PowerShell script to retrieve security-related events

Configurare noua (How To)

Situatie

PowerShell script to retrieve security-related events from the Windows Event Log, specifically from the Security log.

# Define the log name and security-related event IDs (adjust as needed)
$logName = “Security”
$securityEventIDs = @(4624, 4625, 4672, 4688, 4634, 4648, 4768, 4776) # Common security event IDs

# Get security events from the Windows Event Log
$securityEvents = Get-WinEvent -LogName $logName -MaxEvents 50 | Where-Object { $_.Id -in $securityEventIDs }

# Display the results
if ($securityEvents) {
foreach ($event in $securityEvents) {
Write-Output “———————————-”
Write-Output “Time: $($event.TimeCreated)”
Write-Output “Event ID: $($event.Id)”
Write-Output “Message: $($event.Message)”
}
} else {
Write-Output “No security events found.”
}

Event ID Description
4624 Successful login
4625 Failed login
4672 Special privileges assigned (admin logins)
4688 A new process was created
4634 Logoff event
4648 Explicit credential logon (RunAs)
4768 Kerberos authentication (TGT request)
4776 NTLM authentication attempt

Solutie

Tip solutie

Permanent

Voteaza

(8 din 12 persoane apreciaza acest articol)

Despre Autor

Leave A Comment?