Hi all, I'll start by saying i'm a complete rookie with OSSEC, but i know what i am looking to setup:
I have sysmon on my windows agent, reporting back some good info, including powershell usage. What i'd like to do on my OSSEC server is setup an alert rule to trigger when usage of specific powershell commands is logged by sysmon, in particular "-noprofile" and "-ExecutionPolicy Unrestricted" Can anybody offer me some noobie pointers on how to go about this? Thanks -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
