Tags: powershell, security, windows, event-viewer

How to filter Windows event security logs based on security ID (SID) and EventID using PowerShell


When I filter Windows Security logs by EventId and Security Id (SID) separately, I get the output. Now I want to merge the two filters. I want to filter by EventId and SID both. If SID is 'System' it should filter it out. How do I merge the two filters? Here is the code for filtering EventIds:

    Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" |
        where {$_.Id -eq 4624 -or $_.Id -eq 4634 -or $_.Id -eq 4778 -or $_.Id -eq 4779 -or $_.Id -eq 4608 -or $_.Id -eq 4609 -or $_.Id -eq 4800 -or $_.Id -eq 4801 -or $_.Id -eq 4802 -or $_.Id -eq 4803 -or $_.Id -eq 4688 -or $_.Id -eq 4689} |
        ?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} |
        select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserId   # EventLogRecord exposes UserId (a SID), not UserName

Here is the code for filtering based on SID:

    $out = @()   # initialise the collection before appending to it
    $out += Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" -FilterXPath '*[EventData[Data[@Name="SubjectUserSid"] = "S-1-5-21-1004336348-1383384898-1417001333-892045"]]' |
        ?{$_.TimeCreated -gt (Get-Date).AddHours(-1)} |
        select @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, @{Name="Source";Expression={$_."Id"}}, Message, UserId   # EventLogRecord exposes UserId (a SID), not UserName

Solution

  • It's just another calculated property you add to the first block. No reason for the separate code block.

    So, try this to get the combined data you are after. We just take your code as is and use the .NET Xml namespace to get the SID or any other item(s) you choose. You can of course filter as you like on the final collection.

    Clear-Host
    Get-WinEvent -path "C:\Windows\System32\winevt\Logs\Security.evtx" `
    | Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
    | Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
    | select  @{Name="TimeGenerated";Expression={$_."TimeCreated"}}, 
              @{Name="Source";Expression={$_."Id"}},
              @{Name="SubjectUserSidValue";Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},Message `
              -First 9 `
              | Format-table -AutoSize
    
    
    TimeGenerated        Source SubjectUserSidValue    Message                                                                      
    -------------        ------ -------------------    -------
    1/31/2018 5:27:16 AM   4634 S-1-5-18               An account was logged off....
    1/31/2018 5:27:16 AM   4624 S-1-0-0                An account was successfully logged on....
    1/31/2018 5:27:16 AM   4634 S-1-5-18               An account was logged off....
    1/31/2018 5:27:16 AM   4624 S-1-0-0                An account was successfully logged on....
    1/31/2018 5:27:07 AM   4634 S-1-5-18               An account was logged off....
    1/31/2018 5:27:07 AM   4624 S-1-0-0                An account was successfully logged on....
    1/31/2018 5:27:07 AM   4624 S-1-0-0                An account was successfully logged on....
    1/31/2018 5:26:31 AM   4634 S-1-5-21-3...          An account was logged off....
    1/31/2018 5:26:29 AM   4634 S-1-5-18               An account was logged off....
    

    Update as per OP's additional question

    This is what you can grab by array position from the XML.

    Name                      #text                          
    ----                      -----                          
    SubjectUserSid            S-1-5-18                       
    SubjectUserName           2012DC$                        
    SubjectDomainName         CONTOSO                        
    SubjectLogonId            0x3e7                          
    TargetUserSid             S-1-0-0                        
    TargetUserName            postanote                        
    TargetDomainName          CONTOSO                        
    Status                    0xc000015b                     
    FailureReason             %%2308                         
    SubStatus                 0x0                            
    LogonType                 4                              
    LogonProcessName          Advapi                         
    AuthenticationPackageName Negotiate                      
    WorkstationName           2012DC                         
    TransmittedServices       -                              
    LmPackageName             -                              
    KeyLength                 0                              
    ProcessId                 0x390                          
    ProcessName               C:\Windows\System32\svchost.exe
    IpAddress                 -                              
    IpPort                    -
    

    So, updating the script becomes...

    Clear-Host
    Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
    | Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
    | Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
    | select  @{Name='TimeGenerated';Expression={$_.'TimeCreated'}}, 
              @{Name='Source';Expression={$_.'Id'}},
              @{Name='SubjectUserSidValue';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
              @{Name='TargetUserName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
              @{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
              -First 100 `
              | Format-table -AutoSize
    

    Updating again to reflect the OP's next question...

    As per your last question/request, for the other values the update becomes this.

    How to collect the full info before parsing...

    $Event = Get-WinEvent ...
    $Event | Select -Property *
    $EventXML = [xml]$Event.ToXml()
    $EventXML.Event.EventData.Data
    
    
    Clear-Host
    Get-WinEvent -path 'C:\Windows\System32\winevt\Logs\Security.evtx' `
    | Where {$_.Id -match '4624|4634|4778|4779|4608|4609|4800|4801|4802|4803|4688|4689'} `
    | Where {$_.TimeCreated -gt (Get-Date).AddHours(-1)} `
    | select  @{Name='TimeGenerated';Expression={$_.'TimeCreated'}}, 
            @{Name='EventID';Expression={$_.'Id'}},
            @{Name='TaskCategory';Expression={$_.'TaskDisplayName'}},
            @{Name='SubjectUserSid';Expression={([xml]$_.ToXml()).Event.EventData.Data[0].'#text'}},
            @{Name='AccountName';Expression={([xml]$_.ToXml()).Event.EventData.Data[1].'#text'}},
            @{Name='LogonProcessName';Expression={([xml]$_.ToXml()).Event.EventData.Data[11].'#text'}} `
            -First 9 `
            | Format-table -AutoSize
    
    
    
    TimeGenerated       EventID TaskCategory SubjectUserSid  AccountName LogonProcessName
    -------------       ------- ------------ --------------  ----------- ----------------
    2/2/2018 2:41:03 AM    4634 Logoff       S-1-5-21-376... spadmin
    2/2/2018 2:40:53 AM    4624 Logon        S-1-0-0         -           -
    2/2/2018 2:40:51 AM    4634 Logoff       S-1-5-21-376... SKY01$
    2/2/2018 2:40:37 AM    4634 Logoff       S-1-5-18        DC01$
    ...
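The answer adds the SID as a column but never applies the SID condition from the question, and it reads EventData by array position, which shifts between event IDs (for 4624 `Data[0]` is SubjectUserSid, for 4634 it is TargetUserSid, and 4778/4779 carry no SID at all). The following is an added example, not code from the question or the answer above: it pushes the EventID and time-window filter into one XPath, indexes EventData by its `Name` attribute, drops events whose SID is SYSTEM (S-1-5-18) and optionally keeps only one SID. The function name `Get-FilteredSecurityEvents`, the helper `Select-FirstRealValue` and the parameter names are assumptions of this example; the log path, event IDs and the specific SID are the ones from the question.

```powershell
function Select-FirstRealValue([hashtable]$Data, [string[]]$Names) {
    # Return the first of $Names whose value is present and not a placeholder
    # ('-' or the NULL SID S-1-0-0, both of which show up in the answer's output).
    foreach ($n in $Names) {
        $v = $Data[$n]
        if ($v -and $v -ne '-' -and $v -ne 'S-1-0-0') { return $v }
    }
}

function Get-FilteredSecurityEvents {
    # Hypothetical helper (example code, not from the original post).
    param(
        [string]   $LogPath     = 'C:\Windows\System32\winevt\Logs\Security.evtx',
        [int[]]    $EventIds    = @(4624,4634,4778,4779,4608,4609,4800,4801,4802,4803,4688,4689),
        [int]      $Hours       = 1,
        [string]   $OnlySid,                        # optional: keep only events for this SID
        [string[]] $ExcludeSids = @('S-1-5-18')     # NT AUTHORITY\SYSTEM, dropped as the question asks
    )

    # Let the event log service do the ID and time filtering instead of Where-Object:
    # *[System[(EventID=4624 or EventID=4634 ...) and TimeCreated[timediff(@SystemTime) <= ms]]]
    $idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    $windowMs = [int64]([timespan]::FromHours($Hours).TotalMilliseconds)
    $xpath    = "*[System[($idClause) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

    Get-WinEvent -Path $LogPath -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        # Index <Data Name="..."> elements by name; positions are not stable across event IDs.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $name = $d.GetAttribute('Name')
            if ($name) { $data[$name] = $d.'#text' }
        }
        # Prefer the account the event is about (Target*), fall back to the actor (Subject*).
        [pscustomobject]@{
            TimeGenerated = $_.TimeCreated
            EventID       = $_.Id
            TaskCategory  = $_.TaskDisplayName
            Sid           = Select-FirstRealValue $data @('TargetUserSid', 'SubjectUserSid')
            AccountName   = Select-FirstRealValue $data @('TargetUserName', 'SubjectUserName')
            LogonType     = $data['LogonType']
        }
    } | Where-Object {
        # Exclude SYSTEM; if a SID was requested, keep only that SID. Events with no SID
        # (e.g. 4608/4609, 4778/4779) survive only when no specific SID was requested.
        ($_.Sid -notin $ExcludeSids) -and ((-not $OnlySid) -or ($_.Sid -eq $OnlySid))
    }
}

# Last hour, all event IDs from the question, every SID except SYSTEM:
Get-FilteredSecurityEvents | Format-Table -AutoSize

# Same, restricted to the SID used in the question's XPath:
Get-FilteredSecurityEvents -OnlySid 'S-1-5-21-1004336348-1383384898-1417001333-892045' | Format-Table -AutoSize
```

Filtering by time inside the XPath (`timediff(@SystemTime)`) means the .evtx is not fully parsed into PowerShell objects before the first `Where-Object` runs, which matters on a large Security log; reading the EventData by name rather than `Data[n]` is what keeps the `Sid` and `AccountName` columns correct when the pipeline mixes 4624 and 4634 records. The output uses `-notin` and `[pscustomobject]`, so it needs PowerShell 3.0 or later.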