PowerShell Tutorials Event Viewer #2 : Get-WinEvent (Filter by XML and XPATH)

Captions
Hi, and welcome to part two of this PowerShell tutorial series around the Event Viewer. In the first video we went over the Get-EventLog cmdlet to interact with the Event Viewer. We were looking specifically for audit failures, so failed logins. You can see here I already have the code that we made in the last video, and if we just run this part here right now, it does take quite a bit of time, roughly about a minute or so, but we'll see our results here, and it'll show us all the failed logins grouped by what user tried the login, and then all the actual data is stored, so the computer that tried to log in and the IP as well.

Today we are going to be looking at the Get-WinEvent cmdlet. It's a little bit different in terms of your options for parameters, but it does the exact same thing, and it is a lot faster if you can use XPath or XML filtering. So let's go ahead and get started on that one. The first thing we're going to want to do is just set up the basic cmdlet, which is going to be Get-WinEvent (oops, not "wind event" but "WinEvent"). So here we have it. The first parameter we're going to have is definitely the log name, because we want to grab everything that's in that Security log. Now the other options we get are the filters: if we remove the log name and we just go like this, we actually get -FilterXPath and -FilterXml, and you could also do a filter by hashtable. I might do this in a second part to this video; we're going to be focusing on the XML and the XPath, because those two are very, very similar, and I find that XPath is very good to work with. It's a little bit confusing at first, but once you get it down pat it's definitely a lot easier.

So we'll be looking at -FilterXml first. This one is actually a little bit easy, because all you need to do is go into your Event Viewer and then do a "Filter Current Log", and here you have all the options. So let's do "in the last hour", and let's do the event sources; it should be Microsoft Windows security auditing, I believe, so let's just scroll down here, and we should see Microsoft Windows security auditing right here. All right, and then let's just look for the event ID specifically; we already know we want to look for event ID 4625. So then if we look at the XML tab, it actually creates the full XML query that we need to execute. If we just copy this and then go back into our PowerShell window here, let's just push this down a little bit and actually create a variable called $xmlFilter, and then we're going to make this a literal string. What that is is just the at symbol and then a single quote, then press Enter a few times, and then do a single quote and then an at symbol there. All we're going to do is paste our XML in there, and then in here, for the -FilterXml, we're going to pass in our $xmlFilter. So if we run this, we should get our data that we eventually got down to this. If we just execute this here, there's all of our events right now.

As we did in the last one, we actually took those events, went into the actual object, and created our own object with better, more user-friendly names, and we were able to do some sorting on them. So let's go ahead and do that with Get-WinEvent here. Let's store all these events in a variable called $events, and then we're going to do foreach ($Event in $events); we're just going to capitalize the E here, close the parentheses, and open and close curly brackets. As I always do, I just like to run this so I get everything. As you can already see, when we run this query it is a lot faster; Get-WinEvent with the XML filter or the XPath filter is quite a bit quicker, and we can actually do a Measure-Command at the end of this video to see how much faster it is. But let's just go ahead and see how we can actually get these events filtered down.

So as we did the last time, if we just look at $events, we have our first event here, and if we do a dot on it we can see all the options: we have the ID of it, we have the level, we have the log name, the machine name, some properties, and we also have the message. If we look at the message, once again, just like Get-EventLog, the message is definitely hard to work with; it has all the information we need, but it's very hard to work with. Now, with Get-EventLog we had .ReplacementStrings; with Get-WinEvent it is actually just .Properties, and we get the exact same values here. The nice thing about ReplacementStrings and .Properties is that the actual indexes, I believe, stay the same, so we can check that by doing that foreach loop exactly like we did the last time. So let's do foreach, open parenthesis, $x in 0..$Event.Properties. (dot) and then a closed parenthesis, then open and close curly brackets, and in here we're going to do a Write-Output. We are going to write out the $x value and then the event (oops, we need to wrap this in a dollar sign and open and close parentheses as a variable wrapper), then we're going to reference $Event.Properties and then our $x value. Now if I just run this, let's see what it gives us. All right, so it does give us the numbers, but then it gives us this weird System.Diagnostics.Eventing.Reader.Event... That is because we need to add .Value to the end here, and if we just run this now we can see all of our values: our username is still 5, our domain is still 6, our client name that tried is still 13, and then our IP address is 19.

So those are exactly the same here, so they are quite interchangeable. The only thing you really have to look out for is to make sure that you're using the right ReplacementStrings or Properties depending on which command you ended up using. So let's go ahead and do $usernameTried, and that's going to be equal to $Event.Properties at 5, and we're going to do .Value, and we're just going to copy-paste this four times and change this to $domainTried, then $clientNameFrom and then $clientIpFrom; the domain is at index 6, the client name is at 13, and the IP is at 19. Then what we're going to do is create that object here. So let's just create again our ArrayList up here: we're going to do $log equals square bracket, close square bracket, and inside the square brackets we're going to set that to System.Collections.ArrayList, and then we're just going to set that to an empty array. Inside of our foreach loop we're going to call it $logEntry and set that to a New-Object with a type name of PSObject, and we're going to add members to it, so we're going to add properties to it. For the first value we want to add, we need to pass in the $logEntry to Add-Member first, and the MemberType is going to be NoteProperty; then our first one is going to be the username, so UsernameTried, and the value for that is going to be $usernameTried. Again, we're just going to copy this line because there's no point in rewriting it a bunch of times, so the only thing we need to change here is the name: DomainTried, then ClientNameFrom, and ClientIpFrom, and then the values $domainTried, $clientNameFrom and $clientIpFrom. Then we're going to do $log.Add($logEntry), and again, just to remove that output to the console, we're going to add a square bracket and close square bracket with the word void in front of it; that's going to get rid of that. Then we could do $log | Group-Object, and we're going to group the object by UsernameTried. So if we run all of this, we get all of our results back almost instantaneously, and if we go back to our Get-EventLog from yesterday (let's just remove this one), it does take quite a bit more time compared to our Get-WinEvent.

So again, Get-WinEvent was super, super easy to build with -FilterXml, because you could just use the Event Viewer to really build out that XML and then copy-paste it; you really don't have to do any work for that filter. So that's how you would use that XML filter with Get-WinEvent.

Now the other one I talked to you about a bit at the beginning is XPath. XPath is slightly complicated at first; I was really confused when I first used it, but now I'm definitely feeling a little bit more confident in it, and it definitely makes the queries a little bit easier to read. It takes up a lot less room: it's going to take up one line, and it's actually just going to be on the same line as your cmdlet, so it's super useful, and it's just as fast. So let's go ahead and get started on that one. What we're going to do is our Get-WinEvent here, and then -LogName is going to be Security, because I do need to add that in this case, and then we are going to do a -FilterXPath. Now in here we can do double quotes or single quotes; it's completely up to you, and especially if you're going to be using variables inside, I would do double quotes. So let's just use double quotes to be ready for any future changes in case we want to use variables in here.

So our -FilterXPath is going to be based on this: in your Event Viewer, when you go look at your event, typically you look at it in the friendly view and you have System and EventData, but you could also look at it through the XML view, which will have all the same data, just in an XML format. Now the XPath works off of this XML format. So let's say we want to grab this event. This event is going to be this root object here, so we're going to want to go into the Event, go into System, and grab everything with the Provider Name of Microsoft-Windows-Security-Auditing and the EventID of 4625, and then the TimeCreated; we want something in the last hour. This should be fairly easy to build out, and then we can add on to it.

So let's go back into our PowerShell here. As we know, the first item was Event, and then we just need to put a square bracket and close square bracket, so that gets us into this first node, the Event node. The next one we want to go into is System, so let's add that in here: we're going to do System and then an open and close square bracket, so now we're inside of System. The next one we want is the Provider, and we want to get the Name of Microsoft-Windows-Security-Auditing. So Provider is the tag name, and Name is actually an attribute of Provider. The way we would do that is we would put in the tag of Provider here, then an open and close square bracket again, and we're going to do @Name equals single quote single quote, and then just paste this in here, so that's just the Microsoft-Windows-Security-Auditing. That is our Provider; this is the square bracket for Name, this is the square bracket for Provider, and this is the square bracket for System. That should be okay, so if we just run this we're going to see that we get all the Microsoft-Windows-Security-Auditing events.

But now we only want the events with the ID of 4625. In this case it's still in System, right after Provider, and its EventID is going to be 4625. So all we need to do now is, right after your Name, and because Name is in Provider and in System, in here we should be able to do "and EventID=4625". If we run this now, we only get the events that are 4625 and Microsoft-Windows-Security-Auditing, but we get all of them, even the ones from a couple of days ago. Now we only really want the ones for the last hour for our script, because we're going to be automating it; well, let's say we're going to be automating it to run every hour, and we want it to send emails just for the events in the last hour. So this is where we have to come down into the TimeCreated SystemTime. This is the time that it was created. So let's go back into our PowerShell window. This one is also in System, so we can put it directly after the EventID: this is going to be "and TimeCreated", and SystemTime is an attribute of the TimeCreated tag. So let's go into the SystemTime, but now the only thing we want to do is the time difference; we only want the events in the last hour. (It's just frozen for me here, give me two seconds, hopefully it'll come back. There you go.) All right, so TimeCreated; what we want to do is an open and close square bracket here. (Just giving me a little bit of delay here; it seems that we've lost connection, so let me just make the connection again and I will be right back. Oh, it actually came back right away, so that was weird; maybe just something on my network that caused a little bit of delay.) So we have TimeCreated, and then we're going to want to do the time difference, so that is going to be timediff, and we're going to want to reference the @SystemTime, because that is the attribute. Now here we are going to do a less than or equals. This is actually in milliseconds, so just to go over the millisecond calculation I'm doing: we want one hour, one hour has 60 minutes, each minute has 60 seconds, each second has 1000 milliseconds, so we have... I believe that is the right number, so that should be three million six hundred thousand. So if we run this now, we only get the events within the last hour, so that is super awesome.

So what we're going to do is store this into a variable called $events, and since this is Get-WinEvent, we are actually just going to copy from the script that we just did for Get-WinEvent to create that log. We're just going to paste this in here and run this entire thing; it should just work right away. So there it is; it's just as fast as the -FilterXml. Now this might be a little bit harder to build at first, but here is where it definitely gets interesting. Let's say we wanted to build out our query to only get us the admin account. We don't care about test, we don't care about 123, we don't care about fulltest; all we really want to do is investigate people that are trying the admin account. The way we would do that is to come back into our XPath. So first let's just look here: we have our Event, and in EventData we have a TargetUserName which is admin. This is what we're going to want to pick, and this is in a Data tag with the attribute Name, and the attribute Name value is TargetUserName, and it's going to be equal to admin. So let's come back into our PowerShell. Now we know we have one closing bracket to get into System, so we want to get back to just after System, because it's at that same level: System and EventData are at the same level inside of the Event node. We want to be at this level, so let's make sure we only have one square bracket left at the end; this is where we're going to put our EventData. So let's do "and EventData" and then open and close square brackets. Now in here it's going to be a Data, and our Name is going to be TargetUserName, so let's do Data, and the Data is going to be @Name equals TargetUserName. This is not going to be within that same square bracket, so we need to go out one square bracket, at the same level as Data here, and it's going to be equal to single quote single quote, and in here we're going to put admin. Let's go ahead and run this entirely. So in here now we only get our admins.

Now this could be very, very useful. Let's say you built this out in a script: let's do $username equals Read-Host, and we're going to put a prompt, "Enter the username to search for" (I think it actually puts a colon by itself). So we have our username here, and in here, instead of admin, we're going to do a dollar sign, open and close parentheses, to be able to put a variable in here, and we're going to put in our $username. Now if we run this entire script, as you can see, it prompts me for the username, so let's just put in test, and it only gets me the events with test. I could run it again, search for admin, and it will only give me the admins that have a bad login. So this could be a super useful tool to give a help desk or anything like that, or if you just want to search for very, very specific people that are failing; you just add a little prompt at the beginning and you specify this TargetUserName.

Now, there are wildcards, so if we just do this... I believe the wildcard in XPath is a star; I could be wrong on this. Yes, so I'm not sure if it actually allows you to do wildcards or not in XPath, I could be totally wrong on that, but let me just see if this works. Yeah, so I don't think that you could do wildcards. But even then, having that variable to add into your search definitely really, really helped, and of course if you wanted a wildcard you might not really even need this TargetUserName, so that's what I would probably do.

Now, of course, there are a lot of resources online for XPath. I am definitely not an XPath expert; I just kind of know how to do the XPath filters on Event Viewer. But there are a lot of other uses for XPath in different things; for example, you can use it in Selenium for web automation, as we've seen in our video, and all we did back then was just copy the XPath from our developer tools. So those are all different uses of XPath, and there are a lot of different operators you can use in XPath, but that is, I would say, probably one of the most versatile ways to do searches in the Event Viewer: definitely Get-WinEvent with a -FilterXPath. It's fairly easy to build out.

We'll be taking a look at -FilterHashtable in the next video; that one is just using a hashtable that you build out in PowerShell and then apply to Get-WinEvent, similarly to how you would do the -FilterXml. But I just wanted to really do the XML and XPath together, because they kind of go hand in hand: if we look at this rule here, Event, System, Provider @Name, EventID, and we go into the XML, it is a very, very similar query. So if you ever struggle with how to do your XPath, if you do the XML query and look at that Select path, it could probably give you a lot of hints on how to actually handle your XPath and create your XPath.

So that's pretty much it for Get-WinEvent with -FilterXml and -FilterXPath. If you guys have any questions or any comments, leave them down below, hit the like button and the subscribe button, hit that notification bell to be notified when the next video comes out, and I will see you on the next video.
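The two filters the video builds, in one script added here as an example (not the video's own code). It assumes an elevated PowerShell session on a host whose Security log is readable, keeps the Properties indices the video found for event 4625 (5 TargetUserName, 6 TargetDomainName, 13 WorkstationName, 19 IpAddress), and adds three things a practitioner would want: the millisecond window computed rather than typed, a check on the user name before it is spliced into the XPath (a quote or bracket in the value would change the query), and a name-based lookup of the EventData fields through ToXml() beside the positional one. The function names `New-FailedLogonXPath`, `New-FailedLogonQueryXml`, `Get-EventDataValue` and `Get-FailedLogon` are my own.

```powershell
# Added example, not the video's script. Assumes an elevated session and a
# readable Security log; index positions are the ones the video observed for 4625.

# Windows event XPath measures timediff() in milliseconds: 1 h = 60 * 60 * 1000.
function Get-WindowMilliseconds {
    param([int]$Hours = 1)
    return $Hours * 60 * 60 * 1000      # 1 hour -> 3600000
}

# Same XPath the video ends up with, plus an optional TargetUserName clause.
function New-FailedLogonXPath {
    param([int]$Hours = 1, [string]$UserName)
    $ms = Get-WindowMilliseconds -Hours $Hours
    $system = "System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625 and TimeCreated[timediff(@SystemTime) <= $ms]]"

    if ($UserName) {
        # The value is spliced into the query text. A quote or bracket in it would
        # alter or break the filter, so admit only account-name characters.
        if ($UserName -notmatch '^[A-Za-z0-9 ._$-]+$') {
            throw "Refusing to build an XPath filter from user name '$UserName'."
        }
        return "*[$system and EventData[Data[@Name='TargetUserName']='$UserName']]"
    }
    return "*[$system]"
}

# The -FilterXml form is the same XPath inside the QueryList the Event Viewer
# emits; the '<' in the timediff comparison must be escaped because it sits in
# XML element text (the Event Viewer writes it as &lt;= too).
function New-FailedLogonQueryXml {
    param([string]$XPath)
    $escaped = [System.Security.SecurityElement]::Escape($XPath)
    return @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$escaped</Select>
  </Query>
</QueryList>
"@
}

# Name-based lookup: read a field by its Data Name attribute instead of by
# position, so a different event schema cannot silently hand back the wrong column.
function Get-EventDataValue {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record,
        [string]$Name
    )
    $xml  = [xml]$Record.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    return $node.'#text'
}

function Get-FailedLogon {
    param([int]$Hours = 1, [string]$UserName, [switch]$UseXml)

    $xpath = New-FailedLogonXPath -Hours $Hours -UserName $UserName
    # Get-WinEvent reports "no events found" as an error rather than an empty
    # result; suppress it so a quiet hour does not abort a scheduled run.
    if ($UseXml) {
        $records = Get-WinEvent -FilterXml (New-FailedLogonQueryXml -XPath $xpath) -ErrorAction SilentlyContinue
    } else {
        $records = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
    }

    foreach ($record in $records) {
        # Positional read (as in the video) and name-based read side by side;
        # IndexMatches turning $false is the signal that the indices have drifted.
        $byIndex = $record.Properties[5].Value
        $byName  = Get-EventDataValue -Record $record -Name 'TargetUserName'
        [PSCustomObject]@{
            TimeCreated    = $record.TimeCreated
            UsernameTried  = $byName
            DomainTried    = Get-EventDataValue -Record $record -Name 'TargetDomainName'
            ClientNameFrom = Get-EventDataValue -Record $record -Name 'WorkstationName'
            ClientIpFrom   = Get-EventDataValue -Record $record -Name 'IpAddress'
            IndexMatches   = ($byIndex -eq $byName)
        }
    }
}

# Usage (elevated prompt):
#   Get-FailedLogon -Hours 24 | Group-Object UsernameTried | Sort-Object Count -Descending
#   Get-FailedLogon -UserName (Read-Host 'Enter the username to search for')
#   Get-FailedLogon -UseXml | Select-Object TimeCreated, UsernameTried, ClientIpFrom
#   Measure-Command { Get-FailedLogon -Hours 1 | Out-Null }
```

The user-name check matters because the prompt-driven version in the video concatenates whatever was typed straight into the XPath; the name-based lookup is the safer default when the same script is later pointed at a different event ID, whose Properties are in a different order.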
Info
Channel: JackedProgrammer
Views: 4,277
Keywords: powershell basics, powershell, windows powershell, programming, coding, scripting, powershell scripting, powershell scripting tutorial, powershell tutorial, event viewer, event logs, get-eventlog, log, events, xml, xpath, filter by xml, filter by xpath
Id: TJNoAq7of2s
Length: 27min 58sec (1678 seconds)
Published: Thu Jan 27 2022