Solved

What is the PowerShell entry to record the 'event code ID message' to further define the event codes?

Posted on 2015-02-04
6
160 Views
Last Modified: 2015-02-05
Hello Expert,

Within the ForEach loop on Property item [9] I'd like to include the event code ID description in the output. Do you know what the input entry should be,  @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `, in-place of  'x'? I tried 'Message', 'Description' and 'Explanation' in-place of the 'x' variable but was unsuccessful to retrieve the desired results.

Thank you,
CuriousMAUser


 ========================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 03-Feb-2015
# Verison: PowerShell 4.0
# Client OS: Windows 7, Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =========================================================================================
#
# Event Code 4728
#

Set-ExecutionPolicy remotesigned -Force
Import-module activedirectory

try{
 $SearchID='4728'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | ForEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
 }
#
# Event Code 4729
#
try{
 $SearchID='4729'
 get-childitem "C:\EventLog\SecurityEvents.evtx" | select FullName | ForEach{
  %{get-winevent  -filterHashTable @{path=$psitem.Fullname;ID=$SearchID } -ErrorAction Stop   |                
     ? {$psitem.Properties[5].Value -match $UserName}   |  
     Select-Object -Property TimeCreated, `
                             @{Name='SecurityId';Expression={$psitem.Properties[4].Value}}, `
                             @{Name='AccountName';Expression={$psitem.Properties[5].Value}}, `
                             @{Name='AccountDomain';Expression={$psitem.Properties[6].Value}}, `
                             @{Name='LogonId';Expression={$psitem.Properties[7].Value}}, `
                             @{Name='LogonType';Expression={$psitem.Properties[8].Value}}, `
                             @{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
     Format-Table
 }  }
 }
 Catch{
 $psitem.Exception.GetType().FullName
 $psitem.Exception.Message
}
0
Comment
Question by:CuriousMAUser
  • 4
  • 2
6 Comments
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
Comment Utility
Try replacing
@{Name='xxxxxxx';Expression={$psitem.Properties[9].Value}}, `
with
@{Name='Description';Expression={$psitem.Message}}
The name can be anything you want, it's the expression part that determines what goes into that calculated property.

BTW, you might want to check out the following article, which describes a method for adding all the values under the "Properties" property as named properties of the event object, that way you don't have to use things like $_.Properties[5].Value
http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx
0
 

Author Closing Comment

by:CuriousMAUser
Comment Utility
Thank you.
0
 

Author Comment

by:CuriousMAUser
Comment Utility
Hello FooTech,

At this link I've tried to mimic the code described to extract the XML into a csv files but receive errors. I feel like I'm floundering, any thoughts? Does the script below stand alone or append to an existing script?

http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx

# ==============================================================================================
#
# NAME: WinEventID.ps1
#
# Modified: IT Staff
# Date: 05-Feb-2015
# Verison: PowerShell 4.0
# Client OS: Windows 7
# Server OS: Windows 2008 R2
#
# DESCRIPTION:
# Retrieve event codes (ex. 4728 & 4729) to determine the breach of the unauthorized users
# Change event codes within the script to search for alternate security events
#
# Assumes the presence of Microsoft's ActiveDirectory PowerShell module.
# =============================================================================================
# Prompt for Credentials
 $cred = Get-Credential DomainName\admin

# Grab the events from a DC
 $Events = Get-WinEvent -ComputerName DomainController-DC01 -Credential $cred '
    -FilterHashTable @{Logname='Security';ID=4728} '

# Parse out the event message data
 
 ForEach ($Event in Events) {
  # Convert the event to XML
  $eventXML= [xml]$Event.ToXml()
  # Iterate through each one of the XML message properties
  For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
    # Append these as object properties
  Add-Member -InputObject $Event -MemberType NoteProperty -Force '
    -Name $eventXML.Event.EventData.Data[$i].name '
    -Value $eventXML.event.eventData.Data[$i].'#text'

 # View the results with your favorite output method
 $Events | export-csv C:\Scripts\SleepMedEventID.csv
 $Events | Select-Object * | Out-GridView
  }
}
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:CuriousMAUser
Comment Utility
Missing -

For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
0
 
LVL 39

Expert Comment

by:footech
Comment Utility
It stands alone.
Looks like you have single-quotes (') at the end of a few lines where you should have backticks (`) for line continuation.  Change those, or just have each command on a single line so you don't have to worry about line continuation.
0
 

Author Comment

by:CuriousMAUser
Comment Utility
Thank you, again, much better.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now