Actions

Actions available in PowerShell Protect.

Actions are taken when a rule's conditions are met. A rule references an action by name, using an ActionRef node; the name must match the Name of an Action defined in the Actions section.

Actions are specified using the Action node. You need to specify the Name, Type and any Settings for the action. The Name is what rules use to reference the action, the Type selects one of the action types described below, and the Settings depend on the type.

<Action>
  <Name>File</Name>
  <Type>File</Type>
  <Settings>
    <Setting>
      <Name>Path</Name>
      <Value>%temp%\test.txt</Value>
    </Setting>
    <Setting>
      <Name>Format</Name>
      <Value>{appname},{rule}</Value>
    </Setting>
  </Settings>
</Action>

Action Types

File

The File action appends to a file whenever a rule's conditions are satisfied. You will need to define the Path and Format settings for the action.

Settings

Path - The path to the file. This should be a full file path. Environment variables will be expanded. Keep in mind that a path such as %temp%\test.txt resolves to the temp directory of the user running PowerShell, so the audit file is writable by the very user whose activity it records; for anything beyond testing, write to a location that user cannot modify, or ship the records off the host with the TCP or HTTP action.

Format - A formatting string for the format of the message to write.

TCP

The TCP action connects to a TCP host and port and sends a formatted message. This is primarily used for SIEM integration. You will need to specify the HostName, Port and Format settings. The message is sent as a UTF-8 encoded string to the configured host and port.

Settings

HostName - The host name or address to send the message to

Port - The port to send the message to

Format - A formatting string for the format of the message

HTTP

The HTTP action sends HTTP requests to the configured URL using the specified format. The message body is sent as a UTF-8 encoded string.

Settings

Address - The address to send the HTTP request to

Format - A formatting string for the format of the message
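Before deploying a configuration it is worth checking that every ActionRef in a rule names an Action that actually exists and that each Action carries the settings its type requires (Path and Format for File; HostName, Port and Format for TCP; Address and Format for HTTP). The Python script below is an added example written for this page, not part of PowerShell Protect, and the configuration it parses is constructed from the page's Action layout with two deliberate mistakes (a TCP action with no Port, and a rule referencing an action that is never defined).

```python
import xml.etree.ElementTree as ET

# Settings each action type needs, taken from the descriptions on this page.
REQUIRED_SETTINGS = {
    "File": {"Path", "Format"},
    "TCP": {"HostName", "Port", "Format"},
    "HTTP": {"Address", "Format"},
}


def validate(xml_text):
    """Return a list of problems found in a PowerShell Protect configuration.

    An empty list means every ActionRef resolves and every Action has the
    settings its type requires. This check is an added example, not a
    feature of the product.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems = []
    actions = {}

    for action in root.findall("./Actions/Action"):
        name = (action.findtext("Name") or "").strip()
        atype = (action.findtext("Type") or "").strip()
        settings = {
            (s.findtext("Name") or "").strip(): (s.findtext("Value") or "")
            for s in action.findall("./Settings/Setting")
        }
        if not name:
            problems.append("Action without a Name")
            continue
        if name in actions:
            problems.append(f"duplicate action name {name!r}")
        actions[name] = atype
        if atype not in REQUIRED_SETTINGS:
            problems.append(f"action {name!r}: unknown type {atype!r}")
            continue
        for missing in sorted(REQUIRED_SETTINGS[atype] - set(settings)):
            problems.append(f"action {name!r}: missing setting {missing}")
        port = settings.get("Port")
        if atype == "TCP" and port is not None and not port.strip().isdigit():
            problems.append(f"action {name!r}: Port must be numeric")

    for rule in root.findall("./Rules/Rule"):
        rname = (rule.findtext("Name") or "").strip()
        refs = [(r.findtext("Name") or "").strip() for r in rule.findall("./Actions/ActionRef")]
        if not refs:
            problems.append(f"rule {rname!r}: no ActionRef, nothing happens when it matches")
        for ref in refs:
            if ref not in actions:
                problems.append(f"rule {rname!r}: ActionRef {ref!r} does not match any Action")
    return problems


# Constructed configuration: the page's layout with two deliberate mistakes.
BROKEN_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <Rules>
    <Rule>
      <Name>Attempted Web Request</Name>
      <Conditions>
        <Condition>
          <Property>command</Property>
          <Operator>contains</Operator>
          <Value>webrequest</Value>
        </Condition>
      </Conditions>
      <Actions>
        <ActionRef><Name>TCP to Splunk</Name></ActionRef>
        <ActionRef><Name>Write Log</Name></ActionRef>
      </Actions>
    </Rule>
  </Rules>
  <Actions>
    <Action>
      <Name>TCP to Splunk</Name>
      <Type>TCP</Type>
      <Settings>
        <Setting><Name>HostName</Name><Value>12.34.45.67</Value></Setting>
        <Setting><Name>Format</Name><Value>{applicationName},{rule},{UserName}</Value></Setting>
      </Settings>
    </Action>
  </Actions>
</Configuration>
"""

# The same configuration with the dangling ActionRef removed and a Port added.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "<ActionRef><Name>Write Log</Name></ActionRef>\n", ""
).replace(
    "<Setting><Name>Format</Name>",
    "<Setting><Name>Port</Name><Value>514</Value></Setting>\n        <Setting><Name>Format</Name>",
)

if __name__ == "__main__":
    for problem in validate(BROKEN_CONFIG) or ["no problems found"]:
        print(problem)
```

Run the script as-is to see the two reported problems; validate(FIXED_CONFIG) returns an empty list.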

Formatting Strings

You can use formatting strings to configure the output of the various audit actions (File, TCP, HTTP). You can use the following properties in your format strings.

Properties

Script

The complete script content.

ContentPath

The path to the script if it was executed by path (for example .\script.ps1). This will be an empty string if the command was typed at the terminal.

ApplicationName

The name of the application that ran PowerShell. This is typically a string with the format PowerShell_path_version.

UserName

The username of the user that ran the command.

ComputerName

The name of the computer running the command.

Administrator

Whether the PowerShell process has administrative permissions.

DomainName

The domain of the user running the command.

Rule

The rule that triggered the audit.

Timestamp

The UTC time stamp of the message.

Syntax

Each property name is replaced by its value. Put the name of the property in curly braces. The examples on this page mix cases ({applicationName} alongside {UserName}), so the name does not appear to be case-sensitive.

{timestamp}, {applicationName}, {rule}
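To see exactly what a format string produces, and why a value that contains a comma is a problem for a comma-delimited SIEM line, here is the substitution rule implemented in Python. This is an added example written for this page, not PowerShell Protect's own code; the event values are constructed, the case-insensitive matching mirrors how the page's examples mix {applicationName} and {UserName}, and the optional CSV quoting is an addition of this example (the page does not say whether the product quotes values).

```python
import csv
import re

# Constructed audit event using the documented property names (not real output).
SAMPLE_EVENT = {
    "Script": 'Invoke-WebRequest -Uri "http://example.invalid/a,b"',
    "ContentPath": "",  # empty: the command was typed at the terminal
    "ApplicationName": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_5.1",
    "UserName": "alice",
    "ComputerName": "WS01",
    "Administrator": "False",
    "DomainName": "CORP",
    "Rule": "Attempted Web Request",
    "Timestamp": "2024-01-01T00:00:00Z",
}

TOKEN = re.compile(r"\{([A-Za-z]+)\}")


def unknown_properties(format_string, known=SAMPLE_EVENT):
    """Names in braces that are not documented properties (compared case-insensitively)."""
    names = {k.lower() for k in known}
    return [m for m in TOKEN.findall(format_string) if m.lower() not in names]


def csv_quote(value):
    """Quote a value RFC 4180 style when it would otherwise break a comma-delimited line."""
    text = str(value)
    if any(ch in text for ch in ',"\r\n'):
        return '"' + text.replace('"', '""') + '"'
    return text


def render(format_string, event, quote=False):
    """Substitute each {property} with the matching event value.

    Property names are matched case-insensitively. With quote=True each value
    is CSV-quoted (an addition of this example) so a downstream parser can
    recover the fields even when a value contains a comma or newline.
    """
    lookup = {k.lower(): v for k, v in event.items()}

    def substitute(match):
        name = match.group(1).lower()
        if name not in lookup:
            raise KeyError(f"unknown format property {{{match.group(1)}}}")
        value = lookup[name]
        return csv_quote(value) if quote else str(value)

    return TOKEN.sub(substitute, format_string)


def split_fields(line):
    """Parse one rendered line the way a CSV-aware SIEM extraction would."""
    return next(csv.reader([line]))


if __name__ == "__main__":
    fmt = "{timestamp},{applicationName},{rule},{script}"
    print(render(fmt, SAMPLE_EVENT))            # the {script} value splits into two fields
    print(render(fmt, SAMPLE_EVENT, quote=True))  # quoted, so it parses back as one field
```

The second print shows the practical point: {Script} (and any other free-text value) can contain commas and line breaks, so either leave it out of a comma-delimited format or make sure the receiving side can handle quoting.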

Examples

TCP to SIEM

In this example we log any use of a command containing "webrequest" by sending a TCP message to a SIEM (such as Splunk). Note that the Format does not include {Script}: script content can contain commas and line breaks, which would break a comma-delimited line on the SIEM side.

<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <Rules>
    <Rule>
      <Name>Attempted Web Request</Name>
      <Conditions>
        <Condition>
          <Property>command</Property>
          <Operator>contains</Operator>
          <Value>webrequest</Value>
        </Condition>
      </Conditions>
      <Actions>
        <ActionRef>
          <Name>TCP to Splunk</Name>
        </ActionRef>
      </Actions>
    </Rule>
  </Rules>
  <Actions>
    <Action>
      <Name>TCP to Splunk</Name>
      <Type>TCP</Type>
      <Settings>
        <Setting>
          <Name>HostName</Name>
          <Value>12.34.45.67</Value>
        </Setting>
        <Setting>
          <Name>Port</Name>
          <Value>514</Value>
        </Setting>
        <Setting>
          <Name>Format</Name>
          <Value>{applicationName},{rule},{UserName},{ComputerName},{ContentPath},{Administrator},{DomainName}</Value>
        </Setting>
      </Settings>
    </Action>
  </Actions>
</Configuration>
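Before pointing the TCP action at a production SIEM it helps to stand up a throwaway listener and confirm that the records arrive and map back onto the fields in the Format setting. The Python listener below is an added example for this page, not part of PowerShell Protect or Splunk: it accepts UTF-8 TCP data on an ephemeral port, splits each comma-delimited message according to the Format above, and flags records with too few fields instead of silently shifting columns. The page does not say whether the product sends one record per connection or several separated by newlines, so the handler accepts both; the sample message is constructed, not captured output.

```python
import re
import socket
import socketserver
import threading
import time

# The Format setting from the configuration above; field order follows it.
FORMAT = "{applicationName},{rule},{UserName},{ComputerName},{ContentPath},{Administrator},{DomainName}"

# Constructed record shaped like what that Format would produce (not captured output).
SAMPLE_MESSAGE = (
    "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_5.1,"
    "Attempted Web Request,alice,WS01,,False,CORP"
)


def field_names(format_string):
    """Property names in the order they appear in the format string."""
    return re.findall(r"\{([A-Za-z]+)\}", format_string)


def parse_message(line, format_string=FORMAT):
    """Map one comma-delimited message back onto the format string's property names.

    Extra commas (a value that itself contained one) stay in the last field;
    too few fields raises instead of producing a shifted record.
    """
    names = field_names(format_string)
    values = line.rstrip("\r\n").split(",", len(names) - 1)
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}: {line!r}")
    return dict(zip(names, values))


class AuditHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Read until the sender closes the connection; one record per connection
        # and several newline-separated records are both handled (assumption).
        data = self.rfile.read().decode("utf-8", errors="replace")
        for line in data.splitlines():
            if not line.strip():
                continue
            try:
                self.server.records.append(parse_message(line, self.server.format_string))
            except ValueError:
                self.server.records.append({"_unparsed": line})


class AuditServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, format_string=FORMAT):
        super().__init__(address, AuditHandler)
        self.format_string = format_string
        self.records = []


def roundtrip(messages, host="127.0.0.1", timeout=5.0):
    """Start a listener on an ephemeral port, send the messages over one TCP
    connection as UTF-8 (as the page describes), and return what was parsed."""
    server = AuditServer((host, 0))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection((host, port), timeout=timeout) as client:
            client.sendall("\n".join(messages).encode("utf-8"))
        deadline = time.monotonic() + timeout
        while len(server.records) < len(messages) and time.monotonic() < deadline:
            time.sleep(0.01)
    finally:
        server.shutdown()
        server.server_close()
    return list(server.records)


if __name__ == "__main__":
    for record in roundtrip([SAMPLE_MESSAGE, "too,few"]):
        print(record)
```

To test against the real action, bind AuditServer to the address and port in the HostName and Port settings instead of an ephemeral port, and watch the parsed records appear when a command containing "webrequest" is run.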