Overview
Windows PowerShell is a cross-platform task automation and configuration management framework, consisting of a command-line shell and scripting language. It is built on top of the .NET Common Language Runtime (CLR). It helps IT professionals automate system administration of the Windows operating system and of applications that run on Windows.
Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response for PowerShell. Blumira supports the following Microsoft Windows server operating systems:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
- Windows Server 2012
Blumira provides broad coverage for Windows Server, including collecting logs using NXLog, Command Line Logging, DNS Debugging, and Winlogbeat.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Obtain the IP address of your Blumira sensor to use when configuring the external service.
To gather the IP address of the sensor:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Using Poshim for automated Windows setup
To complete this integration, we recommend using Blumira’s Poshim (PowerShell Shim) script, which is designed to ensure that you are collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration of NXLog and Sysmon to ship logs over syslog to a targeted IP.
Reference: See Automating Windows log collection with Poshim for instructions.
If you choose to use Poshim for this integration, nothing further is needed on this page. For manual configuration, continue reading below.
Setting up NXLog for Windows
You will need to first install and configure NXLog on the Windows host using these instructions: Integrating with Microsoft Windows Server.
Enable Windows Firewall logging using PowerShell
To reduce noise, Blumira recommends setting this up to log only traffic dropped by the firewall. Allowed traffic can also be sent, but it will drastically increase noise within your logging infrastructure and will essentially log all traffic from that host. Blumira recommends doing this only for a highly sensitive host whose traffic is not already covered by any other logging source that Blumira captures.
Recommended PowerShell Command:
Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True
If significant verbosity is required, use this command instead, which also logs allowed connections:
Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
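The two commands above apply the same settings to every firewall profile at once. The script below is an added example (not Blumira's Poshim or any other Blumira code) that applies the recommended blocked-only configuration to each profile explicitly, exposes the verbose allowed-traffic mode behind a switch, and then reads the profiles back so you can confirm that logging is actually on before pointing NXLog at the file. The function names and the -LogAllowedToo switch are my own; the cmdlets and parameters are the built-in NetSecurity ones.

```powershell
# Added example: apply Blumira's recommended firewall logging per profile and verify it.
# Run from an elevated PowerShell session on the Windows host.
function Set-BlumiraFirewallLogging {
    param(
        [string]$LogPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log',
        # Only for a highly sensitive host not covered elsewhere; logs every connection.
        [switch]$LogAllowedToo
    )
    $allowed = if ($LogAllowedToo) { 'True' } else { 'False' }
    foreach ($profileName in 'Domain', 'Private', 'Public') {
        $settings = @{
            Name        = $profileName
            LogFileName = $LogPath       # the firewall service expands %SystemRoot% itself
            LogBlocked  = 'True'         # dropped packets are the signal Blumira wants
            LogAllowed  = $allowed       # 'False' by default to keep noise down
            LogIgnored  = 'True'
        }
        Set-NetFirewallProfile @settings
    }
}

# Read the profiles back and return a list of anything that does not match expectations.
# An empty list means all three profiles are logging as intended.
function Test-BlumiraFirewallLogging {
    param([switch]$LogAllowedToo)
    $expectedAllowed = if ($LogAllowedToo) { 'True' } else { 'False' }
    $problems = @()
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            $problems += "$($p.Name): profile is disabled, so nothing will be logged"
        }
        if ($p.LogBlocked -ne 'True') {
            $problems += "$($p.Name): LogBlocked is $($p.LogBlocked), expected True"
        }
        if ($p.LogAllowed -ne $expectedAllowed) {
            $problems += "$($p.Name): LogAllowed is $($p.LogAllowed), expected $expectedAllowed"
        }
        $resolved = [Environment]::ExpandEnvironmentVariables($p.LogFileName)
        if (-not (Test-Path -LiteralPath $resolved)) {
            $problems += "$($p.Name): log file $resolved not present yet (check NXLog path once it appears)"
        }
    }
    return $problems
}

Set-BlumiraFirewallLogging
Test-BlumiraFirewallLogging
```

Pass -LogAllowedToo to both functions when you deliberately want the verbose mode; the check will then flag any profile still set to LogAllowed False.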