Ingest PowerShell logs
complete
Bjørn Mathisen
Is this an EDR or SIEM capability?
Nate O'Brien
marked this post as complete
PowerShell ingestion is available through the Windows Event Log collection capability of the Huntress Agent.
Nate O'Brien
Merged in a post:
PowerShell Integration
Chris Bisnett
Track PowerShell modules and scripts to identify anomalous/malicious activity
Greyson Phillips
Any updates for a 2026 rollout?
Travis
Neil Philbrook
For the Essential 8 Maturity Level 2, it appears we are required to centrally log the transcripts of PowerShell executions.
The language used in the Essential 8 Maturity Model is:
"PowerShell module logging, script block logging and transcription events are centrally logged."
And in the Process Guide it's more specifically called out:
"Within the RSoP report, look for the ‘Turn on Module Logging’, ‘Turn on PowerShell Script Block Logging’ and ‘Turn on PowerShell Transcription’ settings at ‘Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell’. They should all be enabled. In addition, module logging should ideally be configured to log all modules (i.e. ‘*’), although an organisation may tailor this setting.
Finally, determine if these event logs are being centrally stored."
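The check the Process Guide describes, as an added example that is not Huntress code or ACSC tooling: it reads the registry values that the three 'Windows Components\Windows PowerShell' policy items write on the endpoint (the effective local state, rather than the RSoP report), confirms that module logging is set to '*', and then checks that the PowerShell Operational log is actually producing module (event ID 4103) and script block (event ID 4104) records. It assumes it is run elevated on the host being assessed; treating a UNC transcript OutputDirectory as evidence of central storage is a heuristic of this script, not something the guidance states.

```powershell
# Added example (not Huntress code): audit the three Essential 8 PowerShell logging
# policy items on the local host and confirm the Operational log is producing events.
# Assumptions: run elevated; a UNC OutputDirectory is treated as "centrally stored".

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PowerShellLoggingPolicy {
    # 'Turn on Module Logging': EnableModuleLogging = 1, with the module filter stored
    # as value names under ModuleLogging\ModuleNames ('*' = log all modules).
    $moduleEnabled = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
    $moduleNames = @()
    $namesKey = Join-Path $PolicyRoot 'ModuleLogging\ModuleNames'
    if (Test-Path $namesKey) { $moduleNames = @((Get-Item $namesKey).GetValueNames()) }
    $moduleDetail = if ($moduleNames.Count -gt 0) { "Modules: $($moduleNames -join ', ')" } else { 'No module list configured' }

    # 'Turn on PowerShell Script Block Logging': EnableScriptBlockLogging = 1.
    $scriptBlockEnabled = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1

    # 'Turn on PowerShell Transcription': EnableTranscripting = 1 plus an OutputDirectory.
    $transcriptEnabled = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
    $transcriptDir = Get-PolicyValue 'Transcription' 'OutputDirectory'
    # Heuristic of this script: a UNC path means transcripts leave the host.
    $transcriptCentral = [bool]($transcriptDir -and $transcriptDir.StartsWith('\\'))

    @(
        [pscustomobject]@{ Setting = 'Turn on Module Logging'; Enabled = $moduleEnabled; Pass = ($moduleEnabled -and ($moduleNames -contains '*')); Detail = $moduleDetail }
        [pscustomobject]@{ Setting = 'Turn on PowerShell Script Block Logging'; Enabled = $scriptBlockEnabled; Pass = $scriptBlockEnabled; Detail = '' }
        [pscustomobject]@{ Setting = 'Turn on PowerShell Transcription'; Enabled = $transcriptEnabled; Pass = ($transcriptEnabled -and $transcriptCentral); Detail = "OutputDirectory: $transcriptDir" }
    )
}

function Get-RecentPowerShellLogCounts {
    param([int]$Hours = 24)
    # 4103 = module logging records, 4104 = script block text, both in the Operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103, 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating "No events were found" error when empty.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ModuleEvents4103      = @($events | Where-Object Id -eq 4103).Count
        ScriptBlockEvents4104 = @($events | Where-Object Id -eq 4104).Count
    }
}

Test-PowerShellLoggingPolicy | Format-Table -AutoSize
Get-RecentPowerShellLogCounts | Format-List
```

A policy row with Enabled true but zero matching events in the last 24 hours usually means the GPO has not refreshed on that host or the Operational log is being cleared or overwritten before collection, which is the gap the "centrally stored" step of the guide is meant to catch.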
Ruben Castello
How is that going?
Chris Bisnett
marked this post as in progress
We're working to support ingest and parsing of PowerShell logs for module loading and script block logging. This should satisfy the Essential 8 and other compliance frameworks and will give us more telemetry to identify malicious activity.
Chris Bisnett
Merged in a post:
Macro Executions
Anthony Rankine
Australian ACSC Essential 8 wants us to centrally log macro executions and PowerShell script executions. We are looking to replace Defender for Endpoint P2, which gives us the device events table in the Advanced threat hunting schema. If we replace that P2 with Defender for Business and/or Huntress we will lose that data to query.
Anything we can do here to add this to SIEM or EDR?
Thanks.