Saturday, June 9, 2012

Charting ordered Hash Data from the Security Event Log







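# RMF Network Security Friday, June 08, 2012  PS CTP3V2
# Charts Security-log audit events by RecordID: per the chart title, the
# 4688 (New Process Name) and 5156/5157 (Destination Address) events.
# See http://thinking-about-network-security.blogspot.com/2012/03/evtsys-actually-auditpol-and-auditusr.html
# for the auditpol configuration that accumulates the (Security) Kernel counters.
# do.txt holds the findstr patterns that pull one line out of each event message:
#   New Process Name:
#   Destination Address
# do.txt is resolved relative to the current directory, so run this from the
# folder that holds it.
# Chart-hashdata is the MS Charting derived function (defined elsewhere).

# Start from clean variables; $HashData is accumulated with += below.
if ($HashData) { Remove-Variable HashData }
if ($ArrayData) { Remove-Variable ArrayData }

# NOTE: -MaxEvents caps the *raw* Security events read before Where-Object
# filters them, so the sample is "the audits among the newest 1000 events",
# not "the newest 1000 audits". Raise the cap for a longer window.
# Cast to [array], not [array[]]: the latter wraps each event in its own
# one-element array and only worked through member enumeration.
[array]$ArrayData = Get-WinEvent -LogName Security -MaxEvents 1000 |
   Where-Object { $_.ID -eq 4688 -or $_.ID -eq 5156 -or $_.ID -eq 5157 } |
   Select-Object TimeCreated, RecordID, ID,
      @{Name = "MessageString"; Expression = { ($_.Message | findstr /G:do.txt) }}

# [ordered] keeps the chart's x-axis in the order events were returned
# (RecordID descending, newest first). Keys must be unique RecordIDs.
foreach ($i in $ArrayData) { $HashData += [ordered]@{ $i.RecordID = $i.ID } }

Chart-hashdata line 500 500 "Security Log Audits: New Process and Destination Address Events" Events "EventIDs 4688 or 5156 or 5157"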

PS C:\ps1\CTPv3> $Arraydata[0..10] | ft -auto

TimeCreated          RecordId   Id MessageString
-----------          --------   -- -------------
5/30/2012 2:11:35 PM 44766425 4688     New Process Name:    C:\Windows\SysWOW64\auditpol.exe
5/30/2012 2:11:35 PM 44766424 4688     New Process Name:    C:\cygwin\bin\bash.exe
5/30/2012 2:11:26 PM 44766423 5156     Destination Address:    127.0.0.1
5/30/2012 2:11:26 PM 44766422 4688     New Process Name:    C:\Windows\SysWOW64\auditpol.exe
5/30/2012 2:11:26 PM 44766421 4688     New Process Name:    C:\cygwin\bin\bash.exe
5/30/2012 2:11:25 PM 44766420 5156     Destination Address:    ff02::1:2
5/30/2012 2:11:19 PM 44766418 5156     Destination Address:    192.168.0.1
5/30/2012 2:11:19 PM 44766417 5156     Destination Address:    192.168.0.1
5/30/2012 2:11:19 PM 44766416 5156     Destination Address:    192.168.0.1

PS C:\ps1\CTPv3> $ArrayData.ID | group | Sort -desc -property Count

Count Name                      Group
----- ----                      -----
  824 5156                      {5156, 5156, 5156, 5156...}
   23 4688                      {4688, 4688, 4688, 4688...}
    7 5157                      {5157, 5157, 5157, 5157...}

PS C:\ps1\CTPv3> ($Hashdata | more)[0..10]

Name                           Value
----                           -----
44766425                       4688
44766424                       4688
44766423                       5156
44766422                       4688
44766421                       4688
44766420                       5156
44766418                       5156

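# Write all events to ArrayData.csv in one pass instead of reopening the file
# once per event; -Append still emits the header only when the file is new.
$ArrayData | Export-Csv -NoTypeInformation -Append ArrayData.csv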

PS C:\ps1\CTPv3> more ArrayData.csv
"TimeCreated","RecordId","Id","MessageString"
"5/30/2012 2:11:35 PM","44766425","4688","      New Process Name:       C:\Windows\SysWOW64\auditpol.exe"
"5/30/2012 2:11:35 PM","44766424","4688","      New Process Name:       C:\cygwin\bin\bash.exe"
"5/30/2012 2:11:26 PM","44766423","5156","      Destination Address:    127.0.0.1"
"5/30/2012 2:11:26 PM","44766422","4688","      New Process Name:       C:\Windows\SysWOW64\auditpol.exe"
"5/30/2012 2:11:26 PM","44766421","4688","      New Process Name:       C:\cygwin\bin\bash.exe"
"5/30/2012 2:11:25 PM","44766420","5156","      Destination Address:    ff02::1:2"

