Hunt around Event Viewer for the source of your PowerShell events (Applications and Services Logs / Windows PowerShell).
Filter in/out the events you require, but as a base you should be looking at:
<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*</Select>
  </Query>
</QueryList>
Usually for a managed install you would add your XPath to the log source for the server in the XPath Query box.
For an unmanaged install you're going to need to get creative and implement this via the WinCollect installer:
https://www.ibm.com/community/qradar/2019/03/14/wincollect-7-2-8-stand-alone-cmd-line-with-xpath-option/
Good luck and keep us posted.
------------------------------
JH
------------------------------
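An added example (not part of either post in this thread) for checking an XPath query against the local log with Get-WinEvent before it goes into the WinCollect XPath Query box or installer command line, so that a malformed or empty filter is caught on the workstation rather than in QRadar. It assumes the "Windows PowerShell" log named in the reply; the Event ID narrowing in the second query is an illustrative choice, not something WinCollect requires.

```powershell
# Added example, not code from the original posts: run an XPath query through
# Get-WinEvent -FilterXml and report what it would forward, per Event ID.
function Test-XPathQuery {
    param(
        [Parameter(Mandatory)][string]$QueryXml,
        [int]$MaxEvents = 200
    )
    # Fail early on malformed XML rather than discovering it in WinCollect.
    try { $doc = [xml]$QueryXml } catch { throw "Query is not well-formed XML: $_" }

    try {
        $events = Get-WinEvent -FilterXml $doc -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when the query matches nothing; treat that as an
        # empty result so the caller still gets a (blank) summary.
        if ($_.Exception.Message -match 'No events were found') { $events = @() }
        else { throw }
    }

    # Summarise what the filter would send on: count per Event ID.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{n = 'EventID'; e = { $_.Name }}, Count
}

# Baseline from the reply above: everything in the Windows PowerShell log.
$all = @"
<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*</Select>
  </Query>
</QueryList>
"@

# Narrowed variant (assumed IDs: 400/403 engine start/stop, 600 provider start)
# to show how a custom-view style filter is expressed in the same query.
$narrow = @"
<QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*[System[(EventID=400 or EventID=403 or EventID=600)]]</Select>
  </Query>
</QueryList>
"@

Test-XPathQuery -QueryXml $all
Test-XPathQuery -QueryXml $narrow
```

The same XML that returns the expected IDs here is what you paste into the XPath Query box for a managed install or pass to the stand-alone installer for an unmanaged one.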
Original Message:
Sent: Mon December 09, 2019 08:37 PM
From: Brian Robertson
Subject: Ingesting PowerShell logs
Hi All,
Has anyone managed to get PowerShell logs ingested into QRadar and parsed properly etc?
One of our customers is keen on getting these logs into the SIEM and we are trying to work through the best way to go about it.
The customer wants to set up a custom view within AD to just display the events he is interested in and is then hoping that the WinCollect agent already on the box can be configured to collect the logs matching the view. I'm not sure that it's possible to do using WinCollect (installed in unmanaged mode).
Appreciate any ideas.
Thanks
Brian
------------------------------
Brian Robertson
------------------------------