PowerShell Protect
PowerShell Protect integration for PowerShell Universal.
Last updated
PowerShell Protect integration for PowerShell Universal.
Last updated
PowerShell Protect is a feature of PowerShell Pro Tools. It allows you to audit and block PowerShell scripts and PowerShell command lines that are executed on your machine. You can deploy the client piece and then configure it using PowerShell Universal. PowerShell Universal can also be used as a collection mechanism for events generated by PowerShell Protect. Additionally, PowerShell Universal can trigger scripts when certain rules are triggered.
You can access PowerShell Protect tooling by navigating to Security \ Protect.
PowerShell Protect is configured via XML. PowerShell Universal can be used to create this XML. Navigate to the PowerShell Protect page and then click Configurations. Click Create New Configuration and name the configuration you are creating.
Default rules are configured that will block certain behaviors without additional configuration. You can choose to disable any rules you may not desire to enforce.
Actions are the result of custom rules triggering based on scripts being run. You can take actions such as blocking the script, sending the event to the event log or sending the event to PowerShell Universal.
Depending on the action selected, you will need to include additional settings. For example, to integrate with PowerShell Universal, you will need to define the HTTP address of the PSU server and an app token used to authenticate against PSU.
Custom rules can be defined to match features of a script being run. For example, you can match the user, script content, variables and domain being used to run a script. If the custom rule matches, you can then execute one or more rules that you have defined.
PowerShell Protect requires a PowerShell Pro Tools license for each user that will have the client installed. You can include the license information on the license tab. It will be included as part of the configuration file.
Once you have completed your configuration, you can navigate back to the Configurations page and download the XML.
You can learn how to install PowerShell Protect configurations here.
When you configure a rule to use the Universal action, events will be populated within the Events tab of PowerShell Universal.
When you configure a rule to use the Universal action, events can also trigger scripts. From the Automation \ Triggers page, create a new trigger and set the Event to PowerShell Protect Event. Then, you can choose to filter down which rule causes the trigger to fire.
The $ProtectEvent parameter will be passed to your script. This object contains the following properties.
Rule
String
The name of the rule that trigger this script.
Script
String
The content of the script executed.
ContentPath
String
The script path. If run from the command line, this will be null.
ApplicationName
String
An application name identifier. This may include the application version.
UserName
String
The user that ran the script.
ComputerName
String
The computer name of where the script ran.
Administrator
Boolean
Whether or not the user had admin access while running the script.
DomainName
String
The domain name of where the script was run.
Timestamp
DateTime
When the script was run.
