diff --git a/Create-CustomViews.ps1 b/Create-CustomViews.ps1 index 47dc308..4ccbdfe 100644 --- a/Create-CustomViews.ps1 +++ b/Create-CustomViews.ps1 @@ -1,7 +1,7 @@ <# .SYNOPSIS Name: Create-CustomViews.ps1 - Version: 1.0 + Version: 1.1 Author: Russell Tomkins - Microsoft Premier Field Engineer Blog: https://aka.ms/russellt @@ -114,11 +114,12 @@ Write-Host "`nLaunch Event Viwer (eventvwr.exe) and expand Custom Views to use t # ----------------------------------------------------------------------------------- # End of Script # ----------------------------------------------------------------------------------- + # SIG # Begin signature block # MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCB/VO02N+v+VSl0 -# tGwogDsaIxQJgmLZrzI643/DGEptCaCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAXDgdxm3aFzoVL +# hgb3gu8EfY2H+SedmACMawllGvu/iaCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG # /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa 
@@ -270,22 +271,22 @@ Write-Host "`nLaunch Event Viwer (eventvwr.exe) and expand Custom Views to use t # U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY # BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3 # AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi -# BCDvPhlrWcNxAtf3BIrQEncYTV52S01nj9Oz1M8Gex9xrDANBgkqhkiG9w0BAQEF -# AASCAQC/ZN0OfQAI1xtaYtyjjohiK31f2wGlGsqAO+rO1fSUgYBLTHJEZ+OJZm0M -# SyHi7fqWk5X1pjhKgvo8mf367gr9WxYH7nxaLKNeOnqKwP7yE0XDGQ8S0GDfcTTC -# s87NZCgl6DmpqPnZPU6E57pd8Tq+lRdeIv4AZm6XHL1Me/vNkO1aqvkP5TCFw4ib -# nR6WQsHRADZVDkWhyHiWtrO6Tt+rmh6xsPDvN25uXARIMOwFvlBCGR9dm6MwmaLS -# 20z8VldFHCJHDKd9NfzVv+szr7bJmdyvHSTSaEyiZwtBMYBwyiYiqW+ubzcvzSn1 -# X7Mr8CvcEoYbMhPbttFLcFt33CgcoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 +# BCBex67HxE1Hfg/oybQqp3u7NxWsYfPmbeyDFdmp9QLb6jANBgkqhkiG9w0BAQEF +# AASCAQAo9pkmzqtbDItB2kwOAfqA2Gh22Y4QoukhtrERJpiOaCsE4aNhO4eMu6pJ +# Vcig5cVIiSdkMucGhsWJsvWgMNGnr3VFvwRvfwGI0PKb/XPbQANVzBrdFN1aoPTq +# +b/FEaAMtMM6bQ792VHY2EhzMA8ISk1p0IdSCZ4RhaNPOFMXywOqnpeoQkaUO4dR +# pRJN1CTPwwbI7QrGtWK9k4powpPQJ5EzD2L2HuxVPenBYM2ZlX8sT8B2hqfBbD0z +# Z3o2i/a08w4mgXwShsFuk1Yc1Xb28HZ2ENTyVZ6Hv96mKWwuFnyUpTkIG6LMLNrx +# R4HUEd63GKYyufFltxTcQhR2x7lZoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG -# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzAzMjgwMTE2NDBa -# MCMGCSqGSIb3DQEJBDEWBBSwUtmsplyZO3TrepLeZXvznI26TTANBgkqhkiG9w0B -# AQEFAASCAQAoFg9ZQPS0KlMkwPPjQgmmvpUeSnxC6Gj8vbr4kAwPo8EMo8OA1P4v -# JTI52L2/AB2JLTEVXknyVqEalx3yjSdutSi81aER0sgrZYca+dC2Mb8jQ3hyQtBh -# ZIeOHsUBlVZNbX5IrDsBg2czk57qFjUf5HA9IgWhipFR3jVM8SmUgZ/4KpBIlRpq -# thgSAhlvQxo6jSWmd27crnb9ODMKxd+aSuiUfIthD2nD5ziTwiZgdAuWy0cLMHR1 -# klxgX611h6r3q+z+/zRuT6EoKw8QR8KGx7PvBTNqq6bTg0hJGj3IiDxb+qTmMZ/W -# IH0mdI4Vyi8hVMeiDxSS8ev7dnHBWmBn +# 
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTBa +# MCMGCSqGSIb3DQEJBDEWBBQjjsKnRRahp8E/oxtMOCizmT6raDANBgkqhkiG9w0B +# AQEFAASCAQAevhz5h1IaLpwLxoy4lKJ9KbOCHYS5afAlHms7cOSyTBF6wPtErp1+ +# dlKQePXSPQjEnVuunbACbjZ1M1sCRdECPXTxZJN/c6OVE6PzgMLqXukzttdAeF0I +# JMAv5LTt9mPBb0/Ix4t4YxpZahuIXAj1fp7Kbv+v6//+NidRNs0VPbhgIuBv9CVB +# 94ugKQWHu3fVPmRMTY7k5Grx/XsXBjQxQbVD7tAAizOAaCFioavYMfR9EsDu+lWA +# NbBe7BwayCqvyM/TMlKtvh+DIhDortznbJiUT04FKcWSDhn22xUflmt0UTvm5Z0b +# zStCeO2xNPsL24raX38FXEAanBBlVkx0 # SIG # End signature block diff --git a/Create-Manifest.ps1 b/Create-Manifest.ps1 index d6383b1..054f574 100644 --- a/Create-Manifest.ps1 +++ b/Create-Manifest.ps1 @@ -1,7 +1,7 @@ <# .SYNOPSIS Name: Create-Manifest.ps1 - Version: 1.0 + Version: 1.1 Author: Russell Tomkins - Microsoft Premier Field Engineer Blog: https://aka.ms/russellt @@ -75,7 +75,7 @@ $XmlWriter = New-Object System.XMl.XmlTextWriter($CustomEventsMAN,$null) # Set The Formatting $xmlWriter.Formatting = "Indented" $xmlWriter.Indentation = "4" -  + # Write the XML Decleration $xmlWriter.WriteStartDocument() @@ -147,8 +147,8 @@ Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man` # SIG # Begin signature block # MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDhYO0kNTmXVg0X -# zaC712EQ0yI3b4zJw4t2ZLNHGqcAVqCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCClCmr0opDAE+lP +# 3KmO1Yo/zh3Uyu3u6vT24xFcxuNZ9aCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG # /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa 
@@ -300,22 +300,22 @@ Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man` # U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY # BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3 # AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi -# BCCRpix1a9H9IuIAPHIvplTdngpCzd5n+hDOLgWgyMhw6TANBgkqhkiG9w0BAQEF -# AASCAQAH3XZhlPwmFx6pGRieaqnVDTbha0w/Cx0QoENcMgmiyRtlm/UdDvObYgex -# U924uBjnW0rw4C/bRZx5KUfWdke8pVgwZScMNMSPAefgO0AacYArQEpqz4CUhjrD -# 09Qbl5oRU3grRIxcxCdPxCEm2a/obBina+RjIhCWHBiu7KYdv/kgvnj3r/oSGqSa -# XYBPwNuLJyT/gGbUZas21FzkjNo0en1lMZRMlWMOi8s2IC9XSxIAECY+bMCQ5oPM -# L27Gh2GAs++jD2lisl4eWAj0Taei9pU6dBKPPYx0KeLJBt93HoEP3336dsGYK/Vx -# BwkXYHnc/xiRYlYQ/S7+1x/vpOO7oYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 +# BCAgSxj3/sCjD2c91lGljGzSQSzSR6JpgbNciSzyWDcFwjANBgkqhkiG9w0BAQEF +# AASCAQBOZx7FjhF/9BDJADEUgdaXB3tRpnCT9wLLby/LsBNI3Zcq2//ujc4ltmbt +# i1+fg2IT7nt/IWYS0s/XSMi4DQ0rdT3a/WeMIaQBa7zxytlqUFOmBdMoDc3AB/Nh +# l4sYYFwSHwWRDhNeNXZ+cb5+GjSBPn9Yy1sRxgC/Uap0VW9e1zRWDJtxpxG9ppWN +# pEZa8EMdS5s0TNV8bOI3XGu4uUnX5gUSyia1ISc9vls8Lb0wZFqk2wUz1sU2mTep +# 9n01bXJa0w+N2hunlVWXQUVLWwdU+9BkbS9gprUV4/5zZwqdgzT7aSonEn9U3HDw +# lM5ZkozbE15nP+qTDQ1wTzUvHELvoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG -# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzAzMjgwMTE2NDJa -# MCMGCSqGSIb3DQEJBDEWBBQ7hxrw8PNruzC2Y6MFb8hquPF8sDANBgkqhkiG9w0B -# AQEFAASCAQBPNKdmjU0j4DjdN5P50QtNe9WSGSzEv2aoPo8GQtTKtLqotJk6/uu3 -# kQu02FlZbEIpf0AFv6MK+5KWBj69XIr55f/T6cHi6GC3dLdaGWAh7k6HXcQbxGw7 -# 4V/15spMTCWXSwDOspmbmNI/qhGbGXaCHfKnNi+Kao3t8UGFleNIleQwHXtZbnbN -# QT/vIjimsuLEaEUsiUjAtNdkeNdjsQn4a+v+mdYIxwYbRhqYAXYkqSo9MjevuFpY -# ccZ1t+kZao11yECnBb2pzfbGnEDy3ny8nfY+gXIVPn654yRmqboTcF5pdiHXEwrd -# u79Zxxv4+rPqCah/Gcqtpyw67cKtdCMi +# 
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTFa +# MCMGCSqGSIb3DQEJBDEWBBQFcCtVgUTgayMN3C3fDrfJxF1SLDANBgkqhkiG9w0B +# AQEFAASCAQChXxUj0qqDiQZlu0wRdPa/3YLpxT5gORcPNBKkUt7oUTIOzZGytfxN +# RJFjm40NAPqgEGcdEkDH6WMzZ7eEpE2T96l9d8d5nn3hbyr+OfWGvSJ81WRQ6P0W +# Gzx9448EEkWa7vTHXSCwVcLFWtYIXGP1o/Ijo94tplLrAR4tYWIrql+ECuy0AEVZ +# uAfZWdKsZTO43yzAvj/7sODAp2ZrTSnuL7tcGZW9i+7vGuAKOVNPQx6kUd+DsI7+ +# Kz7rchZdZjmcgfmhWnH3RMDxTxTDC8E8waHELEfmpJCEEMhcmE5EiJhUaVcnfQj6 +# Lxy7VK+G+/tXwAaOXcWA2YaQ21HShPW8 # SIG # End signature block diff --git a/Create-Subscriptions.ps1 b/Create-Subscriptions.ps1 index e5f6767..a7ff734 100644 --- a/Create-Subscriptions.ps1 +++ b/Create-Subscriptions.ps1 @@ -1,27 +1,28 @@ <# .SYNOPSIS Name: Create-Subscriptions.ps1 - Version: 1.0 + Version: 1.1 Author: Russell Tomkins - Microsoft Premier Field Engineer Blog: https://aka.ms/russellt - Bulk creation of Windows Event Collection Subscriptions from input CSV + Bulk creation of Windows Event Collection Subscriptions from an input CSV Source: https://www.github.com/russelltomkins/ProjectSauron .DESCRIPTION Leverages an input CSV file to bulk create WEC subscriptions for event delivery - to dedicated custom event channels + to dedicated custom event channels. Subscriptions are imported by disabled by default. + Use the -NoImport and -CreateEnabled switches to override the behaviour. Refer to this blog series for more details http://blogs.technet.microsoft.com/russellt/2017/03/23/project-sauron-part-1 .EXAMPLE - Create, Import and Enable the WEC subscriptions. + Create and Import the WEC subscriptions (disabled by default) Create-Subscriptions.ps1 -InputFile DCEvents.csv .EXAMPLE - Create, Import but don't enable the WEC subscriptions - Create-Subscriptions.ps1 -InputFile -CreateDisabled + Create, Import and force enable the WEC subscriptions + Create-Subscriptions.ps1 -InputFile -CreateEnabled .EXAMPLE Only create the WEC subscription files, do not import them. 
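Review bot: The updated .DESCRIPTION reads `Subscriptions are imported by disabled by default.`, which looks like a typo for `imported but disabled by default`. The rewritten second .EXAMPLE, `Create-Subscriptions.ps1 -InputFile -CreateEnabled`, still omits the CSV argument that the mandatory -InputFile takes, so copying it verbatim fails parameter binding; `Create-Subscriptions.ps1 -InputFile DCEvents.csv -CreateEnabled` would match the first example. The help block continues past the end of this hunk.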
@@ -30,14 +31,11 @@ .PARAMETER InputFile A CSV file which must include a ChannelName, ChannelSymbol, QueryPath and the xPath Query itself - .PARAMETER LogRootPath - The location of .evtx event log files. Defaults to "D:\Logs" - - .PARAMETER OutputFile - The location of the output subscription .xml files. Defaults to "D:\Logs" + .PARAMETER OutputFolder + The location of the output subscription .xml files. Defaults to "\Subscriptions" under the current folder - .PARAMETER CreateDisabled - Creates and imports the subscriptions, but does not enable it + .PARAMETER CreateEnabled + Creates and imports the subscriptions but enables them immediately. .PARAMETER NoImport Creates the subscriptions files, but does not import them 
@@ -69,21 +67,21 @@ [CmdletBinding()] Param ( [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile, - [Parameter(Mandatory=$false)][String]$LogRootPath="D:\Logs", [Parameter(Mandatory=$false)][string]$OutputFolder=$PWD, - [Parameter(Mandatory=$false)][Switch]$CreateDisabled, - [Parameter(Mandatory=$false)][Switch]$NoImport) + [Parameter(Mandatory=$false)][Switch]$CreateEnabled, + [Parameter(Mandatory=$false)][Switch]$NoImport) + +# Configure and Start the Windows Event Collector Services except if we are not importing. +If (!($NoImport)){ + # Prepare and Start the Windows Event Collector Service + $WECService = Get-Service "Windows Event Collector" + $WECService | Set-Service -StartupType "Automatic" + $WECService | Start-Service +} # Import our Custom Events $CustomChannels = Import-CSV $InputFile -# Create and ACL the Log Roots Folder to allow Network Service access. -If(!(Test-Path $LogRootPath )){New-Item -Type Directory $LogRootPath} -$ACE = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE",'Modify','ContainerInherit,ObjectInherit','None','Allow') -$LogRootPathACL = (Get-Item $LogRootPath) | Get-ACL -$LogRootPathACL.AddAccessRule($ACE) -$LogRootPathACL | Set-ACL - # Loop through Chanel in input events. ForEach($Channel in $CustomChannels){ 
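Review bot: The new `If (!($NoImport))` block runs `Set-Service -StartupType "Automatic"` and `Start-Service` before `Import-CSV $InputFile` is attempted, so a missing or malformed CSV still leaves the collector service's startup type changed, and none of the three service calls use `-ErrorAction Stop`, so a failure (for example when not running elevated) is non-terminating and the script carries on into the subscription loop. Moving the `$CustomChannels = Import-CSV $InputFile` line above the service block and adding `-ErrorAction Stop` to `Get-Service`, `Set-Service` and `Start-Service` would make the failure mode explicit. The help header should also state that the script permanently changes the service's startup type, since that persists after the script exits. `Get-Service "Windows Event Collector"` passes what looks like a display name to the positional -Name parameter; if that only works by display-name fallback, `-DisplayName` (or the service name) would be the unambiguous form.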
@@ -91,27 +89,19 @@ ForEach($Channel in $CustomChannels){ # Bind to the Event Channel $EventChannel = Get-WinEvent -ListLog $Channel.ChannelName - # Disable the channel to allow changes - If ($EventChannel.IsEnabled) { - $EventChannel.IsEnabled = $False - $EventChannel.SaveChanges() + # Do not proceed if we are importing and the logs are still disabled. + If(!($NoImport)) { + If (!($EventChannel.IsEnabled)) { + Write-Host "Error: Event Channel is not Enabled" -Foregroundcolor "Red" -BackGroundColor "Black" + Write-host "Execute `"Prepare-EventChannels.ps1`" to configure them prior to creating event subscriptions"-Foregroundcolor "Red" -BackGroundColor "Black" + Exit + } } - # Update the channel to our requried Values - $NewLogFilePath = $LogRootPath + "\" + $Channel.ChannelSymbol + ".evtx" - $EventChannel.LogFilePath = $NewLogFilePath - $EventChannel.LogMode = "AutoBackup" - $EventChannel.MaximumSizeInBytes = 1073741824 - $EventChannel.SaveChanges() - - # Enable the Log - $EventChannel.IsEnabled = $True - $EventChannel.SaveChanges() - # --- Create the Subscription XML's # Pre-pend the current Folder path and create the SubFolders $SubscriptionNamePath = $OutputFolder + "\Subscriptions" - If(!(Test-Path $SubscriptionNamePath)){New-Item -Type Directory $SubscriptionNamePath} + If(!(Test-Path $SubscriptionNamePath)){New-Item -Type Directory $SubscriptionNamePath | Out-Null} # Create our new XML File $xmlFilePath = $SubscriptionNamePath + "\" + $Channel.ChannelSymbol + ".xml" 
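Review bot: The new `If (!($EventChannel.IsEnabled))` check cannot distinguish a disabled channel from a missing one: `Get-WinEvent -ListLog $Channel.ChannelName` on the context line above has no `-ErrorAction`, so an unknown channel writes a non-terminating error, `$EventChannel` is `$null`, and the script reports "Event Channel is not Enabled" for a channel that does not exist. A `$null` check before the IsEnabled test, as Prepare-EventChannels.ps1 in this same commit does with `-ErrorAction "SilentlyContinue"`, would give the right message. The bare `Exit` also returns status 0, so a caller or scheduled task cannot tell this failure from success; `Exit 1` with the message sent through `Write-Error` rather than `Write-Host` would fix that. The ForEach body this sits in continues past the end of the hunk.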
@@ -131,11 +121,11 @@ ForEach($Channel in $CustomChannels){ $xmlWriter.WriteElementString("SubscriptionId",$Channel.ChannelSymbol) $xmlWriter.WriteElementString("SubscriptionType","SourceInitiated") $xmlWriter.WriteElementString("Description",$Channel.ChannelName) - If($CreateDisabled){ - $xmlWriter.WriteElementString("Enabled","false") + If($CreateEnabled){ + $xmlWriter.WriteElementString("Enabled","true") } Else{ - $xmlWriter.WriteElementString("Enabled","true") + $xmlWriter.WriteElementString("Enabled","false") } $xmlWriter.WriteElementString("Uri","http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog") $xmlWriter.WriteElementString("ConfigurationMode","Custom") @@ -183,6 +173,7 @@ ForEach($Channel in $CustomChannels){ # Import the subscription to the server If(!($NoImport)){ + # Import the subscription to the server $command = "C:\Windows\System32\wecutil.exe" $action = "create-subscription" 
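Review bot: The inverted `If($CreateEnabled){ ... "true" } Else{ ... "false" }` in the @@ -131 hunk is correct, but the four-line branch only maps a switch to a string; `$xmlWriter.WriteElementString("Enabled", $(If($CreateEnabled){"true"}Else{"false"}))` says the same in one line and keeps the element name next to its value. A one-line comment above it, such as `# Subscriptions are written disabled unless -CreateEnabled was given`, would also tie the XML value to the documented default.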
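Review bot: In the @@ -183 hunk the added `# Import the subscription to the server` line duplicates the identical comment on the context line directly above `If(!($NoImport)){`, so the new comment adds nothing; either drop it or make the inner one describe the next step, e.g. `# Build the wecutil.exe create-subscription command line`. The If block it sits in continues past the end of the hunk.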
@@ -192,18 +183,19 @@ ForEach($Channel in $CustomChannels){ # If we didn't import, write out how to import manually If($NoImport){ - write-Host "Event Channels updated with required settings" write-Host "Subscription files located at $SubscriptionNamePath" - write-host "Import with wecutil.exe create-subscription .xml"} - + write-host "Import with `"wecutil.exe create-subscription .xml`""} +Else{ + write-Host "Event Channels created and imported. Use Event Viewer to enable subscriptions." +} # ----------------------------------------------------------------------------------- # End of Script # ----------------------------------------------------------------------------------- # SIG # Begin signature block # MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC0Osw/1T4Td6An -# uktM5rKr0UFEp2V+3sHBob/Pz2ZvRKCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDmRTCSV+qfcL+6 +# pOqLspQirwP7zaAf9qnDaQCuzmm48qCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG # /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa 
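Review bot: The new `Else{ write-Host "Event Channels created and imported. Use Event Viewer to enable subscriptions." }` message is wrong when the script was run with `-CreateEnabled`, because the subscriptions are then written with `Enabled=true` and there is nothing left to enable; it also says "Event Channels" although this script now only creates subscriptions, channel setup having moved to Prepare-EventChannels.ps1. A conditional message, e.g. `If($CreateEnabled){ Write-Host "Subscriptions created, imported and enabled." } Else { Write-Host "Subscriptions created and imported (disabled). Use Event Viewer or wecutil.exe to enable them." }`, would match the new defaults. The remainder of this hunk is the re-signed signature block and needs no review.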
@@ -355,22 +347,22 @@ If($NoImport){ # U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY # BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3 # AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi -# BCDk1IB2qVR9RaXlfijXEmFLt+9dHQ5rQkHDcaX4FmgzfjANBgkqhkiG9w0BAQEF -# AASCAQByFSrKaw/KQws3vuIHuFkP8ed1mb/ZKExVBKACbvX8d5XjZXLfQMtWXKtP -# wsRV2vDpsDJRzE5iqjpGNwRTMflRprkwU0MgpFpZd3VzUX+9PlXPUin/H07Ik8Kv -# djn7YzppOMvx7UTeBbMLhMJPJsnaISyffCgeBtEU1zi1I0Fkwy3fUS8Q4A3klQJd -# pWhgUr9esMMr7YQo0z58T4Qhz4EZyLSyrxKhwuxg+belv6/dClgqxdXB9cqge3/2 -# J14Pkp2ih2VJy6w+oKfu0G4dp1C/Neh/zzNsjGx5YfwYo1yQKnHnp4YZ9X/oNrwH -# DJooWpB+uwngpFsyd3LKFm1tErhAoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 +# BCBdRdQcl3uoARDQBCqg/cwdZleMA9onGTt8ho1IDiiCqDANBgkqhkiG9w0BAQEF +# AASCAQB82JthTsuUn9nAfJm4u94njOdCcya64ThMcwTw6gjtOMmW8lys7gnoxCvB +# hOBF+DVlOcBp0LUMN4yYZM8M9HxSjZTdQ0efzcEQZRfnhF5MvRyWSwnfG+dhaC2U +# 26WTx3F9CPiJhZlbbC13jcZmlkGmP+5tY7kXnn+QTIqO9KO4Se9BYkRR8u4lH5JS +# 3NwEzvyWauHblG5jpAY6gGGb63xl/bC1lc2NEkcRwE+bkPjPyp8k4P4CjGsseouJ +# VuLqLv8PP2nk1SAoYzTPj3qPLPhi9UuLV9rk4AWTLPbro1qbrGim0LAS9ccKknBG +# 9NCZa6tmIVjcW5Lql7UKsjmn6wlnoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 # AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG # A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl # ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG -# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzAzMjgwMTE2NDZa -# MCMGCSqGSIb3DQEJBDEWBBT9yDxcEWrXneHdE8PrXR3ZC/CcrDANBgkqhkiG9w0B -# AQEFAASCAQBMCoNP712CMHL+XJV/OIkJrpashiwLxFPL6KKyggEfcKwRA5k2zNSz -# Mt3B8UiOyl9Qocmxex7T0rwGxRxrcSgFYlKwSngdAKqABTzApFaXzZ6NAhn9eJAd -# zYql9frJD2sAam9My5MhMoGqwbYlKlLlTas1j/maimIZm9/JGgpLqKOBxxKRjF+G -# O+RXU38IZW0DjL64UAKXzB/C9Ybns3R2JYzhwdy5fxGnKb4JLVsV6IiM/oLtAMv9 -# Y2FgI9pz0CU6NGsM/eo1thaMNcN3zU2CpcOryiLEHH51t3z5O53aZ5oXHLBG6c5Q -# xGQyvvmL3sBDQcpl/SfhASHvTwlkLdCw +# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTNa +# 
MCMGCSqGSIb3DQEJBDEWBBQUSafeu49EHQNcvAKNKKEXcURbrjANBgkqhkiG9w0B +# AQEFAASCAQBt8bsMZ+lx7gSEFFX1I3cRmEsv7JmDxsE8z/SJDd/l9Ua2Tf6hnTnl +# U6hhIV7VQAEDLq9CaATkug3QjykqDYRWOWHAKZz3ngSulxfN/AQLrZP1tLByxfxW +# 8pCinR0sIO+jggioo1EcMJeajEEtUrWJU/280MWcEgs8ghlQedfoDPMxxoWwBZv9 +# 2ovdiXp4qTkvq0bMEt/p19doeYeQJC68cFUob2l3MN4bvkFW1AmrmhuRvr3VckY+ +# GglJxeANfnFKHHwjsi6WEWzNY2m7SJUwuaF7PrcAi2eNq9t2rMUpQrBts6xlfrbw +# 9lOStks/uV58iNSRQfFxEqX1lSHbkO5O # SIG # End signature block diff --git a/Pre-Canned/DCEvents - Custom Views.zip b/Pre-Canned/DCEvents - Custom Views.zip deleted file mode 100644 index 7eb30e5..0000000 Binary files a/Pre-Canned/DCEvents - Custom Views.zip and /dev/null differ diff --git a/Pre-Canned/DCEvents.dll b/Pre-Canned/DCEvents.dll deleted file mode 100644 index 4246f33..0000000 Binary files a/Pre-Canned/DCEvents.dll and /dev/null differ diff --git a/Pre-Canned/DCEvents.man b/Pre-Canned/DCEvents.man deleted file mode 100644 index e1b15bf..0000000 --- a/Pre-Canned/DCEvents.man +++ /dev/null @@ -1,94 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/Pre-Canned/read.me b/Pre-Canned/read.me deleted file mode 100644 index 939fa84..0000000 --- a/Pre-Canned/read.me +++ /dev/null @@ -1,2 +0,0 @@ -Contains examples pre-built as part of the development process. -Use at your own risk. diff --git a/Prepare-EventChannels.ps1 b/Prepare-EventChannels.ps1 new file mode 100644 index 0000000..f346310 --- /dev/null +++ b/Prepare-EventChannels.ps1 
@@ -0,0 +1,278 @@ +<# + .SYNOPSIS + Name: Prep-EventChannels.ps1 + Version: 1.1 + Author: Russell Tomkins - Microsoft Premier Field Engineer + Blog: https://aka.ms/russellt + + Preparation of event channels to receive event collection subscriptions from an input CSV + Source: https://www.github.com/russelltomkins/ProjectSauron + + .DESCRIPTION + Leverages an input CSV file to prepare the custom event channels created by Create-Manifest.ps1 + + Refer to this blog series for more details + http://blogs.technet.microsoft.com/russellt/2017/03/23/project-sauron-part-1 + + .EXAMPLE + Prepare the Event Chanenls using the Input CSV file. + Create-Subscriptions.ps1 -InputFile DCEvents.csv + + .PARAMETER InputFile + A CSV file which must include a ChannelName, ChannelSymbol, QueryPath and the xPath Query itself + + .PARAMETER LogRootPath + The location of .evtx event log files. Defaults to "D:\Logs" + + LEGAL DISCLAIMER + This Sample Code is provided for the purpose of illustration only and is not + intended to be used in a production environment. THIS SAMPLE CODE AND ANY + RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER + EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a + nonexclusive, royalty-free right to use and modify the Sample Code and to + reproduce and distribute the object code form of the Sample Code, provided + that You agree: (i) to not use Our name, logo, or trademarks to market Your + software product in which the Sample Code is embedded; (ii) to include a valid + copyright notice on Your software product in which the Sample Code is embedded; + and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and + against any claims or lawsuits, including attorneys fees, that arise or result + from the use or distribution of the Sample Code. + + This posting is provided "AS IS" with no warranties, and confers no rights. 
Use + of included script samples are subject to the terms specified + at http://www.microsoft.com/info/cpyright.htm. + #> +# ----------------------------------------------------------------------------------- +# Main Script +# ----------------------------------------------------------------------------------- + +# Prepare the Input Paremeters +[CmdletBinding()] + Param ( + [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile, + [Parameter(Mandatory=$false)][String]$LogRootPath="D:\Logs") + +# Import our Custom Events +$CustomChannels = Import-CSV $InputFile + +# Create The Folder +If(!(Test-Path $LogRootPath )){New-Item -Type Directory $LogRootPath | Out-Null} + +# Add an ACE to allow LOCAL SERVICE to modify the folder +$ACE = New-Object System.Security.AccessControl.FileSystemAccessRule("LOCAL SERVICE",'Modify','ContainerInherit,ObjectInherit','None','Allow') +$LogRootPathACL = (Get-Item $LogRootPath) | Get-ACL +$LogRootPathACL.AddAccessRule($ACE) +$LogRootPathACL | Set-ACL + +# Enable NTFS compression to save disk space +$Query = "select * from CIM_Directory where name = `"$($LogRootPath.Replace('\','\\'))`"" +$Results = Invoke-CimMethod -Query $Query -MethodName Compress + +# Loop through Chanell form the InputCSV +ForEach($Channel in $CustomChannels){ + + # --- Setup the Event Channels --- + # Bind to the Event Channel + $EventChannel = Get-WinEvent -ListLog $Channel.ChannelName -ErrorAction "SilentlyContinue" + If ($EventChannel -eq $Null){ + Write-Host "`nError: Event channel not loaded:`"$($Channel.ChannelName)`"" -ForeGroundColor Red + Write-Host "`nEnsure the manifest and dll has been loaded with wevtutil.exe im `n" -foregroundColor Green + Exit + } + + # Disable the channel to allow changes + If ($EventChannel.IsEnabled) { + $EventChannel.IsEnabled = $False + $EventChannel.SaveChanges() + } + + # Update the channel to our requried Values + $NewLogFilePath = $LogRootPath + "\" + $Channel.ChannelSymbol + ".evtx" + 
$EventChannel.LogFilePath = $NewLogFilePath + $EventChannel.LogMode = "AutoBackup" + $EventChannel.MaximumSizeInBytes = 1073741824 + $EventChannel.SaveChanges() + + # Enable the Log + $EventChannel.IsEnabled = $True + $EventChannel.SaveChanges() +} +# ----------------------------------------------------------------------------------- +# End of Script +# ----------------------------------------------------------------------------------- +# SIG # Begin signature block +# MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor +# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCeQjMRHWwBGMg0 +# u4WEWqkl6YBDK1kW3ZwEIa7LdxvYwaCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG +# /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK +# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV +# BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa +# Fw0zMTExMTAwMDAwMDBaMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy +# dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lD +# ZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +# AQoCggEBAK0OFc7kQ4BcsYfzt2D5cRKlrtwmlIiq9M71IDkoWGAM+IDaqRWVMmE8 +# tbEohIqK3J8KDIMXeo+QrIrneVNcMYQq9g+YMjZ2zN7dPKii72r7IfJSYd+fINcf +# 4rHZ/hhk0hJbX/lYGDW8R82hNvlrf9SwOD7BG8OMM9nYLxj+KA+zp4PWw25EwGE1 +# lhb+WZyLdm3X8aJLDSv/C3LanmDQjpA1xnhVhyChz+VtCshJfDGYM2wi6YfQMlqi +# uhOCEe05F52ZOnKh5vqk2dUXMXWuhX0irj8BRob2KHnIsdrkVxfEfhwOsLSSplaz +# vbKX7aqn8LfFqD+VFtD/oZbrCF8Yd08CAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGG +# MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEXroq/0ksuCMS1Ri6enIZ3zbcgP +# MB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMA0GCSqGSIb3DQEBBQUA +# A4IBAQCiDrzf4u3w43JzemSUv/dyZtgy5EJ1Yq6H6/LV2d5Ws5/MzhQouQ2XYFwS +# TFjk0z2DSUVYlzVpGqhH6lbGeasS2GeBhN9/CTyU5rgmLCC9PbMoifdf/yLil4Qf +# 6WXvh+DfwWdJs13rsgkq6ybteL59PyvztyY1bV+JAbZJW58BBZurPSXBzLZ/wvFv +# hsb6ZGjrgS2U60K3+owe3WLxvlBnt2y98/Efaww2BxZ/N3ypW2168RJGYIPXJwS+ +# 
S86XvsNnKmgR34DnDDNmvxMNFG7zfx9jEB76jRslbWyPpbdhAbHSoyahEHGdreLD +# +cOZUbcrBwjOLuZQsqf6CkUvovDyMIIFLDCCBBSgAwIBAgIQDhlON30mOhkOirPI +# WrUoYzANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGln +# aUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhE +# aWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBTaWduaW5nIENBMB4XDTE3MDMy +# NzAwMDAwMFoXDTE4MDQwNDEyMDAwMFowaTELMAkGA1UEBhMCQVUxEzARBgNVBAgT +# ClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRgwFgYDVQQKEw9SdXNzZWxs +# IFRvbWtpbnMxGDAWBgNVBAMTD1J1c3NlbGwgVG9ta2luczCCASIwDQYJKoZIhvcN +# AQEBBQADggEPADCCAQoCggEBAL9yEH4Y+mOkq5qq1yIMMQxZks06om9d6ifoWnQZ +# LwleCoIohbxLcc9RsAsY3b0E0alY/WGBbvxrAXDsfNtV2oRBwq4I1wRbrazuYdec +# V/ON+0cOKvSN3df9AJmbw53MBqlOLJr+f3IyLan40iY2PCt/N12zKVvPnFtoP+Lr +# QwLkUTMT+5LdmGl0UfaLkgno7EG+7CXKL1QDIw1NLiYkw1fxlcu8+MOslqV6ZFVm +# rhrM+Q0tzvVtq4DWSyn63U8j8Ij9cjnPpG3mABFN1dpu31yFBYogcPvFfQzx013f +# s4GI4mu70CDCy1vbi3oSa3jjiqExysDXcOHhZ4RVZ3xKUAsCAwEAAaOCAcUwggHB +# MB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5YMB0GA1UdDgQWBBSiIVol +# K54Mdi8hZEbQ+ZcbWmjObTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB +# BQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NybDMuZGlnaWNlcnQuY29t +# L3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0dHA6Ly9jcmw0LmRpZ2lj +# ZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwGA1UdIARFMEMwNwYJYIZI +# AYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9D +# UFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYIKwYBBQUHMAGGGGh0dHA6 +# Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZCaHR0cDovL2NhY2VydHMu +# ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRENvZGVTaWduaW5nQ0Eu +# Y3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAPLir+VRKD+MIfvl +# S7s8KtE6sBOx2JCNewUh4JVtmQECTTpvKvx25TYO23MrApApfhc8qa2mkHNpyjMX +# U7SZog3mNSIJlQrhiF1Y6xNafqbDz31qGU/booX2AHV1yfJbXNWw2tTnbukdhFO/ +# 2vSKdUqJZbYp2A+dx5zemxvtf46CTy4PxrcKmn+Umd+Cil3O3TlDTy0LGfzPTL1f +# IOAqtc4bbge6pMn5BwV0dxOZ4JTIsXlFzzIKjjOUNX/+0/iGoYAXvkyOA0wdEiDN +# qug5CTbskpE/ltGa0XCSkglk2j4431JgUC+ew2YgSsEq0dukmdUjz3HpdvrMEYfg +# 
T5PcXa4wggUwMIIEGKADAgECAhAECRgbX9W7ZnVTQ7VvlVAIMA0GCSqGSIb3DQEB +# CwUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNV +# BAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQg +# SUQgUm9vdCBDQTAeFw0xMzEwMjIxMjAwMDBaFw0yODEwMjIxMjAwMDBaMHIxCzAJ +# BgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5k +# aWdpY2VydC5jb20xMTAvBgNVBAMTKERpZ2lDZXJ0IFNIQTIgQXNzdXJlZCBJRCBD +# b2RlIFNpZ25pbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD4 +# 07Mcfw4Rr2d3B9MLMUkZz9D7RZmxOttE9X/lqJ3bMtdx6nadBS63j/qSQ8Cl+YnU +# NxnXtqrwnIal2CWsDnkoOn7p0WfTxvspJ8fTeyOU5JEjlpB3gvmhhCNmElQzUHSx +# KCa7JGnCwlLyFGeKiUXULaGj6YgsIJWuHEqHCN8M9eJNYBi+qsSyrnAxZjNxPqxw +# oqvOf+l8y5Kh5TsxHM/q8grkV7tKtel05iv+bMt+dDk2DZDv5LVOpKnqagqrhPOs +# Z061xPeM0SAlI+sIZD5SlsHyDxL0xY4PwaLoLFH3c7y9hbFig3NBggfkOItqcyDQ +# D2RzPJ6fpjOp/RnfJZPRAgMBAAGjggHNMIIByTASBgNVHRMBAf8ECDAGAQH/AgEA +# MA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEFBQcDAzB5BggrBgEFBQcB +# AQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBDBggr +# BgEFBQcwAoY3aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNz +# dXJlZElEUm9vdENBLmNydDCBgQYDVR0fBHoweDA6oDigNoY0aHR0cDovL2NybDQu +# ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDA6oDigNoY0 +# aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENB +# LmNybDBPBgNVHSAESDBGMDgGCmCGSAGG/WwAAgQwKjAoBggrBgEFBQcCARYcaHR0 +# cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAKBghghkgBhv1sAzAdBgNVHQ4EFgQU +# WsS5eyoKo6XqcQPAYPkt9mV1DlgwHwYDVR0jBBgwFoAUReuir/SSy4IxLVGLp6ch +# nfNtyA8wDQYJKoZIhvcNAQELBQADggEBAD7sDVoks/Mi0RXILHwlKXaoHV0cLToa +# xO8wYdd+C2D9wz0PxK+L/e8q3yBVN7Dh9tGSdQ9RtG6ljlriXiSBThCk7j9xjmMO +# E0ut119EefM2FAaK95xGTlz/kLEbBw6RFfu6r7VRwo0kriTGxycqoSkoGjpxKAI8 +# LpGjwCUR4pwUR6F6aGivm6dcIFzZcbEMj7uo+MUSaJ/PQMtARKUT8OZkDCUIQjKy +# NookAv4vcn4c10lFluhZHen6dGRrsutmQ9qzsIzV6Q3d9gEgzpkxYz0IGhizgZtP +# xpMQBvwHgfqL2vmCSfdibqFT+hKUGIUukpHqaGxEMrJmoecYpJpkUe8wggZqMIIF +# UqADAgECAhADAZoCOv9YsWvW1ermF/BmMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNV +# 
BAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp +# Y2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IEFzc3VyZWQgSUQgQ0EtMTAeFw0x +# NDEwMjIwMDAwMDBaFw0yNDEwMjIwMDAwMDBaMEcxCzAJBgNVBAYTAlVTMREwDwYD +# VQQKEwhEaWdpQ2VydDElMCMGA1UEAxMcRGlnaUNlcnQgVGltZXN0YW1wIFJlc3Bv +# bmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNkXfx8s+CCNeDg +# 9sYq5kl1O8xu4FOpnx9kWeZ8a39rjJ1V+JLjntVaY1sCSVDZg85vZu7dy4XpX6X5 +# 1Id0iEQ7Gcnl9ZGfxhQ5rCTqqEsskYnMXij0ZLZQt/USs3OWCmejvmGfrvP9Enh1 +# DqZbFP1FI46GRFV9GIYFjFWHeUhG98oOjafeTl/iqLYtWQJhiGFyGGi5uHzu5uc0 +# LzF3gTAfuzYBje8n4/ea8EwxZI3j6/oZh6h+z+yMDDZbesF6uHjHyQYuRhDIjegE +# YNu8c3T6Ttj+qkDxss5wRoPp2kChWTrZFQlXmVYwk/PJYczQCMxr7GJCkawCwO+k +# 8IkRj3cCAwEAAaOCAzUwggMxMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA +# MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMIIBvwYDVR0gBIIBtjCCAbIwggGhBglg +# hkgBhv1sBwEwggGSMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j +# b20vQ1BTMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBm +# ACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABp +# AHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAg +# AEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAg +# AFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAg +# AHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBu +# AGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBp +# AG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMAsGCWCGSAGG/WwDFTAfBgNV +# HSMEGDAWgBQVABIrE5iymQftHt+ivlcNK2cCzTAdBgNVHQ4EFgQUYVpNJLZJMp1K +# Knkag0v0HonByn0wfQYDVR0fBHYwdDA4oDagNIYyaHR0cDovL2NybDMuZGlnaWNl +# cnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEQ0EtMS5jcmwwOKA2oDSGMmh0dHA6Ly9j +# cmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRENBLTEuY3JsMHcGCCsG +# AQUFBwEBBGswaTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t +# MEEGCCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl +# cnRBc3N1cmVkSURDQS0xLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAnSV+GzNNsiaB +# XJuGziMgD4CH5Yj//7HUaiwx7ToXGXEXzakbvFoWOQCd42yE5FpA+94GAYw3+pux +# 
nSR+/iCkV61bt5qwYCbqaVchXTQvH3Gwg5QZBWs1kBCge5fH9j/n4hFBpr1i2fAn +# PTgdKG86Ugnw7HBi02JLsOBzppLA044x2C/jbRcTBu7kA7YUq/OPQ6dxnSHdFMoV +# XZJB2vkPgdGZdA0mxA5/G7X1oPHGdwYoFenYk+VVFvC7Cqsc21xIJ2bIo4sKHOWV +# 2q7ELlmgYd3a822iYemKC23sEhi991VUQAOSK2vCUcIKSK+w1G7g9BQKOhvjjz3K +# r2qNe9zYRDCCBs0wggW1oAMCAQICEAb9+QOWA63qAArrPye7uhswDQYJKoZIhvcN +# AQEFBQAwZTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG +# A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEkMCIGA1UEAxMbRGlnaUNlcnQgQXNzdXJl +# ZCBJRCBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTIxMTExMDAwMDAwMFowYjEL +# MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +# LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJlZCBJRCBDQS0x +# MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6IItmfnKwkKVpYBzQHDS +# nlZUXKnE0kEGj8kz/E1FkVyBn+0snPgWWd+etSQVwpi5tHdJ3InECtqvy15r7a2w +# cTHrzzpADEZNk+yLejYIA6sMNP4YSYL+x8cxSIB8HqIPkg5QycaH6zY/2DDD/6b3 +# +6LNb3Mj/qxWBZDwMiEWicZwiPkFl32jx0PdAug7Pe2xQaPtP77blUjE7h6z8rwM +# K5nQxl0SQoHhg26Ccz8mSxSQrllmCsSNvtLOBq6thG9IhJtPQLnxTPKvmPv2zkBd +# XPao8S+v7Iki8msYZbHBc63X8djPHgp0XEK4aH631XcKJ1Z8D2KkPzIUYJX9BwSi +# CQIDAQABo4IDejCCA3YwDgYDVR0PAQH/BAQDAgGGMDsGA1UdJQQ0MDIGCCsGAQUF +# BwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCDCCAdIG +# A1UdIASCAckwggHFMIIBtAYKYIZIAYb9bAABBDCCAaQwOgYIKwYBBQUHAgEWLmh0 +# dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5odG0wggFk +# BggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0AGgAaQBz +# ACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1AHQAZQBz +# ACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQAaABlACAARABpAGcAaQBD +# AGUAcgB0ACAAQwBQAC8AQwBQAFMAIABhAG4AZAAgAHQAaABlACAAUgBlAGwAeQBp +# AG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAAdwBoAGkAYwBo +# ACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAgAGEAcgBl +# ACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAgAGIAeQAg +# AHIAZQBmAGUAcgBlAG4AYwBlAC4wCwYJYIZIAYb9bAMVMBIGA1UdEwEB/wQIMAYB +# Af8CAQAweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5k +# 
aWdpY2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0 +# LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4 +# oDaGNGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJv +# b3RDQS5jcmwwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy +# dEFzc3VyZWRJRFJvb3RDQS5jcmwwHQYDVR0OBBYEFBUAEisTmLKZB+0e36K+Vw0r +# ZwLNMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMA0GCSqGSIb3DQEB +# BQUAA4IBAQBGUD7Jtygkpzgdtlspr1LPUukxR6tWXHvVDQtBs+/sdR90OPKyXGGi +# nJXDUOSCuSPRujqGcq04eKx1XRcXNHJHhZRW0eu7NoR3zCSl8wQZVann4+erYs37 +# iy2QwsDStZS9Xk+xBdIOPRqpFFumhjFiqKgz5Js5p8T1zh14dpQlc+Qqq8+cdkvt +# X8JLFuRLcEwAiR78xXm8TBJX/l/hHrwCXaj++wc4Tw3GXZG5D2dFzdaD7eeSDY2x +# aYxP+1ngIw/Sqq4AfO6cQg7PkdcntxbuD8O9fAqg7iwIVYUiuOsYGk38KiGtSTGD +# R5V3cdyxG0tLHBCcdxTBnU8vWpUIKRAmMYIETDCCBEgCAQEwgYYwcjELMAkGA1UE +# BhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2lj +# ZXJ0LmNvbTExMC8GA1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIENvZGUg +# U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY +# BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3 +# AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi +# BCAoJ3Ugifl5F59BKjDXweFVW5z11Ch8mfqEg/wr2w7P6TANBgkqhkiG9w0BAQEF +# AASCAQBo7eP+G0VbuTFm3+I0Vs97zSFbX9/IUZKKgVr5cRmIJPLyorPn4DsK4Cu9 +# fyPugt3E5HazZUVXfS0t1fCpfUJ7Y0dMyqyJQdZlkB7qRVcPiKJqIBTv2gJM8tKE +# RTsiEtpL2uDi/yTtQr593XOa+R+Iv+3kHty/ac2wfBpdHXxj5B7eKv+rpfobc6Ov +# LzlFC8rvS2LAIxlF4GzmJ5TxLHE2gzaPE+iYHwIsknaWpr9ADiJzdD5lB+e/T+r3 +# qCQpA5aSqsWy7RzwJ7aX3ZPuU1Nye98qRsB85P0L07k5ynjyPyifTYdscVGGowsG +# RWhV6Uwp396dvrr/GSyV+fiosvYLoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4 +# AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG +# A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl +# ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG +# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTJa +# MCMGCSqGSIb3DQEJBDEWBBQ7GxFbm/id7zUPbivMC9oCc0q/BTANBgkqhkiG9w0B +# 
AQEFAASCAQB8PcnzSkBk4/kYQkFDrGOMOf2LSuNihoAqbl2BZTzwXR91y67eyvJS +# tth/ZuH3EZI3WUAxQB0XboEKmrRP8x21phSNcvzMaUFtm2MZhVPSxDmBrYQumpKw +# /SryyV4XTFBCr+ngMDGPAv9JX7Mg1GDqdATyfKmyv4UZkJ5qliwKS4xRqyOg3j59 +# WH2T2hOC7FuA2CIeYNPT/yddcdFWpiCZoXa8VFXew5Yki/mUNkP6Pqd3B2egL1qU +# pX40VtVA0Bpqm7POI2AUmgkcyHsCg5za3jqQktQ73Hqs5n6FwdXEDY4shP+RpL9O +# 3GbEF/zaPvTXNvbq5AD+9GnPBx7xxcgd +# SIG # End signature block diff --git a/README.md b/README.md index 48a28f5..a25bdfc 100644 --- a/README.md +++ b/README.md 
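Review bot: In the new channel loop, the "Event channel not loaded" branch ends with a bare `Exit`, which returns status 0, so a scheduled or scripted run cannot distinguish this failure from success; `Exit 1` (with the message sent via `Write-Error` instead of `Write-Host ... -ForeGroundColor Red`) would make it detectable. The guard `If ($EventChannel -eq $Null)` should be written `If ($null -eq $EventChannel)` so that a collection result is not silently filtered by `-eq` into a false negative. `$Results = Invoke-CimMethod -Query $Query -MethodName Compress` never inspects `$Results.ReturnValue` (and `$Results` is otherwise unused), so a failed compression is silent, and `$LogRootPath` is spliced into the WQL string with only backslash doubling, so a path containing a double quote would break the query — checking ReturnValue and building the instance lookup with `Get-CimInstance -ClassName CIM_Directory -Filter` from an escaped value would be safer. Finally, the help header still says `Name: Prep-EventChannels.ps1` and its .EXAMPLE invokes `Create-Subscriptions.ps1 -InputFile DCEvents.csv`; both should name Prepare-EventChannels.ps1.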
@@ -4,21 +4,25 @@ The purpose of these project is to provide organisations without access to expen The catalyst for this project and primary working example was to provide a mechanism to allow Domain Controllers to centrally store and archive the large number of audit events they generate for archival and lookup purposes. -The 3 core components can be leveraged to allow you to build your own solutions as well. +The 4 core scripts can be used to build your own solutions as well. Custom View Creation - Create a custom view tree that allows you to easily extract specific events Manifest Creation - Creates an event channel manifest file for .dll compilation to create dedicated event channels (logs) for storage of events in management .evtx files + Event Channel Preparation - Enables the custom event channels, configures their default size and enables auto-archive. Subscription Creation - Creates the windows event collection subscription files to forward and store events in the appproiate log file. -Getting Started - Domain Controller Events -A Pre-Built version of the Manifest and DLL is available and directly matches up to the provided Custom Subscriptions, Custom Views and export scripts. Refer to the following blog post for more details +Getting Started - DC Events +Some people will happily just use the pre-provided solution and thats cool. Check out the latest release for pre-compiled Custom Views, Event Channel manifest and DLL that can quickly be used. + +Refer to the following blog post for more details http://blogs.technet.microsoft.com/russellt/2017/03/23/project-sauron-part-1 1. Create or use an existing import csv to definie the custom event channels and xPath queries 2. Compile a new or reuse an existing .manifest and .dll file to define the custom event channels 3. Load the custom events channel .manifest and .dll into your Windows Event Collector -4. Load your the correspondign WEC subscriptions into the central Windows Event Collector Server -5. 
Configure the machines to pull subscriptions from the WEC Subscription server -6. Refer to the event logs +4. Prepare the event channels +5. Load your the correspondign WEC subscriptions into the central Windows Event Collector Server +6. Configure the machines to pull subscriptions from the WEC Subscription server +7. Begin leveraging your new centralised event logs. Domain Controller Event Data Sources Account Management https://technet.microsoft.com/en-us/library/dd941622(v=ws.10).aspx
