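# Export correlated AD FS sign-in records from exported .evtx files to a CSV.
#
# Inputs (set before running):
#   $mcEvtPath  - directory holding the exported "AD FS Auditing" .evtx files.
#                 It is not defined in this snippet; the caller must provide it.
# Outputs:
#   .\test.csv  - one row per correlated instance ID with the columns
#                 TimeCreated, UPN, serviceName, Properties. The path is
#                 relative to the current directory. The file contains user
#                 principal names and raw claim values, so handle it with the
#                 same care as the source audit logs.
#
# Flow: for every .evtx file, collect event 412 entries whose property list
# contains the SecureConversation token-type URI (keyed by the instance ID in
# Properties[0]); then attach the property data of the event 501 entries that
# carry the same instance ID. Correlation state persists across files, and the
# rows are only built once all files have been read.

$mcMaxExport = 50000
$mcMaxImport = 50000   # kept for compatibility; not used by this snippet
$mcStartTime = '2019/01/01 00:00'
$upnClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$secureConversationTokenType = 'http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation'

if (-not $mcEvtPath) {
    throw 'Set $mcEvtPath to the directory containing the exported .evtx files before running.'
}

# Reads audit events of one ID from one exported log file.
# Get-WinEvent reports "no events found" as a non-terminating error, which is
# why errors are silenced; be aware this also hides unreadable or corrupt
# files, so an unexpectedly empty export deserves a second look.
function Get-AdfsAuditEvent {
    param(
        [string]$Path,
        [string]$Id
    )
    Get-WinEvent -FilterHashtable @{
        Path      = $Path
        LogName   = 'AD FS Auditing'
        Level     = 0
        StartTime = $mcStartTime
        Id        = $Id
    } -MaxEvents $mcMaxExport -ErrorAction SilentlyContinue
}

# -clike keeps the original case-sensitive match on the extension.
$mcFiles = Get-ChildItem -Path $mcEvtPath | Where-Object { $_.Name -clike '*.evtx' }
if (-not $mcFiles) {
    Write-Warning "No .evtx files found under $mcEvtPath"
}

$SignInLogs = @()
$SignInEvents = @{ }

foreach ($mcFile in $mcFiles) {
    $mc412s = Get-AdfsAuditEvent -Path $mcFile.FullName -Id '412' | Sort-Object -Property TimeCreated

    foreach ($mc412 in $mc412s) {
        # The token-type URI has no fixed position (it may be the last
        # property), so every value is inspected.
        $hasSecureConversation = $mc412.Properties | Where-Object { $_.Value -eq $secureConversationTokenType }
        if (-not $hasSecureConversation) { continue }

        # Keys are normalised to strings so that the 501 lookup below matches
        # regardless of the property value's runtime type.
        $instanceId = [string]$mc412.Properties[0].Value
        $SignInEvents[$instanceId] = [PSCustomObject]@{
            TimeCreated = $mc412.TimeCreated
            instanceId  = $instanceId
            serviceName = $mc412.Properties[$mc412.Properties.Count - 1].Value
            Claims      = @()   # raw property objects from the matching 501 events
        }
    }

    $mc501s = Get-AdfsAuditEvent -Path $mcFile.FullName -Id '501'
    foreach ($mc501 in $mc501s) {
        $instanceId = [string]$mc501.Properties[0].Value
        # Only 501 entries that correlate with a collected 412 entry are kept.
        if (-not $SignInEvents.ContainsKey($instanceId)) { continue }
        # Progress chatter; visible with -Verbose / $VerbosePreference so it
        # never leaks into the output pipeline.
        Write-Verbose "find $instanceId"
        # Properties[0] is the instance ID itself; the remainder is claim data.
        $SignInEvents[$instanceId].Claims += @($mc501.Properties | Select-Object -Skip 1)
    }
}

# Build the output rows once, after all files are read. Doing this inside the
# file loop re-processed and duplicated the entries from earlier files.
foreach ($key in $SignInEvents.Keys) {
    $entry = $SignInEvents[$key]
    # Drop the "-" placeholders. The UPN lookup assumes the claim value
    # follows its claim-type URI in this list, as the original filter did.
    $claimValues = @($entry.Claims | Where-Object { $_.Value -ne '-' } | ForEach-Object { [string]$_.Value })

    # IndexOf is evaluated on the array, not on the joined string, so the
    # result is the position of the claim-type entry rather than a character
    # offset (which previously yielded a single character as the UPN).
    $upn = $null
    $upnIndex = [array]::IndexOf($claimValues, $upnClaimType)
    if ($upnIndex -ge 0 -and ($upnIndex + 1) -lt $claimValues.Count) {
        $upn = $claimValues[$upnIndex + 1]
    }

    $SignInLogs += [PSCustomObject]@{
        TimeCreated = $entry.TimeCreated
        UPN         = $upn
        serviceName = $entry.serviceName
        instanceId  = $entry.instanceId
        Properties  = $claimValues -join ''
    }
}

$SignInLogs | Sort-Object -Property TimeCreated | Select-Object TimeCreated, UPN, serviceName, Properties | ConvertTo-Csv | Out-File -Encoding UTF8 -FilePath .\test.csv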