
Microsoft Windows PowerShell

Windows Server – PowerShell

Windows PowerShell is a cross-platform task automation and configuration management framework consisting of a command-line shell and a scripting language. It is built on top of the .NET Common Language Runtime (CLR) and helps IT professionals automate system administration of the Windows operating system and of applications that run on Windows.


Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response for PowerShell. Blumira supports the following Microsoft Windows server operating systems:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012
  • Windows Server 2008R2
  • Windows Server 2008
  • Windows Server 2003R2
  • Windows Server 2003

Blumira provides broad coverage for Windows Server, including log collection using NXLog, command-line logging, DNS debug logging and Winlogbeat.


Recommended: Automated Windows Setup

Recommended: Use Blumira’s automated Windows log setup agent, Poshim (PowerShell Shim), designed to help ensure you’re collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration of NXLog and Sysmon and ships the resulting logs to a target IP address.

See Poshim Setup Instructions


If using Poshim, nothing further is needed on this page. For manual config, continue reading below.



Setting up NXLog for Windows

You will first need to install and configure NXLog on the Windows host using these instructions: https://www.blumira.com/integration/windows-server/

Enable Windows Firewall Logging Using PowerShell

To reduce noise, Blumira recommends configuring the firewall to log only traffic it drops. Allowed traffic can also be sent, but doing so drastically increases noise within your logging infrastructure and effectively logs all traffic from that host. Blumira recommends logging allowed traffic only for a highly sensitive host whose traffic does not traverse any other log source that Blumira captures.

Recommended PowerShell Command

Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True

If significant verbosity is required, use the following command, which also logs allowed connections:

Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
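As an added example (not code from Blumira's page or from Poshim), the script below applies the blocked-only setting to each profile explicitly and verifies the result, then parses pfirewall.log into objects and summarizes inbound drops per source so you can confirm the log is usable before shipping it. The function names and the sample log content are constructed for this illustration.

```powershell
function Set-BlockedOnlyFirewallLogging {
    # Applies the page's recommended settings to every profile, then reports the effective state.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$LogPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log')
    foreach ($profile in 'Domain', 'Private', 'Public') {
        if ($PSCmdlet.ShouldProcess($profile, 'Enable blocked-only firewall logging')) {
            Set-NetFirewallProfile -Name $profile -LogFileName $LogPath `
                -LogBlocked True -LogAllowed False -LogIgnored True
        }
    }
    # Any profile still showing LogAllowed = True is a noise source worth fixing.
    Get-NetFirewallProfile |
        Select-Object Name, LogFileName, LogBlocked, LogAllowed, LogIgnored, LogMaxSizeKilobytes
}

function ConvertFrom-PfirewallLog {
    # Parses pfirewall.log text; column names come from the W3C-style '#Fields:' header line.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }   # comments, blanks, no header yet
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }  # missing trailing columns become $null
        [pscustomobject]$record
    }
}

# Constructed sample log content (not a real capture) so the parser can be exercised offline.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP TCP 192.0.2.10 10.0.0.5 51234 445 52 S 3102345 0 8192 - - - RECEIVE
2024-01-15 09:12:02 DROP TCP 192.0.2.10 10.0.0.5 51235 3389 52 S 3102346 0 8192 - - - RECEIVE
2024-01-15 09:12:05 ALLOW TCP 10.0.0.5 10.0.0.20 49700 443 0 - 0 0 0 - - - SEND
2024-01-15 09:12:09 DROP UDP 198.51.100.7 10.0.0.5 53 1900 120 - - - - - - - RECEIVE
'@ -split "`r?`n"

# Inbound drops grouped by source: the view that shows a host being probed on multiple ports.
ConvertFrom-PfirewallLog -Lines $sample |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip' |
    Select-Object @{n = 'SourceIP'; e = { $_.Name }}, Count,
                  @{n = 'DstPorts'; e = { ($_.Group.'dst-port' | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```

Set-NetFirewallProfile and Get-NetFirewallProfile come from the NetSecurity module, which ships with Windows Server 2012 and later; the parsing half runs on any PowerShell.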