Format-BluGenieEvent

SYNOPSIS

Format a Windows System Event Log with new properties from the Message field

SYNTAX

Format-BluGenieEvent [[-Logname] <String>] [[-Schema] <String>] [-NoMsgPrefix] [-ClearGarbageCollecting] [-Export] [[-ExportPath] <String>] [[-ExcludeFilter] <String>] [-RemoveCache] [[-DBName] <String>] 
[[-DBTableName] <String>] [[-DBPath] <String>] [-Walkthrough] [-ReturnObject] [-OutUnEscapedJSON] [-OutYaml] [-OutJSON] [-PropsOnly] [[-EQLQuery] <String>] [[-SQLQuery] <String>] [-ForceEQLGenericQuery] [-Save] 
[[-SavePath] <String>] [[-UseInputFile] <String>] [[-MaxEvents] <Int32>] [[-ID] <String>] [[-AppendEventHash] <String>] [[-FormatView] <String>] [<CommonParameters>]

DESCRIPTION

Format a Windows System Event Log with new properties from the Message field

An Event has a Message that is one big string. This function will parse that information and convert any valid line item into a new Object Property and bind it back to the original PsObject.

You can parse any property table name via PowerShell, EQL, and SQL Queries

EXAMPLES

EXAMPLE 1

Command: Get-WinEvent -filterhashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=10} -MaxEvents 1 | Select-Object -Property * | Convertto-Yaml

Description: This command will show what a normal event will look like using the Get-WinEvent command
Notes: We are pulling the SysMon Operational Event Data.  This will only work if you have SysMon Events being logged

EXAMPLE 2

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -MaxEvents 1 -ID 10 -OutYaml

Description:  This command will return an Event with new properties named with a prefix (Msg) based on what is parsed from the (Message) field of the event
Notes: The Properties property is also updated with the Names and Values of the Message field

EXAMPLE 3

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -MaxEvents 1 -ID 10 -Schema 'C:\Source\SysMon.Schema' -OutYaml

Description: This command will return an Event with properties remapped based on the Schema file selected
Notes:

EXAMPLE 4

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -MaxEvents 1 -ID 10 -NoMsgPrefix -OutYaml

Description: This command will return an Event with the Message Properties appended to the Original Events Property Table without a (Msg) Prefix
Notes:

EXAMPLE 5

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10 -ID 10 -PropsOnly -ReturnObject -FormatView JSON

Description: This command will return an Events Message Properties and Values only.  All the Normal PowerShell Property Tables are removed
Notes: The return is formated as JSON which looks identical to the output needed for EQL to work.

EXAMPLE 6

Command: Format-BluGenieEvent -Event 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 10 -ID 1013 -ReturnObject -OutJSON -PropsOnly

Description: This command will return Event Properties for Windows Defender ID 1013
Notes: This shows that not all properties from the Event Message are valuable, which is why you would pull all properties for this Event ID.

EXAMPLE 7

Command: Format-BluGenieEvent -Event 'Microsoft-Windows-Windows Defender/Operational' -ID 1000 -MaxEvents 1 -ReturnObject -NoMsgPrefix

Description: This command will return all Event Properties for Windows Defender ID 1000 including the Message Properties
Notes:

EXAMPLE 8

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -ID 10 -MaxEvents 2 -PropsOnly -ExportPath C:\Source\SysMon_PoshPull.json -OutYaml

Description: This command will export the Event Properties to a JSON file
Notes:

EXAMPLE 9

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -ID 1 -UseInputFile C:\Windows\Temp\BGSysMonEventBackup.evtx -ReturnObject -PropsOnly

Description: This command will query a Windows Evnet Log backp file instead of the Widnows Event Log
Notes: Currently this only supports 1 Input file at a time.  You can use an backup Windows Event in EVT, EVTX, and JSON format.

EXAMPLE 10

Command: Format-BluGenieEvent -UseInputFile 'Last:' -PropsOnly -OutYaml -EQLQuery "process where process_name in ('wsl.exe')"

Description: This command will query a Windows Event Log backup file using the last saved JSON file Format-BGEvent created.
Notes:

EXAMPLE 11

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -ID 1 -MaxEvents 1000 -PropsOnly -EQLQuery "process where process_name in ('powershell_ise.exe')" -OutYaml

Description: This command will filter 1000 SysMon Event 1 ID's and parse the return using EQL and an EQLQuery as a string
Notes:

EXAMPLE 12

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -ID 1 -MaxEvents 1000 -PropsOnly -EQLQuery "file:C:\Source\EQLQuery_Parse_Process_Name_for_PowerShell_ise.exe.eql" -OutYaml

Description: This command will filter 1000 SysMon Event 1 ID's and parse the return using EQL and an EQLQuery from a file
Notes:

EXAMPLE 13

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -ID 1 -MaxEvents 1000 -PropsOnly -EQLQuery "process where process_name in ('notepad++.exe')" -OutYaml -RemoveCache

Description: This command will filter 1000 SysMon Event 1 ID's and parse the return using EQL.  The search is for Notepad++.exe and all Cached .JSON files for EQL will be removed.
Notes:

EXAMPLE 14

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" ID 3 -MaxEvents 1000 -PropsOnly -EQLQuery "network where process_name == '*code.exe'"

Description: This command will filter 1000 SysMon Event 3 ID's and parse the return using EQL.  The search is for VSCode.exe and uses EQL's built in schema names
Notes:

EXAMPLE 15

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -ID 3 -MaxEvents 1000 -PropsOnly -EQLQuery "generic where Image == '*code.exe'" -ForceEQLGenericQuery

Description: This command will filter 1000 SysMon Event 3 ID's and parse the return using EQL.  This Query will use the EQL Generic process names
Notes:

EXAMPLE 16

Command: Format-BluGenieEvent -Event "Microsoft-Windows-Sysmon/Operational" -ID 3 -MaxEvents 1000 -PropsOnly -OutYaml -EQLQuery "generic where process_name == '*code.exe'" -ForceEQLGenericQuery -Schema .\Blubin\Modules\BluGenie\Configs\Schema\SysMon_ID3.Schema

Description: This command will filter 1000 SysMon Event 3 ID's and parse the return using EQL.  This Query will use the EQL schema process names but uses the -Schema switch to remap the Properties names
Notes:

EXAMPLE 17

Command: Format-BluGenieEvent -Event "Security" -ID 4688 -MaxEvents 1000 -OutYaml -DBPath C:\Source -SQLQuery "SELECT * FROM FormatBGEvent WHERE MsgNewProcessName LIKE '%GoogleUpdate.exe'"

Description: This command will filter 1000 Security Event 4688 ID's and parse the return using SQL.  The search is for a New Process Name being created called GoogleUpdate.exe.  The SQL Query is (String Text Based) and the DB is Cached to Disk
Notes:

EXAMPLE 18

Command: Format-BluGenieEvent -Event "Security" -ID 4688 -MaxEvents 1000 -OutYaml -DBPath C:\Source -SQLQuery 'file:C:\Source\WHERE_MsgNewProcessName_LIKE_GoogleUpdate.exe.sql'

Description: This command will Run a SQL Query using a File
Notes:

EXAMPLE 19

Command: Format-BluGenieEvent -Event "Security" -ID 4688 -MaxEvents 1000 -OutYaml -SQLQuery "SELECT * FROM FormatBGEvent WHERE MsgNewProcessName LIKE '%GoogleUpdate.exe'"

Description: This command will Run a SQL Query and process the DB in Memory
Notes:

EXAMPLE 20

Command: Format-BluGenieEvent -Event "Security" -ID 4688 -MaxEvents 1000 -OutYaml -PropsOnly -SQLQuery "SELECT * FROM FormatBGEvent WHERE NewProcessName LIKE '%GoogleUpdate.exe'"

Description: This command will filter (Message Properties Only) and parse the data using a SQL Query
Notes:

EXAMPLE 21

Command: Format-BluGenieEvent -Event "Security" -ID 4688 -MaxEvents 1000 -ReturnObject -PropsOnly -SQLQuery "SELECT * FROM FormatBGEvent WHERE NewProcessName LIKE '%GoogleUpdate.exe'"

Description: This command will returned data as an Object(s) while parsing data using a SQL Query
Notes:

EXAMPLE 22

Command: Format-BluGenieEvent -Event "Security" -ID 4688 -MaxEvents 1000 -OutYaml -DBPath C:\Source -SQLQuery "SELECT * FROM FormatBGEvent WHERE MsgNewProcessName LIKE '%GoogleUpdate.exe'"

Description: This command will remove the Cached DB from the local disk after the Query
Notes:

EXAMPLE 23

Command: Format-BluGenieEvent -Help

Description: Call Help Information
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter

EXAMPLE 24

Command: Format-BluGenieEvent -WalkThrough

Description: Call Help Information [2]
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter

PARAMETERS

Logname

-Logname <String>
   Description: The Event Log Name
   Notes: Same to command (Get-WinEvent)
   Alias: Event
   ValidateSet:
   
   Required?                    false
   Position?                    1
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

Schema

-Schema <String>
   Description: Use a Schema file to change or remap any property name in any Windows Event your trying to Query
   Notes: Schema is in ( YAML ) Format
           Sample:
               Property_Name: New_Property_Name
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    2
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

NoMsgPrefix

-NoMsgPrefix [<SwitchParameter>]
   Description: By Default the Event Message content is parsed and all properties have a Prefix called (Msg).  This option will force the
   normal propery names without (Msg).
   Notes:  By forcing the default name you could possibly overwrite normal event properties with content from the message information
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ClearGarbageCollecting

-ClearGarbageCollecting [<SwitchParameter>]
   Description: Garbage Collection in Powershell to Speed up Scripts and help lower memory consumption
   Notes: This is enabled by default.  To disable use -ClearGarbageCollecting:$False
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

Export

-Export [<SwitchParameter>]
   Description: Enable the Export of Filtered data for later use
   Notes:  This is automatically set to true if -EQLQuery is used.
   Alias: Sv
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ExportPath

-ExportPath <String>
   Description: The Path to Export / Save parsed event data to the local disk
   Notes: Default is $env:systemdrive\Windows\Temp\BGFE_<GUID>.json.  If this is changed (Make Sure) the Ext is (.json).  There is no code
   validation on the path and filename.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    3
   Default value                $('{0}\Windows\Temp\BGFE_{1}.json' -f $env:SystemDrive, $(New-BluGenieUID))
   Accept pipeline input?       false
   Accept wildcard characters?  false

ExcludeFilter

-ExcludeFilter <String>
   Description: Use an ExcludeFilter Yaml file to remove items that you do not want to include in the Event Search.
   Notes: ExcludeFilter  is in ( YAML ) Format
           Sample:
               - Name: Image
                 Value: notepad\+\+\.exe
               - Name: Image
                 Value: NppLauncher\.exe
               - Name: Image
                 Value: eqllib\.exe
               - Name: CommandLine
                 Value: json
   Alias:
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    4
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

RemoveCache

-RemoveCache [<SwitchParameter>]
   Description: Remove Cache data on completion
   Notes: Cache information is removed right before the data is returned to the calling process
       Items Removed:
           - JSON Output for EQL Query
           - SQLite DB if you do not use the -DBPath = ':MEMORY:' parameter.  Note: The DB in memory is the default option for SQL
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

DBName

-DBName <String>
   Description: Database name used when parsing using SQL and Setting the DBPath to a local disk path
   Notes: The default name is "BluGenie"
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    5
   Default value                BluGenie
   Accept pipeline input?       false
   Accept wildcard characters?  false

DBTableName

-DBTableName <String>
   Description: Database table name when parsing using SQL.
   Notes:  The default name is 'FormatBGEvent'
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    6
   Default value                FormatBGEvent
   Accept pipeline input?       false
   Accept wildcard characters?  false

DBPath

-DBPath <String>
   Description: Database Path when parsing using SQL
   Notes: The default path is located in memory (:MEMORY:)
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    7
   Default value                :MEMORY:
   Accept pipeline input?       false
   Accept wildcard characters?  false

Walkthrough

-Walkthrough [<SwitchParameter>]
   Description:  Start the dynamic help menu system to help walk through the current command and all of the parameters
   Notes:
   Alias: Help
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ReturnObject

-ReturnObject [<SwitchParameter>]
   Description: Return information as an Object
   Notes: By default the data is returned as a Hash Table
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

OutUnEscapedJSON

-OutUnEscapedJSON [<SwitchParameter>]
   Description: Remove UnEsacped Char from the JSON information.
   Notes: This will beautify json and clean up the formatting.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

OutYaml

-OutYaml [<SwitchParameter>]
   Description: Return detailed information in Yaml Format
   Notes: Only supported in Posh 3.0 and above
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

OutJSON

-OutJSON [<SwitchParameter>]
   Description: Return detailed information in JSON Format
   Notes: Only supported in Posh 3.0 and above
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

PropsOnly

-PropsOnly [<SwitchParameter>]
   Description: Used to only parse and display the Properties of an Event Message field.  No other event data will be captured.
   Notes: All Event messages properties begin with a title name followed by (:).
           Example (ProcessName: PowerShell_ISE.exe)
           (ProcessName) would be the name of the Property
           (PowerShell_ISE.exe) would be the assigned value
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

EQLQuery

-EQLQuery <String>
   Description: Use EQL Queries to parse the data
   Notes: To use a file instead of a Query String Type "file:<Full_File_Path>" Example: "file:C:\Windows\Temp\Query_4689_.eql"
           file: tells the Query to grab the content from a file.  The file extention can be anything.  The file is always treated as TEXT.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    8
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

SQLQuery

-SQLQuery <String>
   Description: Use SQL Queries to parse the data
   Notes: To use a file instead of a Query String Type "file:<Full_File_Path>" Example: "file:C:\Windows\Temp\Query_4689_.eql"
           file: tells the Query to grab the content from a file.  The file extention can be anything.  The file is always treated as TEXT.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    9
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

ForceEQLGenericQuery

-ForceEQLGenericQuery [<SwitchParameter>]
   Description: Force an EQL Generic Query even if EQL has a known Schema type
   Notes: By default BG will automatically determine if EQL has a known Schema. This should be used if you are looking for SysMon Events
   that don't have tracked ID's by EQL.  Currently only ID 1, 3, 5, 7, 11, 12, 13, 14 and 15 are known SysMon EQL managed events.
   Alias: FEGQ
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

Save

-Save [<SwitchParameter>]
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

SavePath

-SavePath <String>
   
   Required?                    false
   Position?                    10
   Default value                $('BGFE_{0}\Windows\Temp\{1}.json' -f $env:SystemDrive, $(New-BluGenieUID))
   Accept pipeline input?       false
   Accept wildcard characters?  false

UseInputFile

-UseInputFile <String>
   Description: Force Query from a previously saved file and not the Windows Event Log
   Notes:  You can use JSON, EVT or EVTX files.  If you type in "Last:", this will search for the last saved
   BGFE_<GUID>.json file from the default save location $env:systemdrive\Windows\Temp
   
           o JSON files cannot be filtered with the FilterHashTable.  They can only be filtered by EQL and SQL Queries.
           o EVT & EVTX backup log files can be filtered using the FilterHashTable Query String
   Alias: FIL
   ValidateSet:
   
   Required?                    false
   Position?                    11
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

MaxEvents

-MaxEvents <Int32>
   
   Required?                    false
   Position?                    12
   Default value                0
   Accept pipeline input?       false
   Accept wildcard characters?  false

ID

-ID <String>
   Description: Query for a specific Event ID
   Notes:
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    13
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

AppendEventHash

-AppendEventHash <String>
   Description: Query based on more Event Filter Hash Table information
   Notes: The Default is LogName, and ID
           Example: -AppendEventHash 'ProviderName="Application Error"; Data="iexplore.exe"'
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    14
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

FormatView

-FormatView <String>
   Description: Automatically format the Return Object
   Notes: Yaml is only supported in Posh 3.0 and above
   Alias:
   ValidateSet: 'Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml'
   
   Required?                    false
   Position?                    15
   Default value                None
   Accept pipeline input?       false
   Accept wildcard characters?  false

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

PreviousExpand-BluGenieArchivePS2 NextGet-BluGenieADGroupMembers

Last updated 3 years ago