Initial update to support 4.1 schema

Author: darkoperator

Functions/Get-SysmonRuleFilter.ps1

@@ -37,7 +37,7 @@ function Get-SysmonRuleFilter {
             'ProcessTerminate', 'ImageLoad', 'DriverLoad',
             'CreateRemoteThread','RawAccessRead', 'ProcessAccess',
             'FileCreateStreamHash', 'RegistryEvent', 'FileCreate',
-            'PipeEvent', 'WmiEvent')]
+            'PipeEvent', 'WmiEvent','RuleName')]
         [string]
         $EventType,
 

Functions/New-SysmonConfiguration.ps1

@@ -130,12 +130,12 @@ function New-SysmonConfiguration
         [String]
         $Comment,
 
-        # Schema Vesion for the configuration file, default is 3.3.
+        # Schema Vesion for the configuration file, default is 4.1.
         [Parameter(Mandatory=$False,
                    ValueFromPipelineByPropertyName=$true)]
-                   [ValidateSet('4.0','3.4')]
+                   [ValidateSet('4.0','4.1')]
         [string]
-        $SchemaVersion = '4.0'
+        $SchemaVersion = '4.1'
     )
 
     Begin{}

Functions/New-SysmonCreateRemoteThreadFilter.ps1

@@ -50,7 +50,13 @@ function New-SysmonCreateRemoteThreadFilter {
             ValueFromPipelineByPropertyName=$true,
             Position=4)]
         [string[]]
-        $Value
+        $Value,
+
+        # Rule Name for the filter.
+        [Parameter(Mandatory=$false,
+            ValueFromPipelineByPropertyName=$true)]
+        [string]
+        $RuleName
     )
 
     Begin { }
@@ -64,6 +70,11 @@ function New-SysmonCreateRemoteThreadFilter {
             'OnMatch' = $OnMatch
 
         }
+
+        if($RuleName) {
+            $cmdoptions.Add('RuleName',$RuleName)
+        }
+        
         switch($psCmdlet.ParameterSetName) {
             'Path' {
                 $cmdOptions.Add('Path',$Path)

Functions/New-SysmonDriverLoadFilter.ps1

@@ -51,7 +51,13 @@ function New-SysmonDriverLoadFilter {
             ValueFromPipelineByPropertyName=$true,
             Position=4)]
         [string[]]
-        $Value
+        $Value,
+
+        # Rule Name for the filter.
+        [Parameter(Mandatory=$false,
+            ValueFromPipelineByPropertyName=$true)]
+        [string]
+        $RuleName
     )
 
     Begin {}
@@ -66,6 +72,10 @@ function New-SysmonDriverLoadFilter {
 
         }
 
+        if($RuleName) {
+            $cmdoptions.Add('RuleName',$RuleName)
+        }
+
         switch($psCmdlet.ParameterSetName) {
             'Path' {
                 $cmdOptions.Add('Path',$Path)

Functions/New-SysmonFileCreateFilter.ps1

@@ -52,23 +52,41 @@ function New-SysmonFileCreateFilter {
             ValueFromPipelineByPropertyName=$true,
             Position=4)]
         [string[]]
-        $Value
+        $Value,
+
+        # Rule Name for the filter.
+        [Parameter(Mandatory=$false,
+            ValueFromPipelineByPropertyName=$true)]
+        [string]
+        $RuleName
     )
 
     Begin {}
     Process {
         $FieldString = $MyInvocation.MyCommand.Module.PrivateData[$EventField]
+        $cmdoptions = @{
+            'EventType' =  'FileCreateStreamHash'
+            'Condition' = $Condition
+            'EventField' = $FieldString
+            'Value' = $Value
+            'OnMatch' = $OnMatch
+        }
 
-        switch($psCmdlet.ParameterSetName) {
+        if($RuleName) {
+            $cmdoptions.Add('RuleName',$RuleName)
+        }
+
+        switch ($PSCmdlet.ParameterSetName) {
             'Path' {
-                New-RuleFilter -Path $Path -EventType FileCreateTime -Condition $Condition -EventField $FieldString -Value $Value -OnMatch $OnMatch
+                $cmdOptions.Add('Path',$Path)
+                New-RuleFilter @cmdOptions
             }
 
             'LiteralPath' {
-                New-RuleFilter -LiteralPath $LiteralPath -EventType FileCreateTime -Condition $Condition -EventField $FieldString -Value $Value -OnMatch $OnMatch
+                $cmdOptions.Add('LiteralPath',$LiteralPath)
+                New-RuleFilter @cmdOptions
             }
         }
-
     }
     End {}
 }

Functions/New-SysmonFileCreateStreamHashFilter.ps1

@@ -56,7 +56,13 @@ function New-SysmonFileCreateStreamHashFilter {
             ValueFromPipelineByPropertyName=$true,
             Position=4)]
         [string[]]
-        $Value
+        $Value,
+
+        # Rule Name for the filter.
+        [Parameter(Mandatory=$false,
+            ValueFromPipelineByPropertyName=$true)]
+        [string]
+        $RuleName
     )
 
     Begin {}
@@ -70,6 +76,10 @@ function New-SysmonFileCreateStreamHashFilter {
             'OnMatch' = $OnMatch
         }
 
+        if($RuleName) {
+            $cmdoptions.Add('RuleName',$RuleName)
+        }
+
         switch ($PSCmdlet.ParameterSetName) {
             'Path' {
                 $cmdOptions.Add('Path',$Path)

Functions/New-SysmonImageLoadFilter.ps1

@@ -53,7 +53,13 @@ function New-SysmonImageLoadFilter {
             ValueFromPipelineByPropertyName=$true,
             Position=4)]
         [string[]]
-        $Value
+        $Value,
+
+        # Rule Name for the filter.
+        [Parameter(Mandatory=$false,
+            ValueFromPipelineByPropertyName=$true)]
+        [string]
+        $RuleName
     )
 
     Begin {}
@@ -86,6 +92,11 @@ function New-SysmonImageLoadFilter {
             'OnMatch' = $OnMatch
 
         }
+
+        if($RuleName) {
+            $cmdoptions.Add('RuleName',$RuleName)
+        }
+
         switch($psCmdlet.ParameterSetName)
         {
             'Path'

Functions/New-SysmonNetworkConnectFilter.ps1

@@ -56,7 +56,13 @@ function New-SysmonNetworkConnectFilter
             ValueFromPipelineByPropertyName=$true,
             Position=4)]
         [string[]]
-        $Value
+        $Value,
+
+        # Rule Name for the filter.
+        [Parameter(Mandatory=$false,
+            ValueFromPipelineByPropertyName=$true)]
+        [string]
+        $RuleName
     )
 
     Begin {}
@@ -71,6 +77,10 @@ function New-SysmonNetworkConnectFilter
 
         }
 
+        if($RuleName) {
+            $cmdoptions.Add('RuleName',$RuleName)
+        }
+
         switch($psCmdlet.ParameterSetName) {
             'Path' {
                 $cmdOptions.Add('Path',$Path)

Functions/New-SysmonPipeFilter.ps1

@@ -57,7 +57,13 @@ function New-SysmonPipeFilter {
             ValueFromPipelineByPropertyName=$true,
             Position=4)]
         [string[]]
-        $Value
+        $Value,
+
+        # Rule Name for the filter.
+        [Parameter(Mandatory=$false,
+            ValueFromPipelineByPropertyName=$true)]
+        [string]
+        $RuleName
     )
 
     Begin {}
@@ -71,6 +77,11 @@ function New-SysmonPipeFilter {
             'OnMatch' = $OnMatch
 
         }
+
+        if($RuleName) {
+            $cmdoptions.Add('RuleName',$RuleName)
+        }
+        
         switch ($PSCmdlet.ParameterSetName) {
             'Path' {
                 $cmdOptions.Add('Path',$Path)

Functions/New-SysmonProcessAccessFilter.ps1

@@ -61,7 +61,13 @@ function New-SysmonProcessAccessFilter {
             ValueFromPipelineByPropertyName=$true,
             Position=4)]
         [string[]]
-        $Value
+        $Value,
+
+        # Rule Name for the filter.
+        [Parameter(Mandatory=$false,
+            ValueFromPipelineByPropertyName=$true)]
+        [string]
+        $RuleName
     )
 
     Begin {}
@@ -75,6 +81,11 @@ function New-SysmonProcessAccessFilter {
             'OnMatch' = $OnMatch
 
         }
+
+        if($RuleName) {
+            $cmdoptions.Add('RuleName',$RuleName)
+        }
+
         switch ($PSCmdlet.ParameterSetName) {
             'Path' {
                 $cmdOptions.Add('Path',$Path)