Here I get the desired 'logon' events into spreadsheet format:
# Logon-related Security event IDs (integers, which is what the Id filter expects)
$EventLogonIDs = 4611,4624,4625,4634,4647,4648,4672,4774,4775,4908,4964
$MultipleIDLogEntries = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$EventLogonIDs}
foreach ($item in $MultipleIDLogEntries) {
    # Render the two properties as text, keep only the lines named in search.lst,
    # strip the spaces and join the surviving lines into one comma-separated row
    ($item | Select-Object TimeCreated, Message | Format-List * | findstr /G:search.lst) -replace " ", "" -join "," | Out-File -Append test5.csv
}
where search.lst contains:
TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:
Now I get the desired 'sleep' events into spreadsheet format. (My original concern was understanding why my Windows 7 PC spontaneously "resumes from sleep" by itself and seemingly commences a logon.)
# System log IDs for sleep/resume events
$EventLogonIDs = 1,42
$MultipleIDLogEntries = Get-WinEvent -FilterHashtable @{LogName='System'; Id=$EventLogonIDs}
foreach ($item in $MultipleIDLogEntries) {
    # /I makes the findstr match case-insensitive, so "sleep" matches "Sleep" as well
    ($item | Select-Object TimeCreated, Message | Format-List * | findstr /I /G:search.lst) -replace " ", "" -join "," | Out-File -Append test6.csv
}
where search.lst contains:
TimeCreated
sleep
Now I mux the two data sets and output the combined CSV:
$a = Get-Content .\test5.csv   # Security ('logon') rows
$b = Get-Content .\test6.csv   # System ('sleep') rows
$c = $a + $b                   # concatenate the two sets; sorting happens in the spreadsheet
$c | Out-File test7.csv
Once I convert the CSV to the spreadsheet's native format, add column headers, format the Date/Time column (the unique identifier for our purposes) and sort by Date/Time, I have a storybook of the muxed Security (e.g. 'logon') and System (e.g. 'sleep') events.
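The same muxed timeline can be built directly as objects, which avoids scraping the formatted Message text with findstr and gives headers and sorting for free. The script below is an added example, not code from the original post; the helper names Get-EventField and Get-FirstLine and the output file timeline.csv are my own choices, and it assumes an elevated session since the Security log needs administrator rights.

```powershell
# Added example, not the original post's code: build the logon/sleep timeline
# as objects with Get-WinEvent instead of scraping the formatted Message text
# with findstr, so sorting and headers come for free from Export-Csv.
# Assumes an elevated session (reading the Security log needs admin rights).

$LogonIds = 4611,4624,4625,4634,4647,4648,4672,4774,4775,4908,4964
$SleepIds = 1,42   # System log: 42 = Kernel-Power entering sleep, 1 = Power-Troubleshooter resumed

# Pull a named EventData field (e.g. TargetUserName) out of the event XML;
# this is more robust than matching "Account Name:" in the localized Message.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-FirstLine([string]$Message) { ($Message -split "`r?`n")[0].Trim() }

$security = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=$LogonIds } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Log         = 'Security'
            Id          = $_.Id
            Account     = Get-EventField $_ 'TargetUserName'
            Domain      = Get-EventField $_ 'TargetDomainName'
            LogonType   = Get-EventField $_ 'LogonType'
            LogonId     = Get-EventField $_ 'TargetLogonId'
            Process     = Get-EventField $_ 'ProcessName'
            Summary     = Get-FirstLine $_.Message
        }
    }

# Ids 1 and 42 are reused by other providers, so keep only the sleep/resume text
$system = Get-WinEvent -FilterHashtable @{ LogName='System'; Id=$SleepIds } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sleep' } |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated; Log = 'System'; Id = $_.Id
            Account = ''; Domain = ''; LogonType = ''; LogonId = ''; Process = ''
            Summary = Get-FirstLine $_.Message
        }
    }

# Mux both sets and sort by time: a resume (Id 1) should be followed by the
# logon chain (4624/4672 ...) that the post set out to explain.
$timeline = @($security) + @($system) | Sort-Object TimeCreated
$timeline | Export-Csv -Path .\timeline.csv -NoTypeInformation
$timeline | Select-Object -First 20 | Format-Table -AutoSize
```

Because the rows are already sorted objects, the CSV opens in a spreadsheet with headers in place and no manual Date/Time formatting step.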
Next, in Part E, we need to discuss how to add additional Security auditing events to our storybook.