Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Query for when PowerShell execution policy is set to Bypass

WinRegistry

Description

Submitted by rsanchez

0 0 
index="windows" sourcetype=WinRegistry key_path="HKLM\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy"
| table _time, host, registry_type, registry_value_data, registry_value_name
| rename host as Host, registry_type as Action, registry_value_data as "Registry Value", registry_value_name as "Registry Value Name"

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom