How to replace Filter Origin in this PowerShell command with Windows Firewall's display name?
Get-WinEvent -FilterHashtable @{ LogName="Security"; Id=5152; } | ? { $_.Message -like "*Outbound*" -and -not($_.message -like "*ICMP*")} | select Message | ft -wrap
Found that in here, after running it, the results look like this:
filter origin has this ID which is Firewall's unique name but I want to see a more user friendly name so I can understand immediately which Firewall rule, based on its display name that I set, blocked this connection.
Update:
I want to do something like this. but it doesn't work like this and I need help fixing it. basically, I want to keep the same output format that the original script shows and only replace things like this {a42a62ec-83d9-4ab5-9d54-4dbd20cfab17} with their display name.
$data = (Get-WinEvent -FilterHashtable @{ LogName="Security"; Id=5152; } |
? { $_.Message -like "*Outbound*" -and -not($_.message -like "*ICMP*")}).message
$data -replace "(?<=Filter Origin:[^{]+){.+?}",{(Get-NetFirewallRule -Name $Matches[0]).DisplayName}
Did a quick google search and saw this documentation on troubleshooting firewalls, and it points to Get-NetFireWallRule being able to get the display name from the ID. That said, you can use some handy RegEx of (?<=Filter Origin:[^{]+){.+?} to get the unique ID and query its friendly name:
Get-WinEvent -FilterHashtable @{ LogName="Security"; Id=5152; } |
? { $_.Message -like "*Outbound*" -and $_.Message -notlike "*ICMP*" } |
Select TimeCreated, @{
Name = 'Msg'
Expression = {
if ($_.Message -match ($pattern = '(?<=Filter Origin:[^{]+){.+?}'))
{
$_.Message -replace $pattern, (Get-NetFirewallRule -Name $Matches[0]).DisplayName
}
else
{
$_.Message
}
}
} | Ft -Wrap
Placing it inside an if statement allows it to leave the message alone if no match was found for patterns that may be the unique ID. See RegEx101 for more info on the pattern itself.
- Connecting to remote server failed using WinRM from PowerShell
- VB.net string comparison with Powershell return output
- Laravel 4 + Iron: How to register a queue?
- PowerShell only accept Int
- "Run with PowerShell" gives execution policy error but running directly in PowerShell window does not
- How do I automatically create and use variable names?
- Loop through variables not through an Array
- Why and how are these two $null values different?
- Create file inside over 260 characters folder via AlphaFS module
- Install winget by the command line (powershell)
- PowerShell - ConvertTo-Json how to get ndjson result
- Getting a free drive letter
- Why does a PowerShell script not end when there is a non-zero exit code using the call operator?
- Calculating SHA1 hash algorithm in PowerShell V2.0
- bash script maybe syntax error not sure trying a until loop
- Powershell script is not efficient
- HTTP PUT a file in Powershell and capture response body?
- How to run a PowerShell script as a job in Jenkins
- POWERSHELL Forms: How to change button colors (fore- and backColor) on mouseover
- PowerShell - Get Reference to an dynamic created button
- I want to create a persistent mapped network drive with FTP
- How can I extract "Path to executable" of all services with PowerShell
- Init Script on databricks
- Az.cmd closes immediately
- Method invocation failed because [System.__ComObject] does not contain a method named 'Close' in Powershell v4.0
- Doing a remote delete using powershell and seeing the results of the operation (success/fail+exception)
- Start-Process (pnpm run build) This command cannot be run due to the error: %1 is not a valid Win32 application
- Error when calling 3rd party executable from Powershell when using an IDE
- Failing Script to keep teams user available
- Non-Interactive - Get-MgUser : Insufficient privileges to complete the operation