
# encoding: ascii
# api: powershell
# title: SysMon Event Data
# description: Example extracting data from sysmon event logs.
# version: 0.1
# type: script
# author: rcookiemonster
# license: CC0
# x-poshcode-id: 5494
# x-archived: 2015-03-23T13:45:16
# x-published: 2015-10-08T22:48:00
#
#
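    # Example: extract Sysmon event data with the Get-WinEventData helper.
    #
    # Get-WinEventData is not part of this script; download it from
    #   https://gallery.technet.microsoft.com/scriptcenter/Get-WinEventData-Extract-344ad840
    # and set up Sysmon as desired:
    #   http://technet.microsoft.com/en-us/sysinternals/dn798348
    #
    # Dot-sourcing runs the helper's code in this session with the caller's
    # privileges, so $helperPath must point at a copy you control. Review the
    # file (or compare its hash with the copy you downloaded) before pointing
    # this at a network share; a writable share lets anyone who can modify the
    # file run code here.
    $helperPath = "\\path\to\Get-WinEventData.ps1"
    if (-not (Test-Path -LiteralPath $helperPath -PathType Leaf)) {
        throw "Get-WinEventData helper not found at '$helperPath'"
    }
    . $helperPath

    # Filter for the Sysmon operational log, event id 3. The sample output
    # below carries source/destination address and port fields, i.e. these
    # are network-connection events.
    $sysmonFilter = @{ logname = "Microsoft-Windows-Sysmon/Operational"; id = 3 }

    # Obtain events and expose their XML EventData as EventData* properties;
    # show the first one in full to see which properties are available.
    # NOTE(review): Get-WinEvent appears to report an error rather than empty
    # output when nothing matches the filter — confirm on your host.
    Get-WinEvent -FilterHashtable $sysmonFilter |
        Get-WinEventData |
        Select-Object -First 1 -Property *

    <#
        Sample output (sensitive values masked):

        ...
        EventDataUtcTime             : 10/8/2014 10:41 PM
        EventDataProcessGuid         : {00000000-A3D1-5435-0000-001094C60700}
        EventDataProcessId           : 5248
        EventDataImage               : C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
        EventDataUser                : *************\*************
        EventDataProtocol            : tcp
        EventDataInitiated           : false
        EventDataSourceIsIpv6        : false
        EventDataSourceIp            : 127.0.0.1
        EventDataSourceHostname      : *************
        EventDataSourcePort          : 12804
        EventDataSourcePortName      :
        EventDataDestinationIsIpv6   : false
        EventDataDestinationIp       : 127.0.0.1
        EventDataDestinationHostname : *************
        EventDataDestinationPort     : 12805
        EventDataDestinationPortName :
        ...
    #>

    # Work with the extracted data as desired, e.g. list the endpoints of
    # connections made by any image whose path contains "plex".
    # Property names are matched case-insensitively, so the casing used here
    # only affects readability, not the result.
    Get-WinEvent -FilterHashtable $sysmonFilter |
        Get-WinEventData |
        Where-Object { $_.EventDataImage -like "*plex*" } |
        Select-Object -Property EventDataSourceIp, EventDataDestinationIp

    <#
        Sample output:

        EventDataSourceIp EventDataDestinationIp
        ----------------- ----------------------
        127.0.0.1         127.0.0.1
        127.0.0.1         127.0.0.1
        192.168.1.4       192.168.1.4
        192.168.1.4       192.168.1.4
        127.0.0.1         127.0.0.1
        127.0.0.1         127.0.0.1
        127.0.0.1         127.0.0.1
        127.0.0.1         127.0.0.1
        192.168.1.4       192.168.1.115
        192.168.1.4       192.168.1.115
        192.168.1.4       192.168.1.115
    #>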