Reputation: 1027
I am running this (line 1 is fine, just line 2 I know isn't right):
$specificEvent = Get-WinEvent -FilterHashtable @{"ProviderName"="Microsoft-Windows-Security-Auditing";Id=4648} | select -First 1
$specificEvent | ? {($_).Properties[1] -eq "whatever"}
And it's not working. Not surprised, but is there a real way to get to the Properties data, which is of System.Collections.Generic.IList type?
I can also gain access to the same data this way:
$specificEvent | % {
([xml]$_.ToXml()).Event.EventData.Data
}
But again I have no idea how I can leverage that in where-object.
I was also wondering if anyone knew how to display that data within the select-object (vs processing in a foreach loop) so when I finally get filtering working I can display what I need back.
To anyone willing to help, thank you so much!
UPDATE: Based on the answer provided below I was able to craft this code. It isn't perfect but gets the job done pretty well.
# Collect the record IDs of every 4625 (failed logon) from the last 24 hours
$EventIDs = (Get-WinEvent -FilterHashtable @{
        "ProviderName"="Microsoft-Windows-Security-Auditing";
        StartTime=(get-date).AddHours(-24);
        Id=4625} | select RecordID).RecordID
Foreach ($r in $EventIDs) {
    # Re-read the single event by record ID and take its XML form
    $EvXML = $null
    [xml]$EvXML = (Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventRecordID=$($r)]]").ToXML()
    # Turn each <Data Name="..."> element into a Name/Value object
    $Events = $null
    $Events = For ($i=0; $i -lt $EvXML.Event.EventData.Data.Count; $i++) {
        New-Object -TypeName psobject -Property (
            [ordered]@{Name = $EvXML.Event.EventData.Data[$i].Name
                       Value = $EvXML.Event.EventData.Data[$i].'#text'}
        )
    }
    # Pick the fields of interest out of the Name/Value array
    write-host ($events | ? {$_.Name -eq "TargetUserName"}).value "|" ($events | ? {$_.Name -eq "TargetDomainName"}).value "|" ($events | ? {$_.Name -eq "IPAddress"}).value ":" ($events | ? {$_.Name -eq "IPPort"}).value
}
Upvotes: 0
Views: 498
Reputation: 155
What I do when extracting data from event logs is first get the logs I want into an XML type variable, then convert the variable data to objects, like so:
# One event, as XML
[xml]$EvXML = (Get-WinEvent -FilterHashtable @{"ProviderName"="Microsoft-Windows-Security-Auditing";Id=4648} -MaxEvents 1).ToXML()
# Each <Data Name="..."> element becomes an object with Name and Value properties
$Event = For ($i=0; $i -lt $EvXML.Event.EventData.Data.Count; $i++) {
    New-Object -TypeName psobject -Property ([ordered]@{Name = $EvXML.Event.EventData.Data[$i].Name
                                                       Value = $EvXML.Event.EventData.Data[$i].'#text'})
}
Once the data is an array of objects, you can do whatever you want with it just like any other array of PS objects. If you want the system data, replace $EvXML.Event.EventData with $EvXML.Event.System and you can key off any of the fields you want. To see what's available to reference for any event, see the XML view in Event Viewer. Then, you'll be able to extract and process any single piece of data you want by referencing $Event[#].Name or $Event[#].Value.
Upvotes: 1
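Tying the answer's XML-to-object approach back to the three things the question asked for (filtering in Where-Object, displaying via Select-Object, and getting at the Properties collection), here is an added example that is not from the question or the answer. It assumes nothing beyond PowerShell itself: the 4625 event bodies are constructed, trimmed samples so the parsing and filtering can be run without a Security log, and ConvertFrom-EventXml and New-SampleEventXml are hypothetical helper names.

```powershell
# Added example, not code from the original question or answer.

function ConvertFrom-EventXml {
    # Flattens one event's XML into a single object whose properties are the
    # <Data Name="..."> fields, plus a few System fields. One object per event
    # (rather than an array of Name/Value pairs) is what makes Where-Object
    # and Select-Object read naturally downstream.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Xml
    )
    process {
        $ev = ([xml]$Xml).Event
        # EventID may be a bare element or carry a Qualifiers attribute; handle both.
        $eid = $ev.System.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }
        $props = [ordered]@{
            EventId     = [int]$eid
            RecordId    = [int]$ev.System.EventRecordID
            TimeCreated = [datetime]$ev.System.TimeCreated.SystemTime
        }
        foreach ($d in $ev.EventData.Data) {
            # $d.Name is the Name attribute, $d.'#text' the element text
            $props[$d.Name] = $d.'#text'
        }
        [pscustomobject]$props
    }
}

function New-SampleEventXml {
    # Constructed, trimmed 4625 body for offline testing; real events carry
    # many more <Data> fields (see the XML view in Event Viewer).
    param([int]$RecordId, [string]$Time, [string]$User, [string]$Ip, [string]$LogonType)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="$Time" />
    <EventRecordID>$RecordId</EventRecordID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>
"@
}

# Constructed sample data (TEST-NET addresses, fictional users)
$sampleEvents = @(
    New-SampleEventXml -RecordId 1001 -Time '2024-01-01T10:00:00.000Z' -User 'alice' -Ip '203.0.113.5'  -LogonType '3'
    New-SampleEventXml -RecordId 1002 -Time '2024-01-01T10:00:05.000Z' -User 'bob'   -Ip '203.0.113.5'  -LogonType '3'
    New-SampleEventXml -RecordId 1003 -Time '2024-01-01T10:01:00.000Z' -User 'alice' -Ip '198.51.100.9' -LogonType '2'
)

$parsed = $sampleEvents | ConvertFrom-EventXml

# 1. Filtering in Where-Object, which is what the question's line 2 was after
$parsed | Where-Object { $_.TargetUserName -eq 'alice' -and $_.LogonType -eq '3' }

# 2. Displaying the fields with Select-Object instead of a foreach/Write-Host
$parsed | Select-Object TimeCreated, TargetDomainName, TargetUserName, IpAddress, IpPort

# 3. Defender view: failed logons per source address, most active first
$parsed | Group-Object IpAddress | Sort-Object Count -Descending | Select-Object Count, Name

# Against a live Security log (Windows only), the same pipeline is:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)} |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-EventXml |
#       Where-Object TargetUserName -eq 'alice'
```

On the Properties collection itself: it is an IList of EventProperty objects, so the question's original line 2 compares an object to a string and never matches. The comparison has to reach into the value, as in `$_.Properties[5].Value -eq 'alice'`, where the index follows the field order of the event's template (for 4625, position 5 is TargetUserName; confirm against the XML view for any event you care about). The XML route above trades that positional indexing for field names, which is why it is the more readable option in a filter.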