Evaluating Event Log Data (Part 3)

by Jun 8, 2021

In the previous tip we looked at Get-WinEvent and how you can use calculated properties to directly access the “Properties” attached to each event rather than having to text-parse the event message.

For example, the code below produced a list of installed updates by pulling the update names out of the array found in “Properties”:

$software = @{
    Name = 'Software'
    Expression = { $_.Properties[0].Value  }
}


Get-WinEvent -FilterHashTable @{
    Logname='System'
    ID=19
    ProviderName='Microsoft-Windows-WindowsUpdateClient'
} | Select-Object -Property TimeCreated, $software

This concept works generically for all event types, and the only work left for you is to find out which piece of information sits at which array index. Let’s look at a more complex event type that contains more than just one piece of information:

$LogonType = @{
    Name = 'LogonType'
    Expression = { $_.Properties[8].Value }
}

$Process = @{
    Name = 'Process'
    Expression = { $_.Properties[9].Value }
}

$Domain = @{
    Name = 'Domain'
    Expression = { $_.Properties[5].Value }
}

$User = @{
    Name = 'User'
    Expression = { $_.Properties[6].Value }
}

$Method = @{
    Name = 'Method'
    Expression = { $_.Properties[10].Value }
}


Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id = 4624
} | Select-Object -Property TimeCreated, $LogonType, $Process, $Domain, $User, $Method

Here, Get-WinEvent reads all events with ID 4624 from the Security log. Each of these events records a successful logon. Since the events are located in the Security log, you need local Administrator privileges to run the code.

Select-Object returns only the TimeCreated property. All remaining properties are calculated and essentially all do the same: they pull some information from the “Properties” array found in any event log entry object.

As it turns out, the user name that logged on can be found in index 6 of this array, and the logon type is found in array index 8.

By wrapping the code into a function, it is now simple to make sophisticated queries across the logged logon events:

function Get-LogonInfo
{
  $LogonType = @{
    Name = 'LogonType'
    Expression = { $_.Properties[8].Value }
  }

  $Process = @{
    Name = 'Process'
    Expression = { $_.Properties[9].Value }
  }

  $Domain = @{
    Name = 'Domain'
    Expression = { $_.Properties[5].Value }
  }

  $User = @{
    Name = 'User'
    Expression = { $_.Properties[6].Value }
  }

  $Method = @{
    Name = 'Method'
    Expression = { $_.Properties[10].Value }
  }


  Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id = 4624
  } | Select-Object -Property TimeCreated, $LogonType, $Process, $Domain, $User, $Method
}

Get-LogonInfo |
  Where-Object Domain -ne 'System' |
  Where-Object User -ne 'Window Manager' |
  Select-Object -Property TimeCreated, Domain, User, Method

The result looks similar to this:

TimeCreated         Domain                  User             Method
-----------         ------                  ----             ------
06.05.2021 11:46:04 RemotingUser2           DELL7390         Negotiate
05.05.2021 19:20:16 tobi.weltner@-------.de MicrosoftAccount Negotiate
05.05.2021 19:20:06 UMFD-1                  Font Driver Host Negotiate
05.05.2021 19:20:05 UMFD-0                  Font Driver Host Negotiate   
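Because the array indices are positional, it pays to check them against the event's own schema before trusting a label. The following function is an added example and not part of the original tip (the name Get-EventPropertyMap is my own choice; the cmdlets and the ToXml() method are standard): it reads one event as XML and lists which named field sits at each Properties[] index.

```powershell
# Added example, not from the original tip: Get-EventPropertyMap is an
# assumed name; Get-WinEvent, ToXml() and the [xml] accelerator are standard.
function Get-EventPropertyMap
{
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int]$Id,
        [string]$ProviderName
    )

    $filter = @{ LogName = $LogName; Id = $Id }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }

    # One event is enough: all events sharing provider and ID share the same
    # EventData layout, and the order of <Data Name="..."> elements in the XML
    # is the order of the Properties array.
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop
    [xml]$xml = $evt.ToXml()

    $i = 0
    foreach ($data in $xml.Event.EventData.Data)
    {
        # guard against a schema that lists more fields than the event carries
        $value = $null
        if ($i -lt $evt.Properties.Count) { $value = $evt.Properties[$i].Value }

        [pscustomobject]@{
            Index = $i
            Name  = $data.Name      # the Name attribute of <Data>, e.g. TargetUserName
            Value = $value
        }
        $i++
    }
}

# Security log: needs an elevated prompt, as noted above
Get-EventPropertyMap -LogName Security -Id 4624 | Format-Table -AutoSize

# Same check for the update-installed event from the first example
Get-EventPropertyMap -LogName System -Id 19 -ProviderName 'Microsoft-Windows-WindowsUpdateClient' |
    Format-Table -AutoSize
```

On current Windows releases the 4624 map names index 5 TargetUserName, index 6 TargetDomainName, index 8 LogonType, index 9 LogonProcessName and index 10 AuthenticationPackageName; compare that against the labels assigned above, because a swapped pair only shows up as odd column contents, such as the computer name DELL7390 appearing under User in the sample output.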