Configuring Powershell in Sentinel

This document details how to configure Windows and Sentinel to enable Powershell monitoring in Azure Sentinel. This is a 2 step process:

• Enable logging in Windows Devices
• Add Windows event logs in Azure Sentinel

Enable logging in Windows Devices

We can enable Powershell logging in the Group Policy Editor. Not all versions of Windows have this installed out of the box. To open the Group Policy Editor, click on the Windows Start and type gpedit.msc

Under “Computer Configuration” –> “Administrative Templates” –> “Windows Components” –> “Windows PowerShell”

Double click on “Turn On Module Logging”. In the window that opens, select “Enable”. Then, under Module Names, click on “Show”. Enter * as the value to enable logging for all modules.

Do the same for “Turn on Script Block Logging”.

Open Powershell and run gpupdate /force to update the new Group Policy settings.

In Event Viewer, we will now able to see Windows Powershell events (under “Application and Services Logs”).

Add Windows Event logs in Azure Sentinel

Go to the Log Analytics workspace in Azure Sentinel. Under “Agents configuration” -> “Windows event logs”, enable all logs (Error, Warning, and Information) for

• Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
• Microsoft-Windows-PowerShell/Operational
• Microsoft-Windows-PowerShell/Admin
• Windows PowerShell

Using Sentinel to detect Powershell attacks

This webpage is a good read on how to use Sentinel to detect a Powershell attack. It specifically focuses on Powershell obfuscation.