Hey scott.driver, you can use GPO to set up a policy to log PowerShell events (see "Configure PowerShell logging to see PowerShell anomalies in Splunk UBA" in the Splunk Documentation), and install Sysmon on the hosts (Sysmon - Windows Sysinternals | Microsoft Docs). For the Sysmon install you could use GPO or PowerShell; I did it manually because I didn't have that many hosts. After those are running, install the LEM agent on each host and add a new connector in LEM. You should have everything working at that point. Did that answer your question, Scott?
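As an added example (not code from this thread, Splunk, SolarWinds LEM or Sysinternals), here is one way to apply the same PowerShell logging settings the GPO pushes, install Sysmon, and then verify on the host that both log channels are actually producing events before you point the LEM agent at them. It assumes an elevated session and that `Sysmon64.exe` plus a `sysmonconfig.xml` sit in a placeholder folder `C:\Tools\Sysmon`; the LEM agent install is product-specific and not shown.

```powershell
# Added example: local equivalent of the PowerShell logging GPO + Sysmon install + a check.
# Assumptions: run as Administrator; Sysmon64.exe and sysmonconfig.xml in C:\Tools\Sysmon (placeholder).
$ErrorActionPreference = 'Stop'

# 1. PowerShell logging: these are the registry values behind the
#    "Turn on PowerShell Script Block Logging" and "Turn on Module Logging" policies
#    (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell).
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# 2. Sysmon: fresh install, or just reload the config if the service already exists.
$sysmonDir = 'C:\Tools\Sysmon'            # placeholder path
$sysmonExe = Join-Path $sysmonDir 'Sysmon64.exe'
$sysmonCfg = Join-Path $sysmonDir 'sysmonconfig.xml'
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $sysmonExe -accepteula -c $sysmonCfg   # update configuration only
} else {
    & $sysmonExe -accepteula -i $sysmonCfg   # install driver + service with this config
}

# 3. Verify: both channels should exist, be enabled, and yield events
#    (PowerShell 4104 = script block text, Sysmon 1 = process creation).
function Test-EndpointLogging {
    $result = [ordered]@{}
    $channels = 'Microsoft-Windows-PowerShell/Operational', 'Microsoft-Windows-Sysmon/Operational'
    foreach ($ch in $channels) {
        $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
        $result["$ch enabled"] = [bool]($log -and $log.IsEnabled)
    }
    # Spawn one child PowerShell so a fresh 4104 and a Sysmon process-create event exist to find.
    powershell.exe -NoProfile -Command 'Write-Output "logging-check"' | Out-Null
    $ps4104 = Get-WinEvent -FilterHashtable @{ LogName = $channels[0]; Id = 4104 } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
    $sysmon1 = Get-WinEvent -FilterHashtable @{ LogName = $channels[1]; Id = 1 } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue
    $result['PowerShell 4104 seen'] = $null -ne $ps4104
    $result['Sysmon 1 seen']        = $null -ne $sysmon1
    return [pscustomobject]$result
}

Test-EndpointLogging | Format-List
```

If any line of the output reads False, fix it on the host before adding the LEM connector, since the connector can only forward what the Windows event log already holds.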