powershell logs) -> WMI to WEF server -> ForwardedEvents log -> WMI -> NWLogCollector

0 Likes
Share
Reply
Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.