You should be able to get the TargetUserName and SubjectUserName properties by filtering the EventData for those specifically named attributes.

Example code updated (I've also removed the .'#text' part from the EventID line to ensure this value is captured):
$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    [PSCustomObject]@{
        EventID        = $eventXml.System.EventID
        TimeCreated    = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*$'
        Computer       = $eventXml.System.Computer
        TargetUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "TargetUserName" }).'#text'
        SubjectUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName" }).'#text'
    }
}
# output on screen
$result | Format-Table -AutoSize
# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation
If you prefer, you could pull out all attributes with the following instead:
$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    $object = [PSCustomObject]@{
        EventID     = $eventXml.System.EventID
        TimeCreated = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*$'
        Computer    = $eventXml.System.Computer
    }
    # add every EventData attribute as a property named after its Name attribute
    $eventXml.EventData.Data | ForEach-Object {
        $object | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.'#text'
    }
    $object
}
# output on screen
$result | Format-Table -AutoSize
You'd then end up with all the attributes available to you and each result would contain data such as:
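The following is an added example, not code from the answer above: it exercises the same XML-to-object extraction offline against a few constructed 4740 events, so the parsing can be checked without a live Security log, and then goes one step further than the answer by summarising the lockouts per originating computer, which is what an analyst usually wants from 4740. It assumes the standard 4740 EventData attribute names (TargetUserName is the locked account, TargetDomainName is the caller computer name, SubjectUserName is the account that performed the lockout); the user names, host names and timestamps in the sample are made up. It also handles the case where a provider emits <EventID Qualifiers="..."> and the value has to be read from '#text'.

```powershell
# Constructed 4740 event template (sample values only; the XML layout follows
# the Security log schema). Placeholders: {0} time, {1} locked account,
# {2} caller computer (TargetDomainName).
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="{0}"/>
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="TargetDomainName">{2}</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

# Four constructed lockouts: three from one workstation, one from a laptop.
$sampleEvents = @(
    ($template -f '2024-01-15T08:01:12.1234567Z', 'jdoe',   'WS-FINANCE-07'),
    ($template -f '2024-01-15T08:03:40.9876543Z', 'asmith', 'WS-FINANCE-07'),
    ($template -f '2024-01-15T08:04:02.0000000Z', 'jdoe',   'WS-FINANCE-07'),
    ($template -f '2024-01-15T09:15:00.5555555Z', 'bwong',  'LAPTOP-22')
)
# Against the real log you would feed the same function with:
#   Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object { $_.ToXml() }

function ConvertFrom-EventXml {
    # Turn one event's XML into a flat object: System fields plus every
    # EventData <Data Name="..."> element as a property of that name.
    param([Parameter(Mandatory)][string]$Xml)
    $e = ([xml]$Xml).Event

    # Some providers emit <EventID Qualifiers="...">; then .EventID is an
    # XmlElement and the number lives in its '#text' child.
    $id = $e.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }

    $object = [PSCustomObject]@{
        EventID     = [int]$id
        TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
        Computer    = $e.System.Computer
    }
    foreach ($d in $e.EventData.Data) {
        $object | Add-Member -MemberType NoteProperty -Name $d.Name -Value $d.'#text'
    }
    $object
}

function Get-LockoutSourceSummary {
    # Group parsed 4740 events by the caller computer and flag any source
    # that produced at least $Threshold lockouts (hypothetical threshold).
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 2
    )
    $Events | Group-Object -Property TargetDomainName | ForEach-Object {
        $times = $_.Group.TimeCreated | Sort-Object
        [PSCustomObject]@{
            SourceComputer = $_.Name
            Lockouts       = $_.Count
            Accounts       = ($_.Group.TargetUserName | Sort-Object -Unique) -join ', '
            FirstSeen      = $times[0]
            LastSeen       = $times[-1]
            Flagged        = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Lockouts -Descending
}

$parsed = $sampleEvents | ForEach-Object { ConvertFrom-EventXml -Xml $_ }
$parsed | Format-Table EventID, TimeCreated, Computer, TargetUserName, TargetDomainName, SubjectUserName -AutoSize
Get-LockoutSourceSummary -Events $parsed | Format-Table -AutoSize
```

With the constructed sample, WS-FINANCE-07 is reported with three lockouts across two accounts and is flagged, while LAPTOP-22 shows a single lockout and is not. Keeping TimeCreated as a [datetime] rather than a trimmed string, as done here, lets the summary sort and compare times directly; the answer's -replace form is fine if you only need a readable column.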