Public/Get-EventFromWEC.ps1
|
function Get-EventFromWEC { [CmdletBinding()] param ( [Parameter(Mandatory=$false, HelpMessage = 'Name of file with definitions')] [string[]] $WEDefinitionName, [Parameter(Mandatory=$false, HelpMessage = 'Time range definition')] [ValidateSet('PastHour', 'CurrentHour', 'PastDay', 'CurrentDay', 'CurrentMonth', 'PastMonth', 'PastQuarter', 'CurrentQuarter', 'CurrentDayMinusDayX', 'CurrentDayMinuxDaysX', 'CustomDate', 'Last3days', 'Last7days', 'Last14days', 'Everything')] [string] $Times, [Parameter(Mandatory = $false, HelpMessage = 'Days for specific Times parameter')] [int32] $Days, [Parameter(Mandatory = $false, HelpMessage = 'DateTime for specific Times parameter')] [DateTime] $DateFrom, [Parameter(Mandatory = $false, HelpMessage = 'DateTime for specific Times parameter')] [DateTime] $DateTo, [Parameter(Mandatory = $false, HelpMessage = 'Path were definitions are stored')] [ValidateScript( { Test-Path -Path $_ -PathType Container })] [string] $WEDefinitionPath, [Parameter(Mandatory = $false, HelpMessage = 'Name of WEC server', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [string] $ComputerName, [Parameter(Mandatory = $false, HelpMessage = 'Should extracted logs be sent to Azure LA', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [switch] $WriteToAzureLog, [Parameter(Mandatory = $false, HelpMessage = 'Name for Table to store Events in Azure Log Analytics', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [string] $ALTableIdentifier, [Parameter(Mandatory = $false, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [string] $ALWorkspaceID, [Parameter(Mandatory = $false, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [string] $WorkspacePrimaryKey, [Parameter(Mandatory=$false,HelpMessage = 'Path with Cache File')] [string] $WECacheExportFile, [Parameter(Mandatory = $false, HelpMessage = 'Output Events to Pipe', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] [switch] $PassThru ) begin { if ($PSBoundParameters.ContainsKey('WEDefinitionPath')) { $WEDefinitionPathFinal = $WEDefinitionPath } else { $WEDefinitionPathFinal = Get-Item -Path "$PSScriptRoot\..\Configuration\Definitions" } if($PSBoundParameters.ContainsKey('ComputerName')){ $ComputerToQuery = $ComputerName } else { $ComputerToQuery = $env:ComputerName } } process { if($PSBoundParameters.ContainsKey('WEDefinitionName')){ $WEDefinitionSet = $WEDefinitionName } else { $WEDefinitionSet = Get-WEDefinitionList -WEDefinitionPath $WEDefinitionPathFinal } Write-Verbose "Will proces with definitions: {$($WEDefinitionSet -join ',')}" #region Set Time $setWESearchTimeSplat = @{} if($PSBoundParameters.ContainsKey('Times')) { $setWESearchTimeSplat.Times = $Times if($PSBoundParameters.ContainsKey('Days')) { $setWESearchTimeSplat.Days = $Days } if($PSBoundParameters.ContainsKey('DateFrom')) { $setWESearchTimeSplat.DateFrom = $DateFrom } if($PSBoundParameters.ContainsKey('DateTo')) { $setWESearchTimeSplat.DateTo = $DateTo } $TimesSet = Set-WESearchTime @setWESearchTimeSplat } elseif(-not ($PSBoundParameters.ContainsKey('Times'))) { $TimesSet = Set-WESearchTime -Times 'Everything' } #endregion foreach ( $definition in $WEDefinitionSet) { $Definitions = Get-WEDefinition -WEDefinitionName $definition -WEDefinitionPath $WEDefinitionPathFinal $FindEventsSplat = @{ Definitions = $Definitions.SearchDefinition Times = $TimesSet Target = Set-WESearchTarget -computerName $ComputerToQuery -LogName $Definitions.LogName } if ($PSBoundParameters.ContainsKey('WECacheExportFile')){ $FindEventsSplat.Times = Get-WESearchTimeFromCache -Path $WECacheExportFile -WEDefinition $definition } if ($PSBoundParameters.ContainsKey('Verbose')) { $FindEventsSplat.Verbose = $true } $invocationStartTime = [DateTime]::UtcNow $FindEvents = Find-Events @FindEventsSplat $invocationEndTime = [DateTime]::UtcNow if ($FindEvents) { $WECEvent = @{ $definition = $FindEvents } if ($PSBoundParameters.ContainsKey('WriteToAzureLog')) { $writeEventToLogAnalyticsSplat = @{ WECEvent = $WECEvent ALTableIdentifier = $ALTableIdentifier ALWorkspaceID = $ALWorkspaceID WorkspacePrimaryKey = $WorkspacePrimaryKey invocationStartTime = $invocationStartTime invocationEndTime = $invocationEndTime } if($PSBoundParameters.ContainsKey('WECacheExportFile')){ $writeEventToLogAnalyticsSplat.WECacheExportFile= $WECacheExportFile } Write-EventToLogAnalytics @writeEventToLogAnalyticsSplat } if ($PSBoundParameters.ContainsKey('WECacheExportFile') -and (-not ($PSBoundParameters.ContainsKey('WriteToAzureLog')))) { $updateWECacheExportFileSplat = @{ Path = $WECacheExportFile LastRunTime = $invocationEndTime WEDefinition = $definition LastExportStatus = 'NoExport' } Update-WECacheExportFile @updateWECacheExportFileSplat } if ($PSBoundParameters.ContainsKey('PassThru')) { $WECEvent } } else { Write-Verbose 'No Events found' } } } } |