WindowsEventMonitor.psd1
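#
# Module manifest for module 'EMCommon'
#
# Generated by: ranavale
#
# Generated on: 7/26/2023
#

@{

# Script module or binary module file associated with this manifest.
# NOTE(review): this manifest file is named WindowsEventMonitor.psd1 while the
# module it describes is 'EMCommon'. Import-Module resolves a module by the
# manifest's base name, so confirm the intended module name before publishing.
RootModule = '.\EventMonitor\EMCommon.psm1'

# Version number of this module.
ModuleVersion = '0.0.4'

# Supported PSEditions
# CompatiblePSEditions = @()

# ID used to uniquely identify this module
GUID = 'd64b1d3c-f77a-448e-87a7-becbe286563b'

# Author of this module
Author = 'ranavale'

# Company or vendor of this module
CompanyName = 'Microsoft'

# Copyright statement for this module
Copyright = '(c) Microsoft. All rights reserved.'

# Description of the functionality provided by this module.
# Single-quoted here-string: '$repetitionIntervalInMin' below is literal text
# (the name of the task parameter), not an expanded variable.
Description = @'
The scheduled task will be triggered on any user logon to vm as well as every given $repetitionIntervalInMin intervals that watches the windows events triggered by logon and logoff events as well as netstat and quser query results to infer if there are any active rdp or ssh session connected to vm.

# Windows VM event monitor

This tool contains the scripts that can run as scheduled task under System account and are capable or reading the windows event log and put it to Log Analytics.

# Logon indication events:

Gets the details of the latest windows logon related events and returns the latest event among those events. The list of events considered to be logon related are

- `OpenSSHApplication`: OpenSSH/Operational This OpenSSH application event is generated when SSH connected
- `4648`: This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials..
- `4624`: This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
- `5140`: This event generates every time network share object was accessed.
- `4801`: This event is generated when workstation was unlocked.
- `4634`: This is not a logoff event but session end event, disabled as it gets fired for both logon/logoff

# Logoff indication events:

Gets the details of the latest windows logoff related events and returns the latest event among those events. The list of events considered to be logoff related are

- `OpenSSHApplication`: OpenSSH/Operational This OpenSSH application event is generated when SSH disconnect is requested
- `4647`: This event is generated when a logoff is initiated. No further user-initiated activity can occur for related logon ref.
- `4779`: This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
- `4689`: This event is generated when process is terminated. (Disabled for calculations as netstat provides if any ssh connection is active.

# Active Sessions and SSH connection:

`quser` Event Monitor gathers the data about which users and active sessions exist on the machine. It will send the log with each session's idle time.

`netstat -b` gives the indication if there is any active ssh connection to the machine.

# Miscellaneous windows events:

In addition to logon and logoff related events this tools is `capable of tracking miscellaneous windows event` that can be dynamically provided as input to task while its registration.

`Version: Scripts to VM Event Monitor`
'@

# Minimum version of the PowerShell engine required by this module.
# NOTE(review): no minimum engine version is declared. If EMCommon.psm1 depends
# on cmdlets that older engines lack, declaring it here makes Import-Module fail
# clearly at install time instead of the scheduled task failing under SYSTEM.
# PowerShellVersion = ''

# Name of the PowerShell host required by this module
# PowerShellHostName = ''

# Minimum version of the PowerShell host required by this module
# PowerShellHostVersion = ''

# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
# DotNetFrameworkVersion = ''

# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
# ClrVersion = ''

# Processor architecture (None, X86, Amd64) required by this module
# ProcessorArchitecture = ''

# Modules that must be imported into the global environment prior to importing this module
# RequiredModules = @()

# Assemblies that must be loaded prior to importing this module
# RequiredAssemblies = @()

# Script files (.ps1) that are run in the caller's environment prior to importing this module.
# ScriptsToProcess = @()

# Type files (.ps1xml) to be loaded when importing this module
# TypesToProcess = @()

# Format files (.ps1xml) to be loaded when importing this module
# FormatsToProcess = @()

# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
# NestedModules = @()

# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
# Keep this list explicit: per the Description the module's scripts run as a
# scheduled task under the System account, so only the intended entry points
# should be reachable from the module surface.
FunctionsToExport = @(
    'Register-VMMonitorTask',
    'Unregister-EventMonitor',
    'Start-EventMonitor',
    'Stop-EventMonitor',
    'Enable-EventMonitor',
    'Disable-EventMonitor',
    'Get-EventMonitor'
)

# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
CmdletsToExport = @()

# Variables to export from this module.
# NOTE(review): '*' exports every module-scope variable of EMCommon.psm1 into
# the caller's session; PSScriptAnalyzer (PSUseToExportFieldsInManifest) prefers
# an explicit list or @(). Left unchanged here because the .psm1 is not visible
# and a consumer may rely on an exported variable — verify, then tighten.
VariablesToExport = '*'

# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
AliasesToExport = @()

# DSC resources to export from this module
# DscResourcesToExport = @()

# List of all modules packaged with this module
# ModuleList = @()

# List of all files packaged with this module
# FileList = @()

# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
PrivateData = @{

    PSData = @{

        # Tags applied to this module. These help with module discovery in online galleries.
        Tags = @("Windows", "EventMonitor", "ConnectionMonitor", "PowerShell", "VirtualMachineMonitor", "Security", "EventLogs")

        # A URL to the license for this module.
        LicenseUri = 'https://dev.azure.com/ranavale/EngSys/_git/WindowsEventMonitor?version=GBmain&path=/LICENSE'

        # A URL to the main website for this project.
        ProjectUri = 'https://dev.azure.com/ranavale/EngSys/_git/WindowsEventMonitor?version=GBmain'

        # A URL to an icon representing this module.
        # IconUri = ''

        # ReleaseNotes of this module.
        # NOTE(review): the notes still describe 0.0.1 while ModuleVersion is
        # 0.0.4; add an entry per released version so gallery consumers can see
        # what changed.
        ReleaseNotes = @'
0.0.1 20230723
* Initial beta release to PS Gallery
'@

        # Prerelease string of this module
        # Prerelease = ''

        # Flag to indicate whether the module requires explicit user acceptance for install/update/save.
        # When true, LicenseUri above must resolve to the license text.
        RequireLicenseAcceptance = $true

        # External dependent modules of this module
        # ExternalModuleDependencies = @()

    } # End of PSData hashtable

} # End of PrivateData hashtable

# HelpInfo URI of this module
# HelpInfoURI = ''

# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''

}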