This topic explains how you can continuously gather PowerShell events into InTrust repositories and, if necessary, forward them to a SIEM solution of your choice for analysis. The functionality described here is part of the feature set provided by InTrust Deployment Manager. To proceed, run this console and connect to your InTrust organization.
You can store your PowerShell audit data either in one of your existing repositories or in a dedicated repository. A dedicated repository is recommended if you intend to forward the incoming data to a SIEM solution.
If you want to create a new repository, go to the Storage view, click the New button and follow the steps. For details, see Managing Repositories.
You need a dedicated collection for PowerShell events. Go to the Collections view and take the following steps:
For more details, see Managing Collections.
If you want to forward your collected PowerShell data, take the following steps:
If you just want to archive your PowerShell audit data without real-time awareness of what is going on, you may want to use task-based gathering. This kind of gathering is also the only option if you want to collect data without installing InTrust agents on the audited computers.
The functionality described here is part of the feature set provided by InTrust Manager. To proceed, run this console and connect to your InTrust organization.
To implement the simplest configuration for this scenario, create the following:
After you have set up these configuration objects, click the Commit button in the toolbar to put the workflow in effect.
For details about the particular procedures involved in this configuration, see the following topics:
To match the Windows PowerShell Operational Log and Windows PowerShell Core Operational Log data sources that are available out of the box, Repository Viewer provides the Threat Hunting | Windows | PowerShell search folder with dedicated predefined searches. You can use these searches directly or make custom searches based on them to better suit your needs.
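Before you configure collection, it is worth confirming on an audited computer that the two source logs behind these data sources exist, are enabled and actually contain script block logging events. The following PowerShell is an added example, not part of the InTrust documentation; it assumes the standard Windows log names for Windows PowerShell 5.x and PowerShell 7, and that event ID 4104 (script block logging) is what you expect the predefined searches to find.

```powershell
# Added example (not from the InTrust documentation): run on an audited
# computer to check that the source logs InTrust reads from exist, are
# enabled and are producing script block logging events (ID 4104).
# Log names are an assumption based on the standard Windows channels.
function Test-PowerShellAuditLogs {
    param(
        [int]$LookbackHours = 24,
        [string[]]$LogName = @(
            'Microsoft-Windows-PowerShell/Operational',   # Windows PowerShell Operational Log
            'PowerShellCore/Operational'                  # Windows PowerShell Core Operational Log
        )
    )
    $since = (Get-Date).AddHours(-$LookbackHours)
    foreach ($name in $LogName) {
        # -ListLog returns the channel configuration, or nothing if the log is absent
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            [pscustomobject]@{ Log = $name; Exists = $false; Enabled = $false; Records = 0; ScriptBlocks = 0 }
            continue
        }
        # 4104 is the script block logging event; Get-WinEvent reports an error
        # rather than an empty result when nothing matches, so suppress it.
        $blocks = @(Get-WinEvent -FilterHashtable @{ LogName = $name; Id = 4104; StartTime = $since } `
                                 -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Log          = $name
            Exists       = $true
            Enabled      = $log.IsEnabled
            Records      = $log.RecordCount
            ScriptBlocks = $blocks.Count
        }
    }
}

Test-PowerShellAuditLogs | Format-Table -AutoSize
```

A log that exists but shows zero 4104 events in the lookback window usually means script block logging is not enabled by policy on that host, so InTrust would have nothing meaningful to gather from it.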
For details about running searches and preparing scheduled reports on your repository data, see Searching for Events in Repository Viewer.