Thursday, July 14, 2011

Get-Winevent Part III: Querying the Event Log for Logons (Part E)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, utlimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events.  Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons.  In Part D,  I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis. In Part E (below), I tie in additional auditing events, specifically connections permitted by the Windows Filtering Platform:

'Auditpol' allows the administrator to add additional events to be collected by the Event Viewer. To see all potential categories:

auditpol /get /category:* 

[partial  list:]
System audit policy
Category/Subcategory Setting
   Security System Extension Success
   System Integrity Success and Failure
   IPsec Driver Success
   Other System Events Success and Failure
   Security State Change Success
   Logon Success and Failure
   Logoff Success
A quick trick to set all categories and their subcategories for auditing:

auditpol /set /category:*

After some time, we query the Security log and notice event 5156 for further monitoring:

get-winevent Security -max 100 | ft -auto -wrap | more

7/14/2011 6:59:55 PM Microsoft-Windows-Security-Auditing 5156 The Windows Filtering Platform has permitted a connection.
Application Information:Process ID: 3588Application Name: \device\harddiskvolume3\program files (x86)\opera\opera.exe
Network Information:Direction: OutboundSource Address: Port: 51199Destination Address: Port: 80Protocol: 6 
$5156=get-winevent -filterhashtable @{logname='security';id=5156} -max 1000
foreach ($event in $5156) {($event | Select TimeCreated,Message | fl * | findstr /G:Search5156.lst) -replace " ","" -join "," | out-file -append 5156.csv}

where Search5156.lst:

Now we can add some headers and create some filters in our spreadsheet:

1 comment:

  1. please stop using findstr in Powershell code. It's just an eye sore. Use Select-String instead (-simplematch for non-regex searches)