PowerShell records details about its own operations in Windows event logs: starting and stopping the engine and providers, loading modules, and executing commands and script blocks. Because attackers routinely use PowerShell for post-exploitation, enabling this auditing and forwarding the resulting events to a SIEM is important. The following steps describe the configuration:
1- Open the Group Policy Management console and edit the policy that applies to the hosts you want to audit.
2- Enable the required settings under Computer Configuration - Administrative Templates - Windows Components - Windows PowerShell (in particular "Turn on Module Logging" and "Turn on PowerShell Script Block Logging"; "Turn on PowerShell Transcription" writes transcripts to files rather than to the event log).
3- Once auditing is enabled, the events appear in Event Viewer under Applications and Services Logs - Microsoft - Windows - PowerShell - Operational (module logging produces event ID 4103, script block logging produces event ID 4104).
4- The remaining steps show how to add this source to the Logsign Unified SecOps Platform using the WMI integration.
5- WMI only exposes event logs that are registered as "classic" logs, so the Operational channel must be registered by hand. Using Regedit, create a new key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog.
6- The key name must match the channel name exactly, including the forward slash. For PowerShell the key to create is:
Microsoft-Windows-PowerShell/Operational
7- Run gpupdate /force from an elevated command prompt so the policy changes from step 2 take effect.
8- When adding the source in Logsign, select WMI as the integration type, then choose Microsoft-Windows-PowerShell/Operational on the Log File tab to complete the integration.
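The script below is an added example, not part of the original page or of Logsign's own tooling. It performs steps 2, 5, 6 and 7 on a single host from an elevated PowerShell session, using the registry locations that the Group Policy settings write to (useful for a standalone or test machine that is not domain-joined), and then verifies both that PowerShell is logging and that WMI can now see the channel, which is what the Logsign WMI collector depends on. The use of the .NET registry API for step 5 is deliberate: the PowerShell registry provider treats "/" as a path separator, so New-Item with the channel name would create the wrong key. The test command string and the 80-character preview are arbitrary choices for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not Logsign documentation): enable PowerShell auditing,
# register the Operational channel for WMI, apply policy and verify.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$channel    = 'Microsoft-Windows-PowerShell/Operational'

function Ensure-Key {
    # Create a registry key only if it does not already exist.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
}

# Step 2 equivalent: "Turn on PowerShell Script Block Logging" (event ID 4104).
Ensure-Key "$policyRoot\ScriptBlockLogging"
Set-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1

# Step 2 equivalent: "Turn on Module Logging" for every module (event ID 4103).
# The ModuleNames subkey holds one value per module; '*' = '*' means all modules.
Ensure-Key "$policyRoot\ModuleLogging"
Ensure-Key "$policyRoot\ModuleLogging\ModuleNames"
Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
New-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Steps 5 and 6: register the channel under the classic EventLog key so WMI
# (Win32_NTEventlogFile / Win32_NTLogEvent) can enumerate it. The .NET API is
# used because the PowerShell provider would split the name at the '/'.
$eventLogKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\EventLog', $true)
if (-not $eventLogKey.GetSubKeyNames().Contains($channel)) {
    $eventLogKey.CreateSubKey($channel) | Out-Null
}
$eventLogKey.Close()

# Step 7: apply the policy.
gpupdate /force | Out-Null

# Verification 1: generate an event in a fresh process (the policy is read
# at engine start-up) and confirm the channel records 4103/4104 events.
powershell.exe -NoProfile -Command "Write-Output 'powershell-audit-test'" | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 4103, 4104 } -MaxEvents 5 |
    Select-Object TimeCreated, Id,
        @{ Name = 'Preview'; Expression = { ($_.Message -split "`n")[0].Substring(0, [Math]::Min(80, ($_.Message -split "`n")[0].Length)) } }

# Verification 2: WMI should now list the channel, so a remote WMI collector
# such as Logsign can query it. If this returns nothing, recheck the key name
# created in step 6.
Get-CimInstance -ClassName Win32_NTEventlogFile |
    Where-Object { $_.LogfileName -eq $channel } |
    Select-Object LogfileName, FileName, NumberOfRecords
```

On a domain-joined host, prefer the Group Policy route from steps 1 and 2 rather than writing the policy keys directly; the registry writes here will be overwritten by the next policy refresh if the GPO sets different values. Script block logging can be verbose on hosts that run large scripts, so confirm the event volume before pointing the collector at production machines.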