Comments on Eric Conrad: Long Tail Analysis of Windows Event Logs (comment feed, last updated 2024-01-04)

Comment by Maxiaa (https://www.blogger.com/profile/11195463067297423390), 2015-05-26:

Hey Eric,

Just been playing with this a bit and I found out the following after some Google time, thought I'd share since I've found it useful:

    $logSource = 'Security'

    # Group the Security log by InstanceId (the event ID), then emit one row per
    # event ID with its count and the first line of a representative message.
    Get-EventLog $logSource |
        Group-Object InstanceId |
        ForEach-Object {
            $count = $_.Count
            $_.Group[0] |
                Select-Object InstanceId,
                    @{ Name = 'Count';   Expression = { $count } },
                    @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
        } |
        Sort-Object Count |
        Format-Table -AutoSize

    InstanceId Count Message
    ---------- ----- -------
          5154     1 The Windows Filtering Platform has permitted an application or service to listen on a port for inco...
          4658     2 The handle to an object was closed....
          4696     8 A primary token was assigned to process....
          4656     9 A handle to an object was requested....
          4702    16 A scheduled task was updated....
          4985    36 The state of a transaction has changed....
          5157   101 The Windows Filtering Platform has blocked a connection....
          5152   123 The Windows Filtering Platform blocked a packet....
          5156  1713 The Windows Filtering Platform has allowed a connection....
          5158  3365 The Windows Filtering Platform has permitted a bind to a local port....
          4689 24424 A process has exited....
          4688 24425 A new process has been created....

It adds the extra message field, so it gives you an idea what you are dealing with quite easily. Also, I can see this "as-is" being better for SIEM or dashboard consumption...