This document describes how to configure Windows hosts and Azure Sentinel so that PowerShell activity is monitored in Azure Sentinel. This is a 2-step process:
- Enable logging on Windows devices
- Add Windows event logs in Azure Sentinel
Enable logging on Windows devices
We can enable PowerShell logging in the Group Policy Editor. Not all editions of Windows have this installed out of the box. To open the Group Policy Editor, click the Windows Start button and type gpedit.msc.
Navigate to “Computer Configuration” -> “Administrative Templates” -> “Windows Components” -> “Windows PowerShell”.
Double-click “Turn On Module Logging”. In the window that opens, select “Enabled”. Then, under Module Names, click “Show” and enter * as the value to enable logging for all modules.
Do the same for “Turn on Script Block Logging”.
Open PowerShell and run gpupdate /force to apply the new Group Policy settings.
In Event Viewer, we will now be able to see Windows PowerShell events (under “Applications and Services Logs”).
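The following is an added example, not part of the original article: it sets the same two policies the article enables through gpedit.msc by writing the registry values that Group Policy writes, which is useful on editions that ship without the Group Policy Editor, and then confirms that module logging (event 4103) and script block logging (event 4104) actually produce events. The marker string and the five-minute lookback window are the example's own choices; the registry paths, value names and event IDs are the documented ones. Run it from an elevated PowerShell prompt. On a domain-joined machine, a domain GPO with these settings takes precedence over local changes.

```powershell
# Added example: enable PowerShell module and script block logging via the
# policy registry keys, then verify that events 4103/4104 are being written.
#Requires -RunAsAdministrator

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Equivalent of "Turn On Module Logging" with "*" as the module name (all modules)
$moduleKey      = Join-Path $policyRoot 'ModuleLogging'
$moduleNamesKey = Join-Path $moduleKey  'ModuleNames'
New-Item -Path $moduleKey      -Force | Out-Null
New-Item -Path $moduleNamesKey -Force | Out-Null
New-ItemProperty -Path $moduleKey      -Name 'EnableModuleLogging' -PropertyType DWord  -Value 1   -Force | Out-Null
New-ItemProperty -Path $moduleNamesKey -Name '*'                   -PropertyType String -Value '*' -Force | Out-Null

# Equivalent of "Turn on Script Block Logging"
$scriptBlockKey = Join-Path $policyRoot 'ScriptBlockLogging'
New-Item -Path $scriptBlockKey -Force | Out-Null
New-ItemProperty -Path $scriptBlockKey -Name 'EnableScriptBlockLogging' -PropertyType DWord -Value 1 -Force | Out-Null

# Run a harmless command carrying a unique marker in a *new* PowerShell process,
# so the freshly written policy is picked up at startup (constructed test input).
$marker = "PSLoggingCheck-$(Get-Date -Format 'yyyyMMddHHmmss')"
powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null

# Give the event log a moment, then look for the marker in 4103/4104 events.
Start-Sleep -Seconds 2
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4103, 4104
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue

$hits = @($events | Where-Object { $_.Message -like "*$marker*" })
if ($hits.Count -gt 0) {
    "OK: $($hits.Count) event(s) carrying the marker found (IDs: $(($hits.Id | Sort-Object -Unique) -join ', ')); logging is active."
} else {
    "No matching events yet. Check the values under $policyRoot and that the Microsoft-Windows-PowerShell/Operational log is enabled in Event Viewer."
}
```

Expect one 4104 event (the script block text of the command) and at least one 4103 event (the Write-Output invocation) containing the marker. If only 4104 appears, module logging is not in effect; if neither appears, the Operational channel itself is probably disabled.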
Add Windows Event logs in Azure Sentinel
Go to the Log Analytics workspace used by Azure Sentinel. Under “Agents configuration” -> “Windows event logs”, enable all log levels (Error, Warning, and Information) for:
- Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
- Microsoft-Windows-PowerShell/Operational
- Microsoft-Windows-PowerShell/Admin
- Windows PowerShell
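Once the agent configuration is saved, it is worth checking that each of the four channels is actually arriving in the workspace rather than assuming it is. The script below is an added example, not part of the original article. It assumes the Az.Accounts and Az.OperationalInsights modules are installed, that you have reader access to the workspace, and that events are collected by the Log Analytics agent into the Event table (which is where the “Agents configuration” blade sends them). The workspace ID is a placeholder; the 24-hour window is the example's own choice.

```powershell
# Added example: report, per channel and host, how many PowerShell events reached
# the Log Analytics workspace in the last 24 hours, and warn about channels
# that have sent nothing.
Import-Module Az.Accounts, Az.OperationalInsights
Connect-AzAccount | Out-Null

$workspaceId = '<your-workspace-id>'   # placeholder: Log Analytics workspace ID (GUID)

# The four channels enabled in the article
$expected = @(
    'Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-PowerShell/Admin',
    'Windows PowerShell'
)

# KQL run against the Event table: count events by channel and host
$kql = @'
Event
| where TimeGenerated > ago(24h)
| where EventLog has "PowerShell"
| summarize Events = count(), LastSeen = max(TimeGenerated) by EventLog, Computer
| order by EventLog asc, Computer asc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$rows = @($response.Results)
$rows | Format-Table EventLog, Computer, Events, LastSeen -AutoSize

# Flag configured channels with no events at all
$seen = $rows | Select-Object -ExpandProperty EventLog -Unique
foreach ($channel in $expected) {
    if ($seen -notcontains $channel) {
        Write-Warning "No events from '$channel' in the last 24h. Check the agent configuration and that the channel produces events on the host."
    }
}
```

The Operational channel and the classic “Windows PowerShell” log should show events on any host where PowerShell has run since logging was enabled. The Admin channel and the DSC FileDownloadManager channel are sparse by nature, so a warning for those two is not by itself a sign of misconfiguration.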
Using Sentinel to detect PowerShell attacks
This webpage is a good read on how to use Sentinel to detect a PowerShell attack; it focuses specifically on PowerShell obfuscation.
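As an added example of what the collected logs make possible (not part of the original article or the page it refers to), the script below hunts through the 4104 script block events now flowing into the workspace for common obfuscation indicators: encoded commands, Base64 decoding, Invoke-Expression, download cradles, and heavy use of backticks or [char] string building. It reuses the same Az.OperationalInsights query path as the ingestion check above and assumes the same placeholder workspace ID; the indicator list, thresholds and seven-day window are the example's own choices and should be tuned to the environment.

```powershell
# Added example: hunt 4104 script block events for obfuscation indicators.
Import-Module Az.Accounts, Az.OperationalInsights
Connect-AzAccount | Out-Null

$workspaceId = '<your-workspace-id>'   # placeholder: Log Analytics workspace ID (GUID)

# 4104 = "Creating Scriptblock text"; RenderedDescription carries the script text.
# Thresholds (> 5) are illustrative starting points, not tuned values.
$kql = @'
Event
| where TimeGenerated > ago(7d)
| where EventLog == "Microsoft-Windows-PowerShell/Operational" and EventID == 4104
| extend ScriptBlock = tostring(RenderedDescription)
| where ScriptBlock has_any ("EncodedCommand", "FromBase64String", "Invoke-Expression", "IEX", "DownloadString", "GzipStream")
     or countof(ScriptBlock, "`") > 5      // backtick-splitting of keywords
     or countof(ScriptBlock, "[char]") > 5 // strings assembled from char codes
| project TimeGenerated, Computer, Snippet = substring(ScriptBlock, 0, 200)
| order by TimeGenerated desc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$hits = @($response.Results)

if ($hits.Count -eq 0) {
    "No script blocks matched the obfuscation indicators in the last 7 days."
} else {
    "$($hits.Count) suspicious script block(s):"
    $hits | Format-Table TimeGenerated, Computer, Snippet -Wrap
}
```

Because script block logging records every script block once the policy is on, legitimate administration tooling (configuration management, monitoring agents, signed vendor scripts) will also trip some of these indicators; review the matches by host and by the Path shown in the full 4104 message before turning the query into an analytics rule, and add exclusions for known-good scripts rather than loosening the indicators.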