PowerShell Executions Report
In IT environments, the PowerShell scripting tool is often used to automate tasks and manage systems. Though this tool is flexible, it is also a frequent target of abuse, exploited to execute malicious scripts. Administrators are often required to generate PowerShell script execution reports to maintain visibility, control, and accountability over the automated tasks and system configurations within their environment. These reports help administrators track when scripts were run and whether they were executed successfully or encountered errors. This information is crucial for troubleshooting, auditing, and compliance purposes. The PowerShell Executions report offered by eG Enterprise helps administrators generate a detailed report that pinpoints inefficiencies or misconfigurations, allowing administrators to proactively address script execution issues and optimize system performance.
To generate the report, do the following:
- Select the PowerShell Executions option by following the menu sequence: REPORTS BY FUNCTION -> Domain-specific Reports -> Security and Compliance.
- Figure 1 then appears. In Figure 1, select a criterion for analysis from the Analyze By list box.
Figure 1 : Specifying the criteria for generating the PowerShell Executions report
- Using this report, you can analyze the PowerShell Executions on one/more managed components, or those that are part of a zone, service or segment. The options provided by the Analyze By list box are discussed hereunder:
- Component: Select this option to choose the component(s) from across all the managed components in the environment.
- Zone: To generate a report for one/more components that are included in a zone, pick the Zone option. A Zone drop-down list will then appear, from which you would have to select the zone to which the components of interest to you belong. A Sub zone flag also appears. Indicate whether the components present within the sub-zones of the chosen zone are also to be considered for report generation, by setting the Sub zone flag to Yes.
- Segment: If you want to generate a report for one/more chosen components that belong to a segment, select the Segment option from Analyze By list box, and then pick the Segment from the drop-down list that appears.
- Service: If you want to generate a report for one/more components involved in the delivery of a service, select the Service option from Analyze By, and then pick the required Service from the drop-down list that appears.
- Next, from the Component Type list, pick the component type for which the report is to be generated.
- The Components list will now be populated with all the components that are managed in your environment for the chosen component type. If the Components list consists of too many components, then viewing all the components and selecting the ones you need for report generation could require endless scrolling. To avoid this, you can click the button next to the Components list. A Components pop-up window will then appear, using which you can view almost all the components in a single interface and select the ones to be included in this report.
- Then, specify the Timeline for generating this report. You can either provide a fixed timeline such as 1 hour, 2 days, etc., or select the Any option from the list to provide a From and To date/time for report generation.
Note:
For every user registered with the eG Enterprise, the administrator can indicate the maximum timeline for which that user can generate a report. Once the maximum timeline is set for a user, then, whenever that user logs into eG Reporter and attempts to generate a report, the Timeline list box in the report page will display options according to the maximum timeline setting of that user. For instance, if a user can generate a report for a maximum period of 3 days only, then 3 days will be the highest option displayed in the Timeline list - i.e., 3 days will be the last option in the fixed Timeline list. Similarly, if the user chooses the Any option from the Timeline list and proceeds to provide a start date and end date for report generation using the From and To specifications, eG Enterprise will first check if the user's Timeline specification conforms to his/her maximum timeline setting. If not, report generation will fail. For instance, for a user who is allowed to generate reports spanning over a maximum period of 3 days only, the difference between the From and To dates should never be over 3 days. If it is, then, upon clicking the Run Report button a message box will appear, prompting the user to change the From and To specification.
- In addition to the settings discussed above, this report comes with a set of default specifications. These settings are hidden by default. If you do not want to disturb these default settings, then you can proceed to generate the report by clicking the Run Report button soon after you pick one/more components for report generation. However, if you want to view and then alter these settings (if required), click on the icon. The default settings will then appear in the More Options drop-down window (see Figure 2). The steps below discuss each of these settings and how they can be customized.
- If you wish to generate a detailed report with each PowerShell script executed on the target server and the count of executions based on the policies, then choose Yes from the Show Details list. This will ensure that the PowerShell Script Execution Details section in the generated report displays a drop-down for every server with the list of PowerShell scripts executed and the count of executions based on policies. By default, No is chosen from this list.
- By default, the Show Script Full Path list is set to Yes, indicating that the graphs in the generated report will display the full path of the PowerShell scripts executed on the servers for which the report is being generated. If you wish the graphs to display the name of the PowerShell script alone in the generated report, then pick No from this list.
- Next, indicate the report Time period.
Note:
By default, the Time period is set to 24 hours. Accordingly, the From and To parameters in the [timeframe] section of the eg_report.ini file (in the <eg_install_dir>\manager\config directory) are set to 00:00 and 24:00 respectively. If need be, you can override this default setting by configuring a different timeframe against the From and/or To parameters.
- In large environments, reports generated using months of data can take a long time to complete. Administrators now have the option of generating reports on-line or in the background. When a report is scheduled for background generation, administrators can proceed with their other monitoring, diagnosis, and reporting tasks, while the eG manager is processing the report. This saves the administrator valuable time. To schedule background processing of a report, you can either select the Background Save - PDF option or the Background Save - CSV option from the Report Generation list. To process reports in the foreground, select the Foreground Generation - HTML option from this list.
Note:
- The Report Generation list will appear only if the EnableBackgroundReport flag in the [BACKGROUND_PROCESS] section of the eg_report.ini file (in the <EG_INSTALL_DIR>\manager\config directory) is set to Yes.
- The default selection in the Report Generation list will change according to the Timeline specified for the report. If the Timeline set is greater than or equal to the number of days specified against the MinDurationForReport parameter in the [BACKGROUND_PROCESS] section of the eg_report.ini file, then the default selection in the Report Generation list will be Background Save - PDF. On the other hand, if the Timeline set for the report is less than the value of the MinDurationForReport parameter, then the default selection in the Report Generation list will be Foreground. This is because the MinDurationForReport setting governs when reports are to be processed in the background. By default, this parameter is set to 2 weeks - this indicates that by default, reports with a timeline of 2 weeks and above will be processed in the background.
- Click the Done button once you have made changes to the More Options drop down window.
- Finally, click the Run Report button to generate the report.
- If the Report Generation is Foreground Generation - HTML, then Figure 3 will appear as soon as you click the Run Report button.
Figure 3 : The generated PowerShell Executions report
The generated report (see Figure 3) displays the following sections:
- The Summary section of the generated report (see Figure 3) displays at a single glance the total count of PowerShell Executions on the chosen servers over a period of time, the count of unique scripts that were executed and the count of executions based on policy (Unrestricted, Bypassed, RemoteSigned and Unsigned) over a chosen period of time.
- The PowerShell Execution section (see Figure 3) reveals a Daywise PowerShell Execution bar graph that details the distribution of PowerShell script executions based on different policies for each day over the chosen period of time. Using this graph, administrators can instantly figure out exactly when (day/time) the maximum number of PowerShell scripts were executed and which type of execution occurred the most over a period of time.
- Next is a series of graphs (see Figure 4) that displays the top servers with PowerShell executions, the top 10 PowerShell scripts based on executions, the top 10 PowerShell scripts with RemoteSigned executions, the top 10 PowerShell scripts with Unrestricted executions, the top 10 PowerShell scripts with Bypass executions and the top 10 PowerShell scripts with Unsigned executions over a period of time. Using these graphs, administrators can figure out the server on which the maximum number of PowerShell scripts were executed over the chosen period of time, the PowerShell script that was executed the maximum number of times, and the maximum number of times a PowerShell script was executed based on the policy type over a chosen period of time.
Figure 4 : A series of graphs displayed in the generated report
- The Unsigned Script Details section (see Figure 5) reveals the name of each script, the server on which each script was executed and the number of times each script was executed. This section will reveal the exact PowerShell script that was executed the maximum number of times as an Unsigned script.
Figure 5 : The PowerShell Execution Details table in the generated report
- The PowerShell Script Execution Details section (see Figure 5) reveals a detailed table that displays the name of each server, the count of unique PowerShell scripts that were executed on the server and the number of executions based on RemoteSigned, Unrestricted and Bypass policies over a chosen period of time.
- If the Show Details flag is set to Yes and the Report Generation is chosen as Foreground Generation - HTML, then a right arrow button will appear before each server; clicking it reveals a table as shown in Figure 6.
Figure 6 : The list of scripts executed on each server
The table in Figure 6 reveals all the PowerShell scripts that were executed on the server and the number of times each script was executed based on the policies.
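The report sections above are aggregations over individual script executions. As an added example (not eG Enterprise code), the following Python computes the same figures from constructed execution records: the Summary counts per policy category as the report labels them, the daywise distribution, the top-N scripts per policy with the Show Script Full Path toggle, the Unsigned Script Details rows and the per-server Script Execution Details table. The record layout and the sample data are assumptions made for this example.

```python
import ntpath                      # basename() that understands Windows paths
from collections import Counter, defaultdict

# Constructed sample records (not eG Enterprise data), one per script run:
# (server, script path, policy category as the report labels it, "YYYY-MM-DD HH:MM")
EXECUTIONS = [
    ("web01", r"C:\ops\backup.ps1", "RemoteSigned", "2024-05-01 02:10"),
    ("web01", r"C:\ops\backup.ps1", "RemoteSigned", "2024-05-02 02:10"),
    ("web01", r"C:\tmp\inv.ps1",    "Bypass",       "2024-05-02 13:05"),
    ("web02", r"C:\ops\backup.ps1", "RemoteSigned", "2024-05-01 02:12"),
    ("web02", r"C:\tmp\dump.ps1",   "Unsigned",     "2024-05-02 13:07"),
    ("web02", r"C:\tmp\dump.ps1",   "Unsigned",     "2024-05-02 13:09"),
    ("db01",  r"C:\tmp\dump.ps1",   "Unsigned",     "2024-05-02 13:11"),
    ("db01",  r"C:\ops\patch.ps1",  "Unrestricted", "2024-05-03 09:00"),
]
POLICIES = ("Unrestricted", "Bypass", "RemoteSigned", "Unsigned")

def summary(records):
    """Summary section: total executions, unique scripts, executions per policy."""
    by_policy = Counter(r[2] for r in records)
    return {"total": len(records), "unique_scripts": len({r[1] for r in records}),
            "by_policy": {p: by_policy.get(p, 0) for p in POLICIES}}

def daywise(records):
    """Daywise PowerShell Execution graph: {day: {policy: count}}, days sorted."""
    out = defaultdict(Counter)
    for _, _, policy, ts in records:
        out[ts[:10]][policy] += 1      # day is the "YYYY-MM-DD" prefix of the timestamp
    return {day: dict(c) for day, c in sorted(out.items())}

def top_scripts(records, n=10, policy=None, full_path=True):
    """Top-N scripts by executions; full_path=False mirrors Show Script Full Path = No."""
    counts = Counter(r[1] if full_path else ntpath.basename(r[1])
                     for r in records if policy is None or r[2] == policy)
    return counts.most_common(n)

def unsigned_script_details(records):
    """Unsigned Script Details table: (script, server, executions), busiest first."""
    counts = Counter((r[1], r[0]) for r in records if r[2] == "Unsigned")
    return [(script, server, c) for (script, server), c in counts.most_common()]

def server_details(records):
    """Script Execution Details table: per server, unique scripts and per-policy counts."""
    scripts, counts = defaultdict(set), defaultdict(Counter)
    for server, script, policy, _ in records:
        scripts[server].add(script)
        counts[server][policy] += 1
    return {s: {"unique_scripts": len(scripts[s]), **{p: counts[s][p] for p in POLICIES}}
            for s in scripts}
```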