# Get-BluGenieAuditProcessTracking ### Get-BluGenieAuditProcessTracking ### SYNOPSIS Format a System Event Log with new properties from the Message field ### SYNTAX ``` Get-BluGenieAuditProcessTracking [[-QueryType] ] [[-Algorithm] ] [-Signature] [-OnDisk] [-ShowAllValues] [-ClearGarbageCollecting] [-UseCache] [[-CachePath] ] [-RemoveCache] [[-DBName] ] [[-DBPath] ] [-UpdateDB] [-ForceDBUpdate] [-NewDBTable] [-Walkthrough] [-ReturnObject] [-OutUnEscapedJSON] [-OutYaml] [[-FormatView] ] [] ``` ### DESCRIPTION Format a System Event Log with new properties from the Message field An Event has a Message that is one big string. The function will parse that information and convert any valid line item into a new Object Property and bind it back to the original Object. ### EXAMPLES #### EXAMPLE 1 ``` Command: Get-BluGenieAuditProcessTracking ``` ``` Description: This will return a Hash Table with a specific list of captured event Properties Notes: ``` #### EXAMPLE 2 ``` Command: Get-BluGenieAuditProcessTracking -ShowAllValues ``` ``` Description: This will return a Hash Table with all captured event Properties Notes: ``` #### EXAMPLE 3 ``` Command: Get-BluGenieAuditProcessTracking -ReturnObject ``` ``` Description: This will return a Object with a specific list of captured event Properties Notes: ``` #### EXAMPLE 4 ``` Command: Get-BluGenieAuditProcessTracking -QueryType OnCreated -Signature ``` ``` Description: This will return a Hash Table with a specific list of captured event Properties including the Authentication Information Notes: ``` #### EXAMPLE 5 ``` Command: Get-BluGenieAuditProcessTracking -UseCache ``` ``` Description: Cache found objects to disk to not over tax Memory resources Notes: By default the Cache location is %SystemDrive%\Windows\Temp ``` #### EXAMPLE 6 ``` Command: Get-BluGenieAuditProcessTracking -UseCache -RemoveCache ``` ``` Description: Remove Cache data Notes: By default the Cache information is removed right before the data is returned to the caller ``` #### EXAMPLE 7 ``` Command: Get-BluGenieAuditProcessTracking -UseCache -CachePath $Env:Temp ``` ``` Description: Change the Cache path to the current users Temp directory Notes: By default the Cache location is %SystemDrive%\Windows\Temp ``` #### EXAMPLE 8 ``` Command: Get-BluGenieAuditProcessTracking -UseCache -ClearGarbageCollecting ``` ``` Description: Scan large directories and limit the memory used to track data Notes: ``` #### EXAMPLE 9 ``` Command: Get-BluGenieAuditProcessTracking -Help ``` ``` Description: Call Help Information Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter ``` #### EXAMPLE 10 ``` Command: Get-BluGenieAuditProcessTracking -WalkThrough ``` ``` Description: Call Help Information [2] Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter ``` #### EXAMPLE 11 ``` Command: Get-BluGenieAuditProcessTracking -OutUnEscapedJSON ``` ``` Description: Return a detailed function report in an UnEscaped JSON format Notes: The OutUnEscapedJSON is used to Beautify the JSON return and not Escape any Characters. Normal return data is a Hash Table. ``` #### EXAMPLE 12 ``` Command: Get-BluGenieAuditProcessTracking -OutYaml ``` ``` Description: Return a detailed function report in YAML format Notes: The OutUnEscapedJSON is used to Beautify the JSON return and not Escape any Characters. Normal return data is a Hash Table. ``` #### EXAMPLE 13 ``` Command: Get-BluGenieAuditProcessTracking -ReturnObject ``` ``` Description: Return Output as a Object Notes: The ReturnObject is used to return a PowerShell Object. Normal return data is a Hash Table. This parameter is also used with the FormatView ``` #### EXAMPLE 14 ``` Command: Get-BluGenieAuditProcessTracking -ReturnObject -FormatView Yaml ``` ``` Description: Output PSObject information in Yaml format Notes: Current formats supported by default are ('Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml') Default is set to (None) and normal PSObject. ``` ### PARAMETERS #### QueryType ``` -QueryType Description: Specifies the type of Events to Query for Notes: The acceptable values for this parameter are: - OnCreated : Query On Created Events Only - OnExited : Query On Exited Events Only - OnAll = (Default) : Query On All Event types (Created and Exited) If no value is specified, or if the parameter is omitted, the default value is (OnAll). Alias: ValidateSet:'OnCreated','OnExited','OnAll' Required? false Position? 1 Default value OnAll Accept pipeline input? false Accept wildcard characters? false ``` #### Algorithm ``` -Algorithm Description: Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file. Notes: The acceptable values for this parameter are: - SHA1 - SHA256 - SHA384 - SHA512 - MACTripleDES - MD5 = (Default) - RIPEMD160 If no value is specified, or if the parameter is omitted, the default value is (MD5). Alias: ValidateSet:'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512' Required? false Position? 2 Default value MD5 Accept pipeline input? false Accept wildcard characters? false ``` #### Signature ``` -Signature [] Description: Validate Signature information of the process if the item is still on disk. Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### OnDisk ``` -OnDisk [] Description: Verify if the flagged process is still on disk Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### ShowAllValues ``` -ShowAllValues [] Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### ClearGarbageCollecting ``` -ClearGarbageCollecting [] Description: Garbage Collection in Powershell to Speed up Scripts and help lower memory consumption Notes: This is enabled by default. To disable use -ClearGarbageCollecting:$False Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### UseCache ``` -UseCache [] Description: Cache found objects to disk. This is to not over tax Memory resources with found artifacts Notes: By default the Cache location is %SystemDrive%\Windows\Temp Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### CachePath ``` -CachePath Description: Path to store the Cache information Notes: By default the Cache location is %SystemDrive%\Windows\Temp Alias: ValidateSet: Required? false Position? 3 Default value $('{0}\Windows\Temp\{1}.log' -f $env:SystemDrive, $(New-BluGenieUID)) Accept pipeline input? false Accept wildcard characters? false ``` #### RemoveCache ``` -RemoveCache [] Description: Remove Cache data on completion Notes: Cache information is removed right before the data is returned to the calling process Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### DBName ``` -DBName Description: Database Name (Without extention) Notes: The default name is set to 'BluGenie' Alias: ValidateSet: Required? false Position? 4 Default value BluGenie Accept pipeline input? false Accept wildcard characters? false ``` #### DBPath ``` -DBPath Description: Path to either Save or Update the Database Notes: The default path is $('{0}\BluGenie' -f $env:ProgramFiles) Example: C:\Program Files\BluGenie Alias: ValidateSet: Required? false Position? 5 Default value $('{0}\BluGenie' -f $env:ProgramFiles) Accept pipeline input? false Accept wildcard characters? false ``` #### UpdateDB ``` -UpdateDB [] Description: Save return data to the Sqlite Database Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### ForceDBUpdate ``` -ForceDBUpdate [] Description: Force an update of the return data to the Sqlite Database Notes: By default only new items are saved. The primary key is ( FullName ) Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### NewDBTable ``` -NewDBTable [] Description: Delete and Recreate the Database Table Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### Walkthrough ``` -Walkthrough [] Description: Start the dynamic help menu system to help walk through the current command and all of the parameters Notes: Alias: Help ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### ReturnObject ``` -ReturnObject [] Description: Return information as an Object Notes: By default the data is returned as a Hash Table Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### OutUnEscapedJSON ``` -OutUnEscapedJSON [] Description: Remove UnEsacped Char from the JSON information. Notes: This will beautify json and clean up the formatting. Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### OutYaml ``` -OutYaml [] Description: Return detailed information in Yaml Format Notes: Only supported in Posh 3.0 and above Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### FormatView ``` -FormatView Description: Automatically format the Return Object Notes: Yaml is only supported in Posh 3.0 and above Alias: ValidateSet: 'Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml' Required? false Position? 6 Default value None Accept pipeline input? false Accept wildcard characters? false ``` #### CommonParameters This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about\_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://manuals.blusapphire.io/blugenie/full-function-list/get-blugenieauditprocesstracking.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.