How to filter windows event security logs based of security ID (SID) and EventID using PowerShell
When I filter the Windows security log by EventId and by security ID (SID) separately, I get output. Now I want to combine the two filters. I want to filter by EventId and SID at the same time. If the SID is 'System' it should be filtered out. How do I combine the two filters?
Here is the code that filters on EventId:
Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" | where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName
Here is the code that filters on SID:
$out += Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-21-1004336348-1383384898-1417001333-892045"]]' |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName
Does this work for you?
Get-WinEvent -FilterHashtable @{path='C:\Windows\System32\winevt\Logs\Security.evtx'; data = 'S-1-5-21-1004336348-1383384898-1417001333-892045'}| where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} |?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} | select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserName
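As an added example (not code from the question or from this answer), here is one way to push both constraints, the EventID list and the SID test, into a single server-side XPath query so the log service returns only matching records instead of PowerShell reading the whole file and discarding most of it. The log path and the S-1-5-21-... SID are the placeholders from the question; setting `$TargetSid = $null` switches the query to "any account except SYSTEM", which is the exclusion the question asks for.

```powershell
# Added example, not code from the question or the answer above.
# Assumptions: log path and SID are the placeholders used in the question.

$LogPath   = 'C:\Windows\System32\winevt\Logs\Security.evtx'
$TargetSid = 'S-1-5-21-1004336348-1383384898-1417001333-892045'   # placeholder; $null = any account except SYSTEM
$SystemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM
$EventIds  = 4624, 4634, 4778, 4779, 4608, 4609, 4800, 4801, 4802, 4803, 4688, 4689

# (EventID=4624 or EventID=4634 or ...)
$idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '

# Last hour, evaluated by the event log service itself; timediff() is in milliseconds.
$timeClause = 'TimeCreated[timediff(@SystemTime) <= 3600000]'

# SID clause: either restrict to one SID, or drop every record where SYSTEM acted.
$sidClause = if ($TargetSid) {
    "Data[@Name='SubjectUserSid']='$TargetSid'"
} else {
    "Data[@Name='SubjectUserSid']!='$SystemSid'"
}

$xpath = "*[System[($idClause) and $timeClause] and EventData[$sidClause]]"

Get-WinEvent -Path $LogPath -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Select-Object @{Name = 'TimeGenerated';  Expression = { $_.TimeCreated }},
                  @{Name = 'EventID';        Expression = { $_.Id }},
                  @{Name = 'SubjectUserSid'; Expression = {
                      # read the field by its Name attribute, not by array position
                      ([xml]$_.ToXml()).Event.EventData.Data |
                          Where-Object { $_.Name -eq 'SubjectUserSid' } |
                          ForEach-Object { $_.'#text' } }},
                  Message |
    Format-Table -AutoSize
```

Reading Security.evtx directly needs an elevated session. Two things worth knowing when adapting this: the `Data` key in the `-FilterHashtable` answer above is not tied to a field name, so a SID appearing as TargetUserSid matches as well as one appearing as SubjectUserSid; and the event log's XPath engine caps the number of clauses in one query, so for a much longer ID list use `-FilterHashtable @{Path = $LogPath; ID = $EventIds; StartTime = (Get-Date).AddHours(-1)}` and apply the SID test client-side.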
That is just another calculated property you add to the first block. There is no reason for a separate code block.
So, try this to get the combined data you want. We just use your code as-is and use the .Net XML namespace to get the SID, or any other item you choose. You can of course filter the final collection however you like.
Clear-Host
Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name="TimeGenerated";Expression={$_."TimeCreated"}},
@{Name="Source";Expression={$_."Id"}},
@{Name="SubjectUserSidValue";Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},Message `
-First 9 `
| Format-table -AutoSize
TimeGenerated Source SubjectUserSidValue Message
------------- ------ ------------------- -------
1/31/2018 5:27:16 AM 4634 S-1-5-18 An account was logged off....
1/31/2018 5:27:16 AM 4624 S-1-0-0 An account was successfully logged on....
1/31/2018 5:27:16 AM 4634 S-1-5-18 An account was logged off....
1/31/2018 5:27:16 AM 4624 S-1-0-0 An account was successfully logged on....
1/31/2018 5:27:07 AM 4634 S-1-5-18 An account was logged off....
1/31/2018 5:27:07 AM 4624 S-1-0-0 An account was successfully logged on....
1/31/2018 5:27:07 AM 4624 S-1-0-0 An account was successfully logged on....
1/31/2018 5:26:31 AM 4634 S-1-5-21-3... An account was logged off....
1/31/2018 5:26:29 AM 4634 S-1-5-18 An account was logged off....
Update based on the OP's additional question
Here is what you can get from the XML by array position:
Name #text
---- -----
SubjectUserSid S-1-5-18
SubjectUserName 2012DC$
SubjectDomainName CONTOSO
SubjectLogonId 0x3e7
TargetUserSid S-1-0-0
TargetUserName postanote
TargetDomainName CONTOSO
Status 0xc000015b
FailureReason %%2308
SubStatus 0x0
LogonType 4
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName 2012DC
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x390
ProcessName C:\Windows\System32\svchost.exe
IpAddress -
IpPort -
So, the updated script becomes...
Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name='TimeGenerated';Expression={$_.'TimeCreated'}},
@{Name='Source';Expression={$_.'Id'}},
@{Name='SubjectUserSidValue';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
@{Name='TargetUserName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
@{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
-First 100 `
| Format-table -AutoSize
* Updated again to reflect the OP's next question... *
Based on your last question/request, then for the other values the update becomes this.
How to collect the full information before parsing...
$Event = Get-WinEvent ...
$Event | Select -Property *
$EventXML = [xml]$Event.ToXml()
$EventXML.Event.EventData.Data
Clear-Host
Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
| Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
| Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
| select @{Name='TimeGenerated';Expression={$_.'TimeCreated'}},
@{Name='EventID';Expression={$_.'Id'}},
@{Name='TaskCategory';Expression={$_.'TaskDisplayName'}},
@{Name='SubjectUserSid';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
@{Name='AccountName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
@{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
-First 9 `
| Format-table -AutoSize
TimeGenerated EventID TaskCategory SubjectUserSid AccountName LogonProcessName
------------- ------- ------------ -------------- ----------- ----------------
2/2/2018 2:41:03 AM 4634 Logoff S-1-5-21-376... spadmin
2/2/2018 2:40:53 AM 4624 Logon S-1-0-0 - -
2/2/2018 2:40:51 AM 4634 Logoff S-1-5-21-376... SKY01$
2/2/2018 2:40:37 AM 4634 Logoff S-1-5-18 DC01$
...
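The scripts above read fields by position (`Data[0]`, `Data[1]`, `Data[11]`), and the listing of a 4624 record shows why that works for a logon event. The other IDs in the list do not share that layout, so the same index returns a different column for a 4634, 4688 or 4800 record without any error. As an added example (not code from this answer), here is the same report built from fields looked up by their `Name` attribute, with the SYSTEM exclusion from the question applied to the named SID. The log path is the one from the question and `$TargetSid` is a placeholder.

```powershell
# Added example, not code from the answer above.
# Assumptions: log path as in the question; $TargetSid is a placeholder
# ($null means "any account except SYSTEM").

function ConvertTo-EventDataTable {
    # Returns one ordered hashtable per record, keyed by the Data Name attribute.
    # Unnamed Data nodes (some providers emit them) are keyed Data0, Data1, ...
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record
    )
    process {
        $fields = [ordered]@{}
        $xml    = [xml]$Record.ToXml()
        $i      = 0
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($null -eq $d) { continue }                      # record carries UserData, not EventData
            if ($d -is [string]) {                              # unnamed, text-only node
                $fields["Data$i"] = $d
            } else {
                $name = $d.GetAttribute('Name')                 # '' when the attribute is absent
                if (-not $name) { $name = "Data$i" }
                $fields[$name] = $d.'#text'
            }
            $i++
        }
        $fields
    }
}

$LogPath   = 'C:\Windows\System32\winevt\Logs\Security.evtx'
$TargetSid = $null            # e.g. 'S-1-5-21-1004336348-1383384898-1417001333-892045' (placeholder from the question)
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$EventIds  = 4624, 4634, 4778, 4779, 4608, 4609, 4800, 4801, 4802, 4803, 4688, 4689

# ID list and time window are pushed into the query; the SID test runs on named fields.
Get-WinEvent -FilterHashtable @{ Path = $LogPath; ID = $EventIds; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertTo-EventDataTable -Record $_
        [pscustomobject]@{
            TimeGenerated    = $_.TimeCreated
            EventID          = $_.Id
            TaskCategory     = $_.TaskDisplayName
            SubjectUserSid   = $f['SubjectUserSid']
            AccountName      = $f['TargetUserName']
            LogonType        = $f['LogonType']           # $null for IDs that have no such field
            LogonProcessName = $f['LogonProcessName']
        }
    } |
    Where-Object {
        $_.SubjectUserSid -ne $SystemSid -and
        (-not $TargetSid -or $_.SubjectUserSid -eq $TargetSid)
    } |
    Format-Table -AutoSize
```

Because every field is fetched by name, a column that an event type does not carry simply comes back empty instead of showing a value from the wrong field, which matters when the output feeds an alert or a report rather than a one-off look at the console.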