whizgogl.blogg.se

PowerShell script to monitor folder for new files

This article is part of the series "Practical PowerShell for IT Security".

  • Part IV: Security Scripting Platform (SSP).
  • Part V: Security Scripting Platform Gets a Makeover

Back when I was writing the ultimate penetration testing series to help humankind deal with hackers, I came across some interesting PowerShell cmdlets and techniques. I made the remarkable discovery that PowerShell is a security tool in its own right. Sounds to me like it’s the right time to start another series of PowerShell posts.

We’ll take the view in these posts that while PowerShell won’t replace purpose-built security platforms - Varonis can breathe easier now - it will help IT staff monitor for threats and perform other security functions. And also give IT folks an appreciation of the miracles that are accomplished by real security platforms, like our own Metadata Framework. PowerShell can do interesting security work on a small scale, but it is in no way equipped to take on an entire infrastructure.

I'd recommend this for both new and advanced PowerShell users. Building an AD tool is a great learning experience.

To begin, let’s explore using PowerShell as a system monitoring tool to watch files, processes, and users.

Before you start cursing into your browsers, I’m well aware that any operating system command language can be used to monitor system-level happenings. A junior IT admin can quickly put together, say, a Linux shell script to poll a directory to see if a file has been updated or retrieve a list of running processes to learn if a non-standard process has popped up.

PowerShell instead gives you direct event-driven monitoring based on the operating system’s access to low-level changes. It’s the equivalent of getting a push notification on a news web page alerting you to a breaking story rather than having to manually refresh the page.

In this scenario, you’re not in an endless PowerShell loop, burning up CPU cycles, but instead the script is only notified or activated when the event - a file is modified or a new user logs in - actually occurs. It’s a far more efficient way to do security monitoring than by brute-force polling.

Further down below, I’ll explain how this is accomplished.

But first, anyone who’s ever taken, as I have, a basic “Operating Systems for Poets” course knows that there’s a demarcation between user-level and system-level processes.

The operating system, whether Linux or Windows, does the low-level handling of device actions - anything from disk reads, to packets being received - and hides this from garden variety apps that we run from our desktop.

So if you launch your favorite word processing app and view the first page of a document, the whole operation appears as a smooth, synchronous activity.
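One way to get the event-driven folder monitoring described above, as an added example that is not code from the original article: it uses .NET's `System.IO.FileSystemWatcher` with `Register-ObjectEvent`, so the action block runs only when the OS reports a new file. The function name `Start-NewFileMonitor`, the CSV log format and the scratch paths are assumptions made for illustration.

```powershell
# Added example: event-driven new-file monitor. All names and paths are illustrative.
function Start-NewFileMonitor {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$LogFile,
          [string]$SourceId = 'NewFileMonitor')

    $watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $Path
    $watcher.IncludeSubdirectories = $true
    $watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName   # files only, not directories
    $watcher.InternalBufferSize = 65536    # larger buffer: fewer dropped events in a burst

    # Runs only when a file is created; no polling loop is involved.
    $action = {
        $file = $Event.SourceEventArgs.FullPath
        $hash = $null
        # The writer may still hold the file open, so retry the hash a few times.
        foreach ($try in 1..5) {
            try { $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction Stop).Hash; break }
            catch { Start-Sleep -Milliseconds 200 }
        }
        [pscustomobject]@{ Time = $Event.TimeGenerated.ToString('o'); Path = $file; SHA256 = $hash } |
            Export-Csv -LiteralPath $Event.MessageData -Append -NoTypeInformation
    }
    Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier $SourceId `
        -Action $action -MessageData $LogFile | Out-Null

    # A buffer overflow means events were lost; surface it instead of missing files silently.
    Register-ObjectEvent -InputObject $watcher -EventName Error -SourceIdentifier "$SourceId.Error" `
        -Action { Write-Warning "Watcher error: $($Event.SourceEventArgs.GetException().Message)" } | Out-Null

    $watcher.EnableRaisingEvents = $true
    return $watcher
}

# Constructed demo: watch a scratch folder, drop one file, show the logged record.
$tmp = [System.IO.Path]::GetTempPath()
$dir = Join-Path $tmp ("watch-" + [guid]::NewGuid())
$log = Join-Path $tmp ("newfiles-" + [guid]::NewGuid() + ".csv")   # kept outside the watched folder
New-Item -ItemType Directory -Path $dir | Out-Null
$w = Start-NewFileMonitor -Path $dir -LogFile $log
Set-Content -LiteralPath (Join-Path $dir 'sample.txt') -Value 'constructed test data'
Start-Sleep -Seconds 2                     # give the event action time to run
Import-Csv -LiteralPath $log | Format-Table -AutoSize

# Cleanup: remove both subscriptions and release the watcher.
Unregister-Event -SourceIdentifier 'NewFileMonitor'
Unregister-Event -SourceIdentifier 'NewFileMonitor.Error'
$w.Dispose()
```

`FileSystemWatcher` can still drop events when many files arrive at once, which is why the Error subscription is there; a periodic reconciliation against a directory listing covers that gap.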











