SIEM, Log Management, Security, Compliance, Server Monitoring and Uptime Monitoring Software
Table of Contents

PowerShell Actions

PowerShell Actions enable you to execute specific commands and scripts in response to an event. This action is typically used as an Intrusion Prevention System (IPS) by network administrators in response to Intrusion Detection System (IDS) events such as DoS and Phishing attacks.

Note
  • Use this Action in conjunction with an Intrusion Detection System (IDS) Template (e.g. IIS W3C Log Monitor or IIS W3C Log Consolidation configured to simultaneously monitor the file contents).
  • Use the sample Add Windows Firewall Rule to automatically block DoS and Phishing attacks on your IIS or other web servers. Once the Add Windows Firewall Rule Action is assigned to the IDS Template, the result is an Intrusion Prevention System (IPS) Action.

Automatically Add Windows Firewall Rules When DoS and Phishing Attacks are Detected Tutorial

In this Topic

To create a PowerShell Action

  • From the Menu Bar select File | New. The Create New Object View displays.
  • Select Alerts and Actions. The New Action view displays.
  • Use the Name text box to specify a unique name.
  • From the Type drop-down select PowerShell.
  • Use the Windows server or workstation drop-down to target the managed server.
Important
This action requires the Agent to be installed on each managed system and each assigned Template configured to use the Agent. For more information see: Agents
  • Use the Type drop-down to select to either run individual commands with dynamically set parameter values or run static scripts.

To create a PowerShell Command Action

  • Use the Module drop-down to select from the list of available modules. Click the help button to view Microsoft's corresponding PowerShell documentation.
  • Use the Command drop-down to select from the list of available module commands. Click the help button to view Microsoft's corresponding PowerShell documentation.
  • Use the Parameters drop-down to set the command's parameter values.
Note
Use variable placeholders, keys wrapped with curly brackets {KEY}, to replace with extracted values.
For example: {c-ip} or {TARGET_ACCOUNT_NAME}
Sample Intrusion Prevention System (IPS) - Add Windows Firewall Rule Action
Sample Intrusion Prevention System (IPS) - Add Windows Firewall Rule Action

To create a PowerShell Script Action

  • Use the Filename drop-down to select the local script to run.
Important
When managing a remote machine, the script is uploaded to the Agent, then, executed locally on the remote machine.
  • Use the Arguments text box to specify the PowerShell command-line parameters.
    For example: -ExecutionPolicy Unrestricted

Testing the PowerShell Action

  • Use the Select server or workstation drop-down to specify the managed system to test the action on.
  • When testing a Command Type, temporarily change any variable placeholders with test values.
  • Click the Test button.
Important
When managing a remote machine, the commands and scripts are uploaded to the Agent, then, executed locally through the Agent on the managed machine. If the managed machine is configured to keep the Agent connected, the test is immediate, otherwise the test is queued to execute the next time the Agent connects. If the Agent is configured to connect at a frequency greater than once a minute, the test may timeout, however, the action will still be executed the next time the Agent connects.

Related Topics

Actions

Agents