From d3e22053f737883b0c8c42224967e976bb988863 Mon Sep 17 00:00:00 2001
From: Ahmed Shawky
Date: Mon, 17 May 2021 15:19:06 +0400
Subject: [PATCH] Include powershell module logging
---
 Vagrant/scripts/install-winlogbeat.ps1 | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/Vagrant/scripts/install-winlogbeat.ps1 b/Vagrant/scripts/install-winlogbeat.ps1
index 00b2e23..1759b06 100644
--- a/Vagrant/scripts/install-winlogbeat.ps1
+++ b/Vagrant/scripts/install-winlogbeat.ps1
@@ -67,6 +67,22 @@ winlogbeat.event_logs:
 - name: WEC7-Active-Directory
 - name: WEC7-Privilege-Use
 - name: WEC7-Terminal-Services
+
+ - name: Windows PowerShell
+ event_id: 400, 403, 600, 800
+ processors:
+ - script:
+ lang: javascript
+ id: powershell
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
+
+ - name: Microsoft-Windows-PowerShell/Operational
+ event_id: 4103, 4104, 4105, 4106
+ processors:
+ - script:
+ lang: javascript
+ id: powershell-operational
+ file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
 setup.kibana:
 host: "192.168.38.105:5601"
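Review bot: The `${path.home}` reference in both added `file:` lines is only safe if the surrounding config is a literal PowerShell here-string; the here-string opener is outside this hunk, and in an expandable (`@"`) here-string PowerShell would read `${path.home}` as a variable and substitute an empty value, leaving Winlogbeat with the path `/module/powershell/config/winlogbeat-powershell.js`. A script processor that cannot load its file would presumably keep Winlogbeat from starting, so the host would ship no events at all rather than only missing the PowerShell ones. If the here-string is expandable, escape the `$` with a PowerShell backtick on both lines, or build the config from a `@'`…`'@` literal here-string. Separately, events 800 and 4103–4106 are largely produced only when module logging and script block logging are enabled on the endpoint, so a comment such as `# requires PowerShell module + script block logging policy` above the two entries would tell the next reader why these channels can be empty.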