How to filter a Powershell Message to NOT send
Hello NXLog folks!!
I'm trying to send all PowerShell alerts to our log server, but I want to exclude those generated by a specific executable. Since the PowerShell transcription doesn't list the exe as $process, but instead in the context info, how does one filter that out? In this case, anything coming from tsm.exe, tsmv.exe or tsmv1.exe.
All insight is welcome
Thanks
TP
Here's a sample of the log:

    CommandInvocation(Set-StrictMode): "Set-StrictMode"
    ParameterBinding(Set-StrictMode): name="Version"; value="1.0"

    Context:
            Severity = Informational
            Host Name = Windows PowerShell ISE Host
            Host Version = 5.1.17134.858
            Host ID = 8ae5c6dd-1af0-4e65-aeac-7a67be38f4e4
            Host Application = C:\Program Files\TSM\TSM.exe
            Engine Version = 1.0
            Runspace ID = f1c12215-0436-4e63-8bf2-2bfadf608c65
            Pipeline ID = 385
            Command Name = Set-StrictMode
            Command Type = Cmdlet
            Script Name =
            Command Path =
            Sequence Number = 53836
            User =
            Connected User =
            Shell ID =
Here's our Log selection snippet:
<Input in>
    Module  im_msvistalog
    # A multi-line Query value needs a trailing backslash on every line but the
    # last. An empty <Select> is not a valid XPath, so each channel selects "*"
    # (all events); the System filter is prefixed with "*" for the same reason.
    Query   <QueryList>                                                                                        \
                <Query Id="0">                                                                                 \
                    <Select Path="Security">*</Select>                                                         \
                    <Select Path="System">*[System/Level=4]</Select>                                           \
                    <Select Path="Application">*</Select>                                                      \
                    <Select Path="Setup">*</Select>                                                            \
                    <Select Path="Windows PowerShell">*</Select>                                               \
                    <Select Path="Microsoft-Windows-AAD/Operational">*</Select>                                \
                    <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select> \
                    <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select>       \
                    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>                          \
                    <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>                       \
                    <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>              \
                    <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>               \
                    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>                             \
                    <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>                               \
                    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>                         \
                    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> \
                    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select> \
                </Query>                                                                                       \
            </QueryList>
</Input>
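One way to do the exclusion, as an added example that is not part of the original post: because the executable only appears inside the rendered message text, the filter is a regular expression on $Message run in the input's Exec, limited to the PowerShell channels via $Channel so events from other logs are never dropped. The Select list is shortened here to the two PowerShell channels; the poster's full list would go in its place. It assumes the "Host Application" field is rendered as shown in the sample event (the classic Windows PowerShell log writes it as "HostApplication=", which the optional whitespace in the pattern also covers).

```nxlog
# Added example, not from the original post or the NXLog project.
<Input in>
    Module  im_msvistalog
    Query   <QueryList>                                                          \
                <Query Id="0">                                                   \
                    <Select Path="Windows PowerShell">*</Select>                 \
                    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> \
                </Query>                                                         \
            </QueryList>

    # im_msvistalog sets $Channel; $Message is the rendered event text including
    # the "Context:" block. The pattern is PCRE with the /i (case-insensitive)
    # flag, so "TSM.exe" in the sample matches too. It is anchored on the field
    # name, so "tsm" elsewhere in the message is ignored, and the leading \\
    # requires a path separator before the file name, so "mytsm.exe" is kept.
    # tsm(v1?)?\.exe covers tsm.exe, tsmv.exe and tsmv1.exe.
    Exec    if ($Channel == 'Windows PowerShell' or                              \
                $Channel =~ /^Microsoft-Windows-PowerShell\//) and               \
               $Message =~ /Host\s*Application\s*=\s*.*\\tsm(v1?)?\.exe/i drop();
</Input>
```

drop() in an input's Exec discards the event before it reaches any route, so nothing about these executables is forwarded; keep a local copy of the dropped volume in mind when tuning, since a filter this broad also hides anything that runs under those host names.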