Below are a few guidelines for using the Microsoft PowerShell Sensor with custom scripts.


Custom scripts (Standard PowerShell, Exchange, SharePoint)

A custom script must be enclosed in a function definition:

function doStuff()
{
    # custom script
}


The function definition must be saved in a file, e.g. dostuff.ps1.

In GL, enter dostuff in the field “Script Filename”, excluding the file extension “.ps1”.

Enter doStuff -param1 parameterValue in the field “Parameters”.



    • If the script uses a parameter which is the target server, it must be defined as “server” in order to be resolved automatically from the “Targets” list. Following the example above, the “Parameters” field will contain:

doStuff -param1 parameterValue -server


The value for the parameter “server” will be set automatically from the “Targets” list for each selected target.

    • The MaxEnvelopeSizekb parameter on the server gives the size of the SOAP message that can be sent. Scripts and commands are sent within SOAP messages. To show the configuration of a server:

winrm g winrm/config

  • It is likely that you will have to increase the MaxMemory level on the remote host.

Show the current values:

winrm get winrm/config/winrs


Set a new maximum memory value (e.g. 1024 MB):

winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
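
A complete custom script that follows the rules above, as an added example that is not part of the original guidelines or the product's own code. Only the function wrapper, the file naming and the “server” parameter name come from the text; the function body (counting failed logons, event ID 4625, per account on the target), the “hours” parameter and its range are assumptions.

```powershell
# dostuff.ps1 - added example; body and "hours" parameter are assumptions.
# "Script Filename" field: dostuff
# "Parameters" field:      doStuff -hours 24 -server
function doStuff
{
    param(
        [ValidateRange(1, 720)]
        [int]$hours = 24,           # hypothetical look-back window in hours

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$server             # must be named "server" to be filled from "Targets"
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4625            # failed logon
        StartTime = (Get-Date).AddHours(-$hours)
    }

    try {
        $events = @(Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent reports an empty result as an error; treat that case as zero events.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $events = @()
        }
        else {
            # Access denied or an unreachable host must not look like "no failed logons".
            throw
        }
    }

    # Property index 5 of event 4625 is the target account name.
    $events |
        Group-Object { $_.Properties[5].Value } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Server';       e = { $server } },
                      @{ n = 'Account';      e = { $_.Name } },
                      @{ n = 'FailedLogons'; e = { $_.Count } }
}
```

Because the script is sent inside a SOAP message, keep the file well below the MaxEnvelopeSizekb value configured on the server.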



Cmdlet (Standard PowerShell, Exchange, SharePoint)

  • Files containing cmdlets must exist: ps_commands.txt, exchange_ps_commands.txt, sharepoint_ps_commands.txt.
  • The field “Commandlet Name” is an autocomplete field that shows only cmdlets of the relevant context (Standard PowerShell, Exchange, SharePoint). Cmdlets not in the files are not allowed.

  • The field “Parameters” can contain arguments, flags and piped commands. The following must be observed:

Each argument or flag starts with “-”

Each piped cmdlet must start with “|”

Each argument, flag or piped cmdlet must be on a new line. E.g.

-startDate 12/10/2014



Presently only cmdlets can be executed. The files containing cmdlets must exist: o365_exchange_ps_commands.txt, o365_sec_and_compliance_ps_commands.txt. The following cmdlet types can be executed:

  • Exchange
  • Security and Compliance for Exchange