1
votes

How can I Write-Output only:

  • TimeCreated
  • Account Name
  • Account Domain
  • Object type
  • and object name.

Code:

Get-WinEvent -ComputerName DS1 -LogName Security -FilterXPath "*[System[EventID=4670 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='ObjectType']='File']]"  | fl 

Here is the output of the script:

TimeCreated  : 2020-04-15 7:38:42 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4670
Message      : Permissions on an object were changed.

               Subject:
                   Security ID:        S-9-9-291-9999999999-8999992562-9999999661-999999
                   Account Name:       todd
                   Account Domain:     dmn
                   Logon ID:           0x55555555555555

               Object:
                   Object Server:      Security
                   Object Type:        File
                   Object Name:        F:\Share\share1\photo.png
                   Handle ID:          0x70a2

               Process:
                   Process ID:         0x5
                   Process Name:       

               Permissions Change:
                   Original Security Descriptor:    
                   New Security Descriptor:         O:S-9-9-291-9999999999-8999992562-9999999661-999999:DU

1 Answer

2
votes

I cannot test if your filter actually works, but assuming that is ok, you have two options here.

  1. Try and parse out the data (especially the Message part) using a lot of awkward regexes
  2. Get the data you need from the XML

I prefer the second option:

$filter = "*[System[EventID=4670 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='ObjectType']='File']]"
$result = Get-WinEvent -ComputerName DS1 -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    $eventData = $eventXml.EventData.Data
    # output the properties you need
    [PSCustomObject]@{
        TimeCreated   = [DateTime]$eventXml.System.TimeCreated.SystemTime
        AccountName   = ($eventData | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        AccountDomain = ($eventData | Where-Object { $_.Name -eq 'SubjectDomainName' }).'#text'
        ObjectType    = ($eventData | Where-Object { $_.Name -eq 'ObjectType' }).'#text'
        ObjectName    = ($eventData | Where-Object { $_.Name -eq 'ObjectName' }).'#text'
        Computer      = $eventXml.System.Computer
    }
}

# output on screen
$result

# output to CSV file
$result | Export-Csv -Path 'X:\TheOutputFile.csv' -NoTypeInformation
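As an added example that is not part of the answer above, the same XML approach can be wrapped in a function that builds a single name-to-value lookup from the EventData nodes (instead of a Where-Object per field) and also keeps the NewSd field, since for a 4670 event the security question is usually not just who touched the file but what the new DACL grants. The function name, the sample event and the SDDL values below are constructed for this example, not taken from the original page; the EventData field names (SubjectUserName, ObjectName, OldSd, NewSd, ...) are the ones the Security log uses for event 4670. ConvertFrom-SddlString is only available on Windows, so the decoding step is skipped where the cmdlet is missing.

```powershell
# Added example (hypothetical function name); not the code from the question or answer.
function ConvertFrom-PermissionChangeEvent {
    [CmdletBinding()]
    param(
        # Accepts EventLogRecord objects from Get-WinEvent, or raw event XML strings
        [Parameter(ValueFromPipeline)] $InputObject
    )
    process {
        $xmlText = if ($InputObject -is [string]) { $InputObject } else { $InputObject.ToXml() }
        $evt = ([xml]$xmlText).Event

        # One pass over EventData: Name -> #text lookup
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Decode the new security descriptor when the cmdlet exists (Windows PS 5.1+ / PS 7 on Windows)
        $newSddl = $data['NewSd']
        $newDacl = $null
        if ($newSddl -and (Get-Command ConvertFrom-SddlString -ErrorAction SilentlyContinue)) {
            $newDacl = (ConvertFrom-SddlString -Sddl $newSddl -Type FileSystemRights).DiscretionaryAcl
        }

        [PSCustomObject]@{
            # SystemTime is UTC with a trailing Z; [DateTime] converts it to local, so normalise back to UTC
            TimeCreatedUtc = ([DateTime]$evt.System.TimeCreated.SystemTime).ToUniversalTime()
            Computer       = $evt.System.Computer
            AccountName    = $data['SubjectUserName']
            AccountDomain  = $data['SubjectDomainName']
            ObjectType     = $data['ObjectType']
            ObjectName     = $data['ObjectName']
            ProcessName    = $data['ProcessName']
            OldSddl        = $data['OldSd']
            NewSddl        = $newSddl
            NewDacl        = ($newDacl -join '; ')
        }
    }
}

# Constructed sample 4670 event so the example runs offline (not a real capture).
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4670</EventID>
    <TimeCreated SystemTime="2020-04-15T11:38:42.1234567Z"/>
    <Channel>Security</Channel>
    <Computer>DS1.dmn.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">todd</Data>
    <Data Name="SubjectDomainName">dmn</Data>
    <Data Name="SubjectLogonId">0x55555</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">F:\Share\share1\photo.png</Data>
    <Data Name="HandleId">0x70a2</Data>
    <Data Name="OldSd">O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)</Data>
    <Data Name="NewSd">O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;WD)</Data>
    <Data Name="ProcessId">0x5</Data>
    <Data Name="ProcessName"></Data>
  </EventData>
</Event>
'@

# Offline run against the constructed sample. For live data use instead:
#   Get-WinEvent -ComputerName DS1 -LogName Security -FilterXPath $filter | ConvertFrom-PermissionChangeEvent
$sampleEvent | ConvertFrom-PermissionChangeEvent | Format-List

# Flag changes whose new DACL contains an allow ACE for Everyone (WD) or Authenticated Users (AU):
# ACE layout is (type;flags;rights;object_guid;inherit_object_guid;sid)
$sampleEvent | ConvertFrom-PermissionChangeEvent |
    Where-Object { $_.NewSddl -match '\(A;[^;)]*;[^;)]*;[^;)]*;[^;)]*;(WD|AU)\)' } |
    Select-Object TimeCreatedUtc, AccountDomain, AccountName, ObjectName, NewDacl
```

Keeping OldSd and NewSd as raw SDDL strings alongside the decoded DACL means the CSV export still carries the exact descriptor for later review, while the regex filter gives a quick first cut on the change that matters most on a file share: a grant to Everyone or Authenticated Users.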