#####aid_begin
#description: event query - query the windows event system log for 104, 517, 1102
#id: aid2201232238
#processtype: query
#category: eventlog
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# windows 7
# windows 8.*
# windows 10
# windows 11
# windows server 2008 r2
# windows server 2012
# windows server 2012 r2
# windows server 2016
# windows server 2019
#compatibleengine: |-
# powershell 2
# powershell 3
# powershell 4
# powershell 5.*
# powershell 7.*
#bgcommandlist: |-
# format-bgevent
# 1) get the windows event log event where id 104, 517, 1102
#notes: |-
# query the windows event system log.
# o event source: System
# o schema used: "sysmon.schema"
# o event dataset: "System"
# o eventid's: '104, 517, 1102'
#####aid_end
commands:
- Format-BGEvent -Logname System -ID '104,517,1102' -MaxEvents 1000
