The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

PowerShell is a task automation and configuration management program from Microsoft. This technology pack processes PowerShell logs.

Requirement(s)

  • Windows 10, Windows 11, or Windows Server 2023

  • PowerShell 5.1 or 7

  • Log delivery agent: Winlogbeat 7.11/8.8 or NXLog 3.2

  • Graylog Server with a valid enterprise license running Graylog version 5.0.3 or later

  • Illuminate 3.4+

Hint: Windows does not log all PowerShell logs by default. If needed, please activate advanced logging via Group Policy or Registry.

Supported Logs/Event IDs

200, 300, 400, 403, 500, 501, 600, 800, 4100, 4101, 4102, 4103, 4104, 4105, 4106, 32784, 40961, 40962, 53504, 53506.

Supported Event Log Names

  • Microsoft-Windows-PowerShell/Operational

  • PowerShellCore/Operational

  • Windows PowerShell

Warning: Windows 11 currently has a bug affecting Winlogbeat. The message field may contain placeholders instead of actual data. While the pack will work with Windows 11 and Winlogbeat, important logging details may be missing. Microsoft is currently working on a patch. For Windows Server 2022, Winlogbeat 8 or NXLog is recommended. Note that Winlogbeat 7 may not ship the message field; this usually appears as an empty message.

This pack will normalize common fields for PowerShell if shipped to one of these three listed event log names.

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Powershell Messages”

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “powershell Logs”

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Examples

These logs come from Windows Event Viewer as evtx files are not human readable.

Requirements

  • The pack works with Winlogbeat and NXlog.

  • (NXLog + Sidecar) NXLog's binaries need to be installed under C:\Program Files (x86)\nxlog or the permissions for Sidecar file access has to be adjusted.

Graylog Sidecar Configuration

Please follow Graylog documentation to install Sidecar. You need to add the following paths in your Winlogbeat or NXLog configuration:

  • Winlogbeat (with Security logs):

    Copy
    winlogbeat:
      event_logs:
       - name: Security
       - name: Microsoft-Windows-PowerShell/Operational
       - name: PowerShellCore/Operational
       - name: Windows PowerShell
  • Example config file for NXLog (with Security logs):

    Copy
    <Input eventlog>
            Module im_msvistalog
            PollInterval 1
            SavePos False
            ReadFromLast True
        <QueryXML>
            <QueryList>
                <Query Id='1'>
                    <Select Path='Security'>*</Select>
                    <Select Path='Windows Powershell'>*</Select>
                    <Select Path='PowerShellCore/Operational'>*</Select>
                    <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>       
    </Input>

    Adjust the host IP and port accordingly to your Graylog server. Configuration files are key sensitive, and correct spacing is necessary. Installation of NXlogs binaries in C:\Program Files (x86)\nxlog is recommended, but if you choose a different location, you must adjust the Sidecar file permissions and define a new ROOT location. If you are not using PowerShellCore (PowerShell 6.x and higher), omit the PowerShellCore line. To capture remote PowerShell access, add path: Microsoft-Windows-WinRM/Operational (not supported by this pack).

    • Graylog Input: Beats with Beats type prefix

    PowerShell Configuration

    • Not all PowerShell logs are logged by default. If needed, activate Script Block Logging (event ID 4104), Module Logging (event ID 4103), and others via group policy.

    • PowerShell version 5 (and lower) and PowerShellCore version 6.x (and higher) have separate policy and registry settings. If you want to log both versions, you need to adjust both keys.

    • PowerShellCore uses PowerShellCore/Operational as an additional log source.
      Attention: Depending on your environment PowerShell logging might generate very large volumes of data.

    What is Provided

    • Rules to normalize and enrich PowerShell log messages

    • Dashboards

    PowerShell Message Processing

    The Illuminate processing of PowerShell log messages provides the following:

    • Field extraction, normalization, and message enrichment for PowerShell log messages.

    • GIM Categorization of the following messages:

      vendor_command_name GIM Event Type Code GIM Event Type
      Add-LocalGroupMember 111007 group member added
      New-LocalUser 110000 account created
      New-LocalGroup 110002 group created
      Enable-LocalUser 112001 account enabled
      Disable-LocalUser 111501 account disabled
      Remove-LocalUser 110500 account locked
      Remove-LocalGroupMember 111008 group member removed
      Remove-LocalGroup 110501 group deleted
      Rename-LocalUser 111003 account renamed
      Rename-LocalGroup 111009 group properties modified
      Set-LocalGroup 111009 group properties modified
      Set-LocalUser 111000 account modified
      Clear-EventLog 220000 audit log cleared
      Start-Process 190000 process started
      Stop-Process 190100 process stopped
      Start-Service 210000 service started
      Stop-Service 210100 service stopped
      Get-LocalGroupMember 119500 group membership enumerated

    PowerShell Spotlight Content Pack

    PowerShell offers one dashboard with four tabs. One overview dashboard and three dashboards around relevant data for sigma rules.