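# Generate-Sysmon-config.ps1
#
# Moves any existing sysmonconfig.xml aside to a timestamped backup, then merges every
# other *.xml fragment found beneath the current directory into a fresh sysmonconfig.xml,
# using baseconfig.xml as the reference policy.
#
# Requirements:
#   - Run from the sysmon-modular checkout root; every path below is relative to the CWD.
#   - PSSysmonTools must be imported so that Merge-SysmonXMLConfiguration is available.
#
# Note!
# The following error is expected, since the sysmonconfig.xml is empty at the time of checking by the script
# Merge-SysmonXMLConfiguration : The schema version of C:\sysmon-modular\sysmonconfig.xml () does not match that of the reference configuration: C:\sysmon-modular\baseconfig.xml (4.10) At line:1
#
# Because the merge recurses through the whole tree, every *.xml file under it (other than
# the generated output and its backups, filtered out below) becomes part of the Sysmon
# policy that gets deployed. Review the set of fragments before generating from a tree
# whose contents you have not vetted.
#
## Import "PSSysmonTools"
## Import-Module .\PSSysmonTools.psm1

# Timestamp used in the backup file name (minute granularity).
$now = Get-Date -Format "dd-MMM-yyyy-HH-mm"

If ((Test-Path .\sysmonconfig.xml)) {
    Write-Host "Existing sysmonconfig found, backing up."
    # -Force overwrites a backup produced within the same minute.
    Move-Item .\sysmonconfig.xml -Destination sysmonconfig-$now.xml -Force
} Else {
    Write-Host "No config found."
}

## Filter Output and Backup Files
# File names excluded from the merge (the generated output and its timestamped backups):
#   sysmonconfig.xml
#   sysmonconfig-16-Nov-2018-09-21.xml   (sysmonconfig-\d{2}-\w{3}-\d{4}-\d{2}-\d{2}.xml)
# The dot before "xml" is escaped so it matches a literal '.', and the pattern is anchored so
# only these exact names are skipped rather than any name that merely contains them.
$excludePattern = '^sysmonconfig(?:-\d{2}-\w{3}-\d{4}-\d{2}-\d{2})?\.xml$'

Write-Host "Generating new configuration..."
# Errors from unreadable directories are deliberately silenced (SilentlyContinue) so one
# bad subtree does not abort the merge.
Get-ChildItem -Path . -Filter *.xml -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -NotMatch $excludePattern } |
    Merge-SysmonXMLConfiguration -ReferencePolicyPath .\baseconfig.xml -ExcludeMergeComments |
    Out-File sysmonconfig.xml -Encoding UTF8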