Thursday, July 14, 2011

Get-Winevent Part III: Querying the Event Log for Logons (Part E)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, ultimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events. Then I used '-filterhashtable' with an array of multiple security EventIDs whose selected 'Message' fields I searched with 'findstr' for specific properties relating to logons. In Part D, I pulled this all together, creating a timeline of multiple security EventIDs whose selected 'Message' fields I pumped into a spreadsheet for further analysis. In Part E (below), I tie in additional auditing events, specifically connections permitted by the Windows Filtering Platform:


'Auditpol' allows the administrator to add additional events to be collected by the Event Viewer. To see all potential categories:


auditpol /get /category:* 


[partial list:]
System audit policy
Category/Subcategory Setting
System
   Security System Extension Success
   System Integrity Success and Failure
   IPsec Driver Success
   Other System Events Success and Failure
   Security State Change Success
Logon/Logoff
   Logon Success and Failure
   Logoff Success
 ...
A quick trick to set all categories and their subcategories for auditing:


auditpol /set /category:*


After some time, we query the Security log and notice event 5156 (the Windows Filtering Platform permitted a connection), which is worth monitoring further:


get-winevent Security -max 100 | ft -auto -wrap | more


7/14/2011 6:59:55 PM Microsoft-Windows-Security-Auditing 5156 The Windows Filtering Platform has permitted a connection.
Application Information:Process ID: 3588Application Name: \device\harddiskvolume3\program files (x86)\opera\opera.exe
Network Information:Direction: OutboundSource Address: 192.168.0.11Source Port: 51199Destination Address: 199.59.149.243Destination Port: 80Protocol: 6 
...
# Pull the most recent 1000 "connection permitted" events (ID 5156) from the Security log
$5156=get-winevent -filterhashtable @{logname='security';id=5156} -max 1000
# For each event, render TimeCreated and Message as text, keep only the lines that match
# the patterns in Search5156.lst, strip spaces and join the survivors into one CSV row
foreach ($event in $5156) {
    ($event | Select TimeCreated,Message | fl * | findstr /G:Search5156.lst) -replace " ","" -join "," | out-file -append 5156.csv
}


where Search5156.lst:
TimeCreated
Source
Destination
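As an added example (not code from the original post), the same extraction done from the event's XML instead of grepping the rendered Message: every 5156 field is available by name through ToXml() (SourceAddress, DestAddress, Protocol, ...), so the CSV gets one column per field and the spaces in application paths survive. The function name ConvertFrom-Wfp5156 and the sample event are mine; the sample is constructed from the values shown above, and the commented lines at the end run the function against the live Security log.

```powershell
# Added example, not the post's code: turn 5156 events into objects via their XML (PowerShell 3+).
function ConvertFrom-Wfp5156 {
    param([Parameter(ValueFromPipeline=$true)] $Record)   # Get-WinEvent record or raw event XML text
    begin {
        $dirNames   = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }  # WFP Direction resource ids
        $protoNames = @{ '6' = 'TCP'; '17' = 'UDP' }                       # IANA protocol numbers
    }
    process {
        $xml = if ($Record -is [string]) { [xml]$Record } else { [xml]$Record.ToXml() }
        # EventData holds <Data Name="...">value</Data> elements; index them by their Name attribute
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.InnerText }
        $direction = $dirNames[$d.Direction];  if (-not $direction) { $direction = $d.Direction }
        $protocol  = $protoNames[$d.Protocol]; if (-not $protocol)  { $protocol  = $d.Protocol }
        [pscustomobject]@{
            TimeCreated   = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Direction     = $direction
            Application   = $d.Application
            ProcessID     = $d.ProcessID
            SourceAddress = $d.SourceAddress
            SourcePort    = $d.SourcePort
            DestAddress   = $d.DestAddress
            DestPort      = $d.DestPort
            Protocol      = $protocol
        }
    }
}

# Constructed sample event, built from the 5156 record shown in the post, so this runs offline
$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><TimeCreated SystemTime="2011-07-14T22:59:55.000Z"/></System>
 <EventData>
  <Data Name="ProcessID">3588</Data>
  <Data Name="Application">\device\harddiskvolume3\program files (x86)\opera\opera.exe</Data>
  <Data Name="Direction">%%14593</Data>
  <Data Name="SourceAddress">192.168.0.11</Data>
  <Data Name="SourcePort">51199</Data>
  <Data Name="DestAddress">199.59.149.243</Data>
  <Data Name="DestPort">80</Data>
  <Data Name="Protocol">6</Data>
 </EventData>
</Event>
"@
ConvertFrom-Wfp5156 $sample | Format-List

# Against the live Security log (elevated shell), one CSV row per event with a header line:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156} -MaxEvents 1000 |
#     ConvertFrom-Wfp5156 | Export-Csv 5156.csv -NoTypeInformation
```

Because Export-Csv writes the property names as the header row, the spreadsheet headers the post adds by hand come for free, and filtering on DestAddress or Application needs no further cleanup.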

Now we can add some headers and create some filters in our spreadsheet:



1 comment:

  1. please stop using findstr in PowerShell code. It's just an eye sore. Use Select-String instead (-simplematch for non-regex searches)