I'm trying to get better visibility of our PowerShell activity in one of my boxes (cola182), so I enabled process auditing (EventCode 4688), which is working perfectly fine.
However, when I attempted to enable Module Logging (4103) and Script Block Logging (4104) it doesn't seem like I am receiving these logs.
I went to Policy Editor > Computer Configuration > Windows Components > PowerShell logging and made sure that the following were enabled (literally all 3 of them are showing as enabled):
Turn on Module Logging
Turn on PowerShell Script Block Logging
Turn on PowerShell transcription.
I ran a crappy little test.ps1 script in cola182 in hopes that this activity would be reflected in my splunk logs:
$alert = { "I like chicken salad sandwiches" }
& $alert
& $alert
When I check Splunk, I am able to see this activity, but it doesn't come up under 4103:
LogName=Windows PowerShell
SourceName=PowerShell
EventCode=800
EventType=4 Type=Information
ComputerName=Cola182
TaskCategory=Pipeline Execution Details
OpCode=Info
RecordNumber=6578
Keywords=Classic Message=Pipeline execution details for command line: .
ParameterBinding(Out-Default): name="InputObject"; value="I like chicken salad sandwiches"
As simple as my initial script is, technically it's a script block. How come I'm not able to see this activity? What am I missing?
Thanks!
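As an added example that is not part of the thread, a PowerShell check one could run (elevated) on the host in question: it reads the policy registry values that back the three GPO settings listed above, shows which module names are selected for Module Logging, and queries the Microsoft-Windows-PowerShell/Operational log for 4103/4104 events from the last hour. The registry paths and event log name are the standard Windows ones; the one-hour window is an assumption.

```powershell
# Added example (not from the thread): verify the policy keys behind "Turn on Module Logging",
# "Turn on PowerShell Script Block Logging" and "Turn on PowerShell transcription",
# then look for 4103/4104 in the log where Windows actually writes them.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $base $SubKey
    if (Test-Path $path) {
        (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$Name
    }
}

$settings = [ordered]@{
    'Module Logging (EnableModuleLogging)'            = Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
    'Script Block Logging (EnableScriptBlockLogging)' = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    'Transcription (EnableTranscripting)'             = Get-PolicyValue 'Transcription'      'EnableTranscripting'
}
$settings.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value -eq 1) { 'enabled' } elseif ($null -eq $_.Value) { 'not configured' } else { 'disabled' }
    '{0,-50} {1}' -f $_.Key, $state
}

# Module Logging only emits 4103 for modules listed under ModuleNames ('*' selects all modules).
$moduleNamesPath = Join-Path $base 'ModuleLogging\ModuleNames'
if (Test-Path $moduleNamesPath) {
    $names = (Get-Item $moduleNamesPath).GetValueNames()
    'ModuleNames: {0}' -f $(if ($names) { $names -join ', ' } else { '(none)' })
} else {
    'ModuleNames: key missing (no modules selected, so no 4103 events will be written)'
}

# 4103/4104 go to Microsoft-Windows-PowerShell/Operational, not to the classic
# "Windows PowerShell" log where event 800 (Pipeline Execution Details) lives.
$since  = (Get-Date).AddHours(-1)   # assumed lookback window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4103, 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | Group-Object Id | ForEach-Object { '{0} event(s) with Id {1} since {2}' -f $_.Count, $_.Name, $since }
if (-not $events) {
    'No 4103/4104 events in the last hour; check the settings above and that this Operational log is forwarded to Splunk.'
}
```

If the settings read as enabled and events appear locally but not in Splunk, the forwarder input is the next thing to check, since the classic "Windows PowerShell" log and the Operational log are collected separately.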
Hi @weetabixsplunk!
Have a look here, and let me know if this helps: https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell
Cheers,
David