Read specific Event Ids from the Security eventlog

#@
#Event ID     What it means
#4618     A monitored security event pattern has occurred.
#4649     A replay attack was detected. May be a harmless false positive due to misconfiguration error.
#4765     SID History was added to an account.
#4766     An attempt to add SID History to an account failed.

#4794     An attempt was made to set the Directory Services Restore Mode.
#4897     Role separation enabled
#4964     Special groups have been assigned to a new logon.
#5124     A security setting was updated on the OCSP Responder Service
#4624     Successful account log on
#4625     Failed account log on
#4634     An account logged off
#4648     A logon attempt was made with explicit credentials
#4719     System audit policy was changed.
#4964     A special group has been assigned to a new log on
#1102     Audit log was cleared. This can relate to a potential attack
#4720     A user account was created
#4722     A user account was enabled
#4723     An attempt was made to change the password of an account
#4725     A user account was disabled
#4728     A user was added to a privileged global group
#4732     A user was added to a privileged local group
#4756     A user was added to a privileged universal group
#4738     A user account was changed
#4740     A user account was locked out
#4767     A user account was unlocked
#4735     A privileged local group was modified
#4737     A privileged global group was modified
#4755     A privileged universal group was modified
#4772     A Kerberos authentication ticket request failed
#4777     The domain controller failed to validate the credentials of an account.
#4782     The password hash of an account was accessed
#4616     System time was changed
#4657     A registry value was changed
#4697     An attempt was made to install a service
#4698, 4699, 4700, 4701, 4702     Events related to Windows scheduled tasks being created, modified, deleted, enabled or disabled
#4946     A rule was added to the Windows Firewall exception list
#4947     A rule was modified in the Windows Firewall exception list
#4950     A setting was changed in Windows Firewall
#4954     Group Policy settings for Windows Firewall have changed
#5025     The Windows Firewall service has been stopped
#5031     Windows Firewall blocked an application from accepting incoming traffic
#5152, 5153     A network packet was blocked by Windows Filtering Platform
#5155     Windows Filtering Platform blocked an application or service from listening on a port
#5157     Windows Filtering Platform blocked a connection
#5447     A Windows Filtering Platform filter was changed

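# Pull the last 24 hours of selected Security-log events and print them sorted by ID.
# Reading the Security log needs elevated rights (Administrator or membership in
# the Event Log Readers group); with fewer rights Get-EventLog returns an error.
# $cvar1 / $cvar2 keep their original names so anything pasted after this
# snippet that refers to them still works.
$cvar1 = Get-Date
$cvar2 = $cvar1.AddDays(-1)

# Event IDs to report. The original inline list contained 4766 and 4964 twice;
# duplicates are removed here, the set of IDs is unchanged. Successful logon /
# logoff / explicit-credential events (4624, 4634, 4648) are deliberately left
# out because of their volume; see the commented variant further down.
$eventIds = @(
  1102,
  4616, 4618, 4625, 4649, 4657, 4697, 4698, 4699, 4700, 4701, 4702,
  4719, 4720, 4722, 4723, 4725, 4728, 4732, 4735, 4737, 4738, 4740,
  4755, 4756, 4765, 4766, 4767, 4772, 4777, 4782, 4794, 4897, 4946,
  4947, 4950, 4954, 4964,
  5025, 5031, 5124, 5152, 5153, 5155, 5157, 5447
)

# NOTE: Get-EventLog exists only in Windows PowerShell (5.1 and earlier); on
# PowerShell 7+ use Get-WinEvent with -FilterHashtable instead.
# The comparison is against InstanceId, as in the original. For Security-log
# events this normally matches EventID; if the output looks wrong, compare
# against $_.EventID as well.
Get-EventLog -LogName Security -After $cvar2 |
  Where-Object { $_.InstanceId -in $eventIds } |
  Sort-Object -Property InstanceId |
  Format-Table -AutoSize

# Variant that also includes successful logons/logoffs (4624, 4634, 4648).
#Get-EventLog -LogName Security -After $cvar2 | Where-Object { $_.InstanceId -in ($eventIds + @(4624, 4634, 4648)) } | Sort-Object -Property InstanceId | Format-Table -AutoSize

# Variant to check a single ID at a time (replace 4625 with the ID of interest).
#Get-EventLog -LogName Security -After $cvar2 | Where-Object { $_.InstanceId -in @(4625) } | Sort-Object -Property InstanceId | Format-Table -AutoSize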
