Skip to content

Instantly share code, notes, and snippets.

@captainGeech42

captainGeech42/powershell_parser.kql

Last active October 27, 2021 08:21
Show Gist options
  • Save captainGeech42/5974b1fce3e269a4d667d94edbc30153 to your computer and use it in GitHub Desktop.
Save captainGeech42/5974b1fce3e269a4d667d94edbc30153 to your computer and use it in GitHub Desktop.
Download ZIP
PowerShell Event Log Parser for Azure Sentinel (EID 4103/4104)
Raw
powershell_parser.kql
let EventData = Event
| where Source == "Microsoft-Windows-PowerShell"
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| project TimeGenerated,
Source,
EventID,
Computer,
UserName,
EventData,
RenderedDescription
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| project-away EventData,
EvData;
let POWERSHELL_PIPELINE_4103=() {
let processEvents = EventData
| where EventID == 4103
| extend Lines = split(EventDetail.[0].["#text"], " ")
| extend Severity = split(Lines.[0], "=").[1]
| extend HostName = split(Lines.[1], "=").[1]
| extend HostVersion = split(Lines.[2], "=").[1]
| extend HostID = split(Lines.[3], "=").[1]
| extend HostApplication = split(Lines.[4], "=").[1]
| extend EngineVersion = split(Lines.[5], "=").[1]
| extend RunspaceID = split(Lines.[6], "=").[1]
| extend PipelineID = split(Lines.[7], "=").[1]
| extend CommandName = split(Lines.[8], "=").[1]
| extend CommandType = split(Lines.[9], "=").[1]
| extend ScriptName = split(Lines.[10], "=").[1]
| extend CommandPath = split(Lines.[11], "=").[1]
| extend SequenceNumber = split(Lines.[12], "=").[1]
| extend User = split(Lines.[13], "=").[1]
| extend ConnectedUser = split(Lines.[14], "=").[1]
| extend ShellID = split(Lines.[15], "=").[1]
| project-away EventDetail, Lines
;
processEvents;
};
let POWERSHELL_REMOTE_COMMAND_4104=() {
let processEvents = EventData
| where EventID == 4104
| extend MessageNumber = EventDetail.[0].["#text"]
| extend MessageTotal = EventDetail.[1].["#text"]
| extend ScriptBlockText = EventDetail.[2].["#text"]
| extend ScriptBlockID = EventDetail.[3].["#text"]
| extend Path = EventDetail.[4].["#text"]
| project-away EventDetail
;
processEvents;
};
(union isfuzzy=true
POWERSHELL_PIPELINE_4103,
POWERSHELL_REMOTE_COMMAND_4104
)
| extend Details = column_ifexists("Details", ""),
RuleName = column_ifexists("RuleName", ""),
PreviousCreationUtcTime=column_ifexists("PreviousCreationUtcTime", ""),
Hashes = column_ifexists("Hashes", ""),
Hash = column_ifexists("Hash", "")
| project TimeGenerated,
Source,
Computer,
UserName,
EventID,
Severity,
HostName,
HostVersion,
HostID,
HostApplication,
EngineVersion,
RunspaceID,
PipelineID,
CommandName,
CommandType,
ScriptName,
CommandPath,
SequenceNumber,
User,
ConnectedUser,
ShellID,
MessageNumber,
MessageTotal,
ScriptBlockText,
ScriptBlockID,
Path
@jasonkasih
Copy link

Thanks for this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment