Not getting EventCodes 4103 and 4104 even though l...

weetabixsplunk · ‎12-16-2020

I'm trying to get better visibility of our PowerShell activity in one of my boxes (cola182) so I enabled process Auditing (EventCode 4688) - Which is working perfectly fine.

However, when I attempted to enable Module Logging (4103) and Script Block Logging (4104) it doesn't seem like I am receiving these logs.

I went to Policy Editor > Computer Configuration > Windows Components > Powershell logging and made sure that the following were enabled (literally the 3 of them are showing as enabled):

Turn on Module Logging

Turn on PowerShell Script Block Logging

Turn on PowerShell transcription.

I ran a crappy little test.ps1 script in cola182 in hopes that this activity would be reflected in my splunk logs:

$alert = { "I like chicken salad sandwiches" }
& $alert
& $alert

When I check splunk, I am able to see this activity, but it doesn't come up under 4103

LogName=Windows PowerShell
SourceName=PowerShell
EventCode=800
EventType=4 Type=Information
ComputerName=Cola182
TaskCategory=Pipeline Execution Details
OpCode=Info
RecordNumber=6578
Keywords=Classic Message=Pipeline execution details for command line: .

ParameterBinding(Out-Default): name="InputObject"; value="I like chicken salad sandwiches"

As simple as my initial script is, technically it's a script block. Howcome I'm not able to see this activity? What am I missing?

Thanks!

DavidHourani · ‎01-26-2021

Hi @weetabixsplunk !

Have a look here, and let me know if this helps : https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell

Cheers,

David

Not getting EventCodes 4103 and 4104 even though logging is enabled (powershell).

Windows

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms