Situatie
PowerShell script to retrieve security-related events from the Windows Event Log, specifically from the Security log.
# Define the log name and security-related event IDs (adjust as needed)
$logName = “Security”
$securityEventIDs = @(4624, 4625, 4672, 4688, 4634, 4648, 4768, 4776) # Common security event IDs
# Get security events from the Windows Event Log
$securityEvents = Get-WinEvent -LogName $logName -MaxEvents 50 | Where-Object { $_.Id -in $securityEventIDs }
# Display the results
if ($securityEvents) {
foreach ($event in $securityEvents) {
Write-Output “———————————-”
Write-Output “Time: $($event.TimeCreated)”
Write-Output “Event ID: $($event.Id)”
Write-Output “Message: $($event.Message)”
}
} else {
Write-Output “No security events found.”
}
| Event ID | Description |
|---|
| 4624 | Successful login |
| 4625 | Failed login |
| 4672 | Special privileges assigned (admin logins) |
| 4688 | A new process was created |
| 4634 | Logoff event |
| 4648 | Explicit credential logon (RunAs) |
| 4768 | Kerberos authentication (TGT request) |
| 4776 | NTLM authentication attempt |
Leave A Comment?