Khushboo

Reputation: 53

How to filter windows event security logs based of security ID (SID) and EventID using PowerShell

When I filter Windows Security logs by EventId and Security Id (SID) separately, I get the output. Now I want to merge the two filters. I want to filter by EventId and SID both. If SID is 'System' it should filter it out. How do I merge the two filters? Here is the code for filtering EventIds:

Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" |
    where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} |
    ?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} |
    select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName

Here is the code for filtering based on SID:

$out += Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-21-1004336348-1383384898-1417001333-892045"]]' |
    ?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} |
    select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName

Upvotes: 0

Views: 4012

Answers (2)

postanote

Reputation: 16076

It's just another calculated property you add to the first block. No reason for the separate code block.

So, try this to get the combined data you are after. We just take your code as is and use the .NET Xml namespace to get the SID or any other item(s) you choose. You can of course filter as you like on the final collection.

Clear-Host
Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, 
          @{Name="Source";Expression={$_."Id"}},
          @{Name="SubjectUserSidValue";Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},Message `
          -First 9 `
          | Format-table -AutoSize


TimeGenerated        Source SubjectUserSidValue    Message                                                                      
-------------        ------ -------------------    -------
1/31/2018 5:27:16 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:16 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:16 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:16 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:07 AM   4634 S-1-5-18               An account was logged off....
1/31/2018 5:27:07 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:27:07 AM   4624 S-1-0-0                An account was successfully logged on....
1/31/2018 5:26:31 AM   4634 S-1-5-21-3...          An account was logged off....
1/31/2018 5:26:29 AM   4634 S-1-5-18               An account was logged off....

Update as per OP additional question

This is what you can grab by array position from the XML.

Name                      #text                          
----                      -----                          
SubjectUserSid            S-1-5-18                       
SubjectUserName           2012DC$                        
SubjectDomainName         CONTOSO                        
SubjectLogonId            0x3e7                          
TargetUserSid             S-1-0-0                        
TargetUserName            postanote                        
TargetDomainName          CONTOSO                        
Status                    0xc000015b                     
FailureReason             %%2308                         
SubStatus                 0x0                            
LogonType                 4                              
LogonProcessName          Advapi                         
AuthenticationPackageName Negotiate                      
WorkstationName           2012DC                         
TransmittedServices       -                              
LmPackageName             -                              
KeyLength                 0                              
ProcessId                 0x390                          
ProcessName               C:\Windows\System32\svchost.exe
IpAddress                 -                              
IpPort                    -

So, updating the script becomes...

Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name='TimeGenerated';Expression={$_.'TimeCreated'}}, 
          @{Name='Source';Expression={$_.'Id'}},
          @{Name='SubjectUserSidValue';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
          @{Name='TargetUserName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
          @{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
          -First 100 `
          | Format-table -AutoSize

*Updating again to reflect the OP's next question...*

As per your last question / request, then, for the other values, the update becomes this.

How to collect the full info before parsing...

$Event = Get-WinEvent ...
$Event | Select -Property *
$EventXML = [xml]$Event.ToXml()
$EventXML.Event.EventData.Data


Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select  @{Name='TimeGenerated';Expression={$_.'TimeCreated'}}, 
        @{Name='EventID';Expression={$_.'Id'}},
        @{Name='TaskCategory';Expression={$_.'TaskDisplayName'}},
        @{Name='SubjectUserSid';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
        @{Name='AccountName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
        @{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
        -First 9 `
        | Format-table -AutoSize



TimeGenerated       EventID TaskCategory SubjectUserSid  AccountName LogonProcessName
-------------       ------- ------------ --------------  ----------- ----------------
2/2/2018 2:41:03 AM    4634 Logoff       S-1-5-21-376... spadmin
2/2/2018 2:40:53 AM    4624 Logon        S-1-0-0         -           -
2/2/2018 2:40:51 AM    4634 Logoff       S-1-5-21-376... SKY01$
2/2/2018 2:40:37 AM    4634 Logoff       S-1-5-18        DC01$
...

Upvotes: 0

Does this work for you?

Get-WinEvent -FilterHashtable @{path='C:\Windows\System32\winevt\Logs\Security.evtx'; data = 'S-1-5-21-1004336348-1383384898-1417001333-892045'} |
    where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} |
    ?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} |
    select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName

Upvotes: 2
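Combining both answers (the -FilterHashtable query from the second, the ToXml() parsing from the first), here is an added example that is not from the question or either answer; it assumes the same log path and ID list, and the SID in $want is a placeholder you fill in. It reads EventData fields by their Name attribute instead of by array position, because position 0 is SubjectUserSid for 4624/4634/4688 but not for every ID in the list (4778/4779 start with AccountName), and it drops SYSTEM (S-1-5-18) as the question asks.

```powershell
# Added example: one pass that filters by event ID, time window and subject SID.
$ids   = 4624,4634,4778,4779,4608,4609,4800,4801,4802,4803,4688,4689
$since = (Get-Date).AddHours(-1)
$skip  = @('S-1-5-18')   # SYSTEM, the "System" SID the question wants excluded
$want  = @()             # placeholder include list, e.g. 'S-1-5-21-...-892045'; empty = any SID

# Id and StartTime go into the log query itself, cheaper than a Where-Object afterwards.
# Get-WinEvent raises a non-terminating error when nothing matches, hence -ErrorAction.
Get-WinEvent -FilterHashtable @{
    Path      = 'C:\Windows\System32\winevt\Logs\Security.evtx'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue |
ForEach-Object {
    $x = [xml]$_.ToXml()
    # Index EventData by field name; positions differ between event IDs.
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Not every ID carries SubjectUserSid (4778/4779 only have AccountName).
    $sid  = if ($d.ContainsKey('SubjectUserSid')) { $d['SubjectUserSid'] } else { '' }
    $acct = if ($d.ContainsKey('SubjectUserName')) { $d['SubjectUserName'] } else { $d['AccountName'] }

    [pscustomobject]@{
        TimeGenerated  = $_.TimeCreated
        EventID        = $_.Id
        TaskCategory   = $_.TaskDisplayName
        SubjectUserSid = $sid
        AccountName    = $acct
        TargetUserSid  = $d['TargetUserSid']
        Message        = ($_.Message -split "`r?`n")[0]   # first line only
    }
} |
Where-Object {
    $_.SubjectUserSid -notin $skip -and
    ($want.Count -eq 0 -or $_.SubjectUserSid -in $want)
} |
Format-Table -AutoSize
```

Events whose subject is the NULL SID (S-1-0-0, as in the 4624 rows above) still pass the SYSTEM filter; add it to $skip if those are noise for your review.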
