Forum Discussion

joswil0805
Copper Contributor
Oct 08, 2024

powershell get-winevent script assistance

First-time poster here, hoping I am doing this correctly! I am using the script below to send email alerts when more than 200 instances of event 6273 are logged in the Security log within a 10-minute period. This script emails the most recent 100 events and works perfectly, but it includes much more information than we care to see, as shown in the output below the code. We are basically just trying to get an email that allows us to quickly skim through the users from the latest 100 events to ensure they are not legitimate AD accounts and, if they are, easily determine the offender's IP address and add it to the blocklist. How can I extract and email only the timestamp, account name, and the Calling Station Identifier, formatted with some kind of line break between the entries, from this thing?

  

# Count all 6273 (NPS denied access) events in the last 10 minutes.
# @() and -ErrorAction SilentlyContinue keep this from erroring when no events match:
# Get-WinEvent writes an error, not an empty result, in that case.
$count = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273; StartTime=(Get-Date).AddMinutes(-10)} -ErrorAction SilentlyContinue).Count

if ($count -gt 200)
{
    $EventId = 6273

    # Newest 100 matching events (Get-WinEvent returns newest first)
    $A = Get-WinEvent -MaxEvents 100 -FilterHashtable @{LogName = "Security"; Id = $EventId; StartTime=(Get-Date).AddMinutes(-10)} -ErrorAction SilentlyContinue
    $Message = $A.Message

    $EmailFrom = "email address removed for privacy reasons"
    $EmailTo = "email address removed for privacy reasons"
    $Subject = "Password guessing alert"
    # $Message is an array, so interpolating it here joins all 100 messages with a single space
    $Body = "`nMessage: $Message"
    $SMTPServer = "webmail.mail.com"
    $SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
    $SMTPClient.EnableSsl = $true
    # Mailbox password is stored in plain text in the script
    $SMTPClient.Credentials = New-Object System.Net.NetworkCredential("email address removed for privacy reasons", "password")
    $SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)
}
else
{
    Write-Host "Under 200 events"
    Exit
}

Here is the output we currently have scheduled to email us each hour:

Message: Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:S-1-0-0
Account Name:CASTRO
Account Domain:DOMAIN
Fully Qualified Account Name:DOMAIN\CASTRO

Client Machine:
Security ID:S-1-0-0
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:10.44.17.98
Calling Station Identifier:62.122.184.12

NAS:
NAS IPv4 Address:10.25.254.1
NAS IPv6 Address:-
NAS Identifier:-
NAS Port-Type:Virtual
NAS Port:2678272000

RADIUS Client:
Client Friendly Name:FTD
Client IP Address:10.25.254.1

Authentication Details:
Connection Request Policy Name:FTD-Authentication
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:DC302.domain.com
Authentication Type:PAP
EAP Type:-
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code:16
Reason:Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:S-1-0-0
Account Name:rlinda
Account Domain:DOMAIN
Fully Qualified Account Name:DOMAIN\rlinda

Client Machine:
Security ID:S-1-0-0
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:10.44.17.98
Calling Station Identifier:83.97.73.104

NAS:
NAS IPv4 Address:10.25.254.1
NAS IPv6 Address:-
NAS Identifier:-
NAS Port-Type:Virtual
NAS Port:2678267904

RADIUS Client:
Client Friendly Name:FTD
Client IP Address:10.25.254.1

Authentication Details:
Connection Request Policy Name:FTD-Authentication
Network Policy Name:-
Authentication Provider:Windows
Authentication Server:DC302.domain.com
Authentication Type:PAP
EAP Type:-
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code:16
Reason:Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
 
  • sdtslmn
    Brass Contributor

    joswil0805 

     

    # @() and -ErrorAction SilentlyContinue: Get-WinEvent writes an error when nothing matches
    $count = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id = 6273; StartTime = (Get-Date).AddMinutes(-10)} -ErrorAction SilentlyContinue).Count
    
    if ($count -gt 200) {
        $A = Get-WinEvent -MaxEvents 100 -FilterHashtable @{LogName = "Security"; Id = 6273; StartTime = (Get-Date).AddMinutes(-10)} -ErrorAction SilentlyContinue
        # Properties[] follows the field order of the message text: index 1 is the User Account Name,
        # index 8 is the Calling Station Identifier (the 9th field in the message). Confirm the
        # positions against one event with $A[0].ToXml() if your NPS version lays the fields out differently.
        # The pipeline is wrapped in parentheses because -join is an operator, not a ForEach-Object parameter.
        $Message = ($A | ForEach-Object {
            "Timestamp: $($_.TimeCreated)`nAccountName: $($_.Properties[1].Value)`nCalling Station: $($_.Properties[8].Value)`n"
        }) -join "`n"
        
        # Email configuration (placeholder server, account and password)
        $SMTPClient = New-Object Net.Mail.SmtpClient("smtp.mail.com", 587)
        $SMTPClient.EnableSsl = $true
        $SMTPClient.Credentials = New-Object System.Net.NetworkCredential("your-email", "password")
        $SMTPClient.Send("your-email", "recipient-email", "Password guessing alert", $Message)
    } else {
        Write-Host "Under 200 events"
    }
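
The script below is an added example, not code from either post in this thread. It builds the same kind of alert but reads the account name and Calling Station Identifier by name from each event's XML (so it does not depend on the position of a value in Properties[]), summarises the newest events by source address and by account so the blocklist candidates are at the top of the mail, and loads the SMTP credential from a DPAPI-protected file instead of a plaintext password in the script. The EventData field names (SubjectUserName, CallingStationID, ReasonCode), the threshold and window values, and the SMTP host, addresses and credential file path are assumptions for illustration; check one event with Get-WinEvent ... | Select-Object -First 1 | ForEach-Object { $_.ToXml() } before relying on the names.

```powershell
# Added example, not code from the thread. Summarises NPS event 6273 (Network Policy
# Server denied access to a user) by Calling Station Identifier and account.
# Assumptions (not from the thread): the EventData field names used below, the
# threshold/window values, and the SMTP host, addresses and credential file path.

$Threshold  = 200      # alert when more than this many denials fall in the window
$WindowMins = 10
$MaxEvents  = 100      # newest events to list individually in the mail
$From       = 'nps-alerts@example.com'    # placeholder
$To         = 'soc@example.com'           # placeholder
$SmtpHost   = 'smtp.example.com'          # placeholder
$CredFile   = 'C:\Scripts\smtp.cred'      # placeholder; create once, as the task's run-as user, with:
                                          #   Get-Credential | Export-Clixml C:\Scripts\smtp.cred

function ConvertFrom-NpsDenial {
    # Flatten one 6273 record into the fields the triage mail needs, looked up by the
    # Name attribute of each <Data> element rather than by position.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        TimeCreated    = $Event.TimeCreated
        Account        = $data['SubjectUserName']
        CallingStation = $data['CallingStationID']   # source address of the VPN client
        ReasonCode     = $data['ReasonCode']
    }
}

function Format-NpsReport {
    # Plain-text body: totals, top source addresses, targeted accounts, then one line per event.
    param([object[]]$Denials, [int]$Total)
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add("$Total NPS denials (event 6273) in the last $WindowMins minutes; newest $($Denials.Count) listed.")
    $lines.Add('')
    $lines.Add('Top Calling Station Identifiers (blocklist candidates):')
    $Denials | Group-Object CallingStation | Sort-Object Count -Descending | Select-Object -First 10 |
        ForEach-Object { $lines.Add(('  {0,5}  {1}' -f $_.Count, $_.Name)) }
    $lines.Add('')
    $lines.Add('Accounts targeted:')
    $Denials | Group-Object Account | Sort-Object Count -Descending |
        ForEach-Object { $lines.Add(('  {0,5}  {1}' -f $_.Count, $_.Name)) }
    $lines.Add('')
    $lines.Add('Newest events (time, account, calling station, reason code):')
    foreach ($d in $Denials) {
        $lines.Add(('  {0:yyyy-MM-dd HH:mm:ss}  {1,-24}  {2,-40}  {3}' -f $d.TimeCreated, $d.Account, $d.CallingStation, $d.ReasonCode))
    }
    $lines -join "`r`n"
}

# One query for the whole window so the count and the listed events come from the same snapshot.
# -ErrorAction SilentlyContinue: Get-WinEvent writes an error, not an empty result, when nothing matches.
$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddMinutes(-$WindowMins) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -le $Threshold) {
    Write-Host "$($events.Count) events in the last $WindowMins minutes; threshold is $Threshold"
    return
}

# Get-WinEvent returns newest first, so -First keeps the most recent events; only those are parsed.
$denials = $events | Select-Object -First $MaxEvents | ForEach-Object { ConvertFrom-NpsDenial $_ }
$body    = Format-NpsReport -Denials $denials -Total $events.Count

# Import-Clixml restores a PSCredential whose password Export-Clixml protected with DPAPI for the
# exporting user on this machine, so the scheduled task runs as that user and the script holds no password.
$cred   = Import-Clixml -Path $CredFile
$client = New-Object System.Net.Mail.SmtpClient($SmtpHost, 587)
$client.EnableSsl   = $true
$client.Credentials = $cred.GetNetworkCredential()
$client.Send($From, $To, "Password guessing alert: $($events.Count) NPS denials", $body)
```

Running the whole window through one Get-WinEvent call and only parsing the first 100 keeps the count and the listed events consistent without paying the XML parsing cost for every event during a spray. The grouped counts are what you act on: a single Calling Station Identifier with hundreds of denials against many accounts is the address to blocklist, while one account failing from many addresses points at a targeted user rather than a source to block.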