gwsales

Results 12 comments of gwsales

This will get you xml, not sure if it would be easier to pass into a parser or if it adds any additional load. `sudo praudit -x -l /dev/auditpipe`

@andrewkroh can you get this one reopened or maybe assigned to a team?

Example of why this is needed: https://twitter.com/GrantWSales/status/1291743466523889666 (linked tweet: "@dms1899 For this specific sample, the best option for host detection is PS:800. Look for param3 starting with 'CommandInvocation(Get-Item)' where...")

I agree with @PaulHigin that it looks like 4103 was supposed to replace 800, however PowerShell v5 still logs both with module logging enabled. The big difference between 800 and...

Created a few samples. Legacy 400 (No corresponding 4XXX event code that logs startup with context info):

```xml
400 0 4 4 0 0x80000000000000 19443 Windows PowerShell DESKTOP-RIPCLIP Available None...
```

Does adding a milestone mean this could be pulled in for that release?

Is there any way to add comments here when this is considered and skipped or accepted? There doesn't seem to be any progress on this issue since September and I...

Please get this into a future update. We need to enable logging for this in the 4103 events or restore the older PS:800 event code logging. This was skipped or...

* Authentication
* Process Execution / Process Creation
* Network Connections
* File Reads and Writes
* System Changes

Would be nice to add some advanced things as well like...

@elastic/siem Has there been any progress here? Elastic has solid coverage on Windows and Linux, but really seemed to just skip over anything macOS. Would be great to see some...