
Comparing changes
base repository: russelltomkins/Project-Sauron
base: 1.1
head repository: russelltomkins/Project-Sauron
compare: master
  • 14 commits
  • 6 files changed
  • 1 contributor

Commits on Apr 6, 2017

  1. Add .gitignore

    russelltomkins committed Apr 6, 2017
    21735b8

Commits on Apr 19, 2017

  1. 2a66e1c

Commits on Apr 26, 2017

  1. Merge pull request #2 from russelltomkins/Development

    Added 4769 Kerberos Ticket events to DC_AL_CVS_LOGON
    russelltomkins authored Apr 26, 2017
    56f35e5

Commits on Apr 27, 2017

  1. Update README.md

    russelltomkins authored Apr 27, 2017
    d1ad3ce
  2. Add .gitignore

    russelltomkins committed Apr 27, 2017
    b456da9
  3. 84b0099
  4. 1.2 Version Updates

    russelltomkins committed Apr 27, 2017
    7815017
  5. Merge pull request #3 from russelltomkins/Development

    Updates for 1.2
    russelltomkins authored Apr 27, 2017
    af47fc1

Commits on Apr 28, 2017

  1. Typo in script

    Typo fixed and re-signed.
    russelltomkins committed Apr 28, 2017
    ae6aabc
  2. Merge pull request #4 from russelltomkins/Development

    Typo in Create-Subscription.ps1
    russelltomkins authored Apr 28, 2017
    64a2526

Commits on May 8, 2017

  1. 1.3 Updates

    Updated Account Logon short names to DC_AL_LS from DC_AL_CVS
    russelltomkins committed May 8, 2017
    04f5240
  2. 02b252c
  3. Update README.md

    russelltomkins authored May 8, 2017
    2f30a0b

Commits on May 9, 2017

  1. Updated blog link.

    russelltomkins authored May 9, 2017
    9decf5e
Showing with 91 additions and 79 deletions.
  1. +1 −0 .gitignore
  2. +7 −7 Create-CustomViews.ps1
  3. +20 −20 Create-Manifest.ps1
  4. +34 −21 Create-Subscriptions.ps1
  5. +17 −7 DCEvents.csv
  6. +12 −24 README.md
1 change: 1 addition & 0 deletions .gitignore
@@ -0,0 +1 @@
Pre-Built\
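Review bot: the trailing backslash in `Pre-Built\` does not mark a directory in .gitignore syntax (git uses `/` as the path separator and treats `\` as an escape character), so this pattern is unlikely to match the Pre-Built folder as intended; use `Pre-Built/` to ignore the directory, or plain `Pre-Built` to match either a file or a directory of that name.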
14 changes: 7 additions & 7 deletions Create-CustomViews.ps1
@@ -281,12 +281,12 @@ Write-Host "`nLaunch Event Viwer (eventvwr.exe) and expand Custom Views to use t
# AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG
# A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl
# ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG
# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTBa
# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzI2NTJa
# MCMGCSqGSIb3DQEJBDEWBBQjjsKnRRahp8E/oxtMOCizmT6raDANBgkqhkiG9w0B
# AQEFAASCAQAevhz5h1IaLpwLxoy4lKJ9KbOCHYS5afAlHms7cOSyTBF6wPtErp1+
# dlKQePXSPQjEnVuunbACbjZ1M1sCRdECPXTxZJN/c6OVE6PzgMLqXukzttdAeF0I
# JMAv5LTt9mPBb0/Ix4t4YxpZahuIXAj1fp7Kbv+v6//+NidRNs0VPbhgIuBv9CVB
# 94ugKQWHu3fVPmRMTY7k5Grx/XsXBjQxQbVD7tAAizOAaCFioavYMfR9EsDu+lWA
# NbBe7BwayCqvyM/TMlKtvh+DIhDortznbJiUT04FKcWSDhn22xUflmt0UTvm5Z0b
# zStCeO2xNPsL24raX38FXEAanBBlVkx0
# AQEFAASCAQCclzjqREwCjRhgLSXNCnTn3ginsyBRX5199V5lTHM1km5/G7NCSMeK
# TEgc0r+1leh1IRJ1N4XDSQRDK3uustzVzetZk49z2iDDNnA3D2l5wwIowEnTzEmi
# LO4YtQ0WtHNF7WLx73isutQyf2Id7bUy41pKmgWMnnUF11sf64BG6ZGsKIv2kYXE
# D24Pf8EbVL9prmBRPrSWILRtA8xXoyFtlFPH4zweglJPQ6m5uouXRHTgvnr6d5UY
# mC9USr4L1p+PZEk6S5RAy0QoPctT2KjvZzq3emIsvpY/qJZrT0wkBHJVpijR7Gpn
# aHqUWhSNU2a8MuoKR7ajwlCh8fVfv40c
# SIG # End signature block
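Review bot: the only change to this file is the Authenticode signature block (the signing-time line and the six signature lines are replaced, while the line between them that carries the message digest is unchanged), so the script body is byte-for-byte the 1.1 version and was merely re-signed; a signature-only change is diff noise for reviewers, and the commit message should say "re-signed only" so nobody hunts for a functional change that is not there.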
40 changes: 20 additions & 20 deletions Create-Manifest.ps1
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS
Name: Create-Manifest.ps1
Version: 1.1
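Review bot: the change to the opening `<#` line is invisible in the rendered diff (a byte-order mark, line-ending or trailing-whitespace change), while the `Version: 1.1` line directly below it is unchanged context even though this compare is the 1.2 release; either bump the header version to match Create-Subscriptions.ps1, or drop the whitespace-only edit so the file is not re-signed for no functional reason.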
@@ -119,10 +119,10 @@ $xmlWriter.WriteStartElement("instrumentation")
$xmlWriter.WriteEndElement() # Closing events
$xmlWriter.WriteEndElement() # Closing Instrumentation
$xmlWriter.WriteEndElement() # Closing instrumentationManifest
 

# End the XML Document
$xmlWriter.WriteEndDocument()
 

# Finish The Document
$xmlWriter.Finalize
$xmlWriter.Flush()
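Review bot: the two changed lines here only strip trailing whitespace, but the unchanged context line `$xmlWriter.Finalize` is a bug worth fixing in the same pass: without parentheses PowerShell does not invoke the method, it emits a method-info object to the pipeline, and Finalize is not meant to be called from script in any case; replace it with `$xmlWriter.Close()` after `$xmlWriter.Flush()` so the manifest stream is actually closed and written to disk.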
@@ -147,8 +147,8 @@ Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man`
# SIG # Begin signature block
# MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCClCmr0opDAE+lP
# 3KmO1Yo/zh3Uyu3u6vT24xFcxuNZ9aCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCAz875ReOXG/tv
# zTHsBCsL3pUtOzV1o4CS9g/FpRzpnaCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG
# /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV
# BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa
@@ -300,22 +300,22 @@ Write-Host "`t `"c:\windows\system32\wevtutil.exe`" im `"$DLLPath\$BaseName.man`
# U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY
# BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3
# AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi
# BCAgSxj3/sCjD2c91lGljGzSQSzSR6JpgbNciSzyWDcFwjANBgkqhkiG9w0BAQEF
# AASCAQBOZx7FjhF/9BDJADEUgdaXB3tRpnCT9wLLby/LsBNI3Zcq2//ujc4ltmbt
# i1+fg2IT7nt/IWYS0s/XSMi4DQ0rdT3a/WeMIaQBa7zxytlqUFOmBdMoDc3AB/Nh
# l4sYYFwSHwWRDhNeNXZ+cb5+GjSBPn9Yy1sRxgC/Uap0VW9e1zRWDJtxpxG9ppWN
# pEZa8EMdS5s0TNV8bOI3XGu4uUnX5gUSyia1ISc9vls8Lb0wZFqk2wUz1sU2mTep
# 9n01bXJa0w+N2hunlVWXQUVLWwdU+9BkbS9gprUV4/5zZwqdgzT7aSonEn9U3HDw
# lM5ZkozbE15nP+qTDQ1wTzUvHELvoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4
# BCCBZH5LnhW1onlsB9QZnEUfx9z3/zhBvlSwPjQtkT5OeDANBgkqhkiG9w0BAQEF
# AASCAQAbStzdKqUtm/4bowcmeKfHPkBjBs/Hv0iT+ah9xnK9jgSfG6gs3sHYY0ec
# 2dAmYXfKHcbwtrmuIL3Chyzzo9kyBuKzsslSbjMFU87icX4t04IbORIsv7EH4mml
# KX6pPMSfz2S5VHf1YoIBH7UXsH3lb1WMA/rqJ8yrcZKg1WST9LYUqv4fsH7BHBYE
# LJcqbbVds0I9OsMSDy7UGXVM/Jzw5rH/1O0x/H3NLbPkBSZZ6f5jsJaeaOTS5M5f
# zQDGKb+zjyNMFYQHaWxuAky1kzqRuWlYe1csKoXbBvxfeXP68DxnoeGnsbJ9epyC
# hyBjzo99p8mXQAUJ2z9venmvHqV7oYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4
# AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG
# A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl
# ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG
# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTFa
# MCMGCSqGSIb3DQEJBDEWBBQFcCtVgUTgayMN3C3fDrfJxF1SLDANBgkqhkiG9w0B
# AQEFAASCAQChXxUj0qqDiQZlu0wRdPa/3YLpxT5gORcPNBKkUt7oUTIOzZGytfxN
# RJFjm40NAPqgEGcdEkDH6WMzZ7eEpE2T96l9d8d5nn3hbyr+OfWGvSJ81WRQ6P0W
# Gzx9448EEkWa7vTHXSCwVcLFWtYIXGP1o/Ijo94tplLrAR4tYWIrql+ECuy0AEVZ
# uAfZWdKsZTO43yzAvj/7sODAp2ZrTSnuL7tcGZW9i+7vGuAKOVNPQx6kUd+DsI7+
# Kz7rchZdZjmcgfmhWnH3RMDxTxTDC8E8waHELEfmpJCEEMhcmE5EiJhUaVcnfQj6
# Lxy7VK+G+/tXwAaOXcWA2YaQ21HShPW8
# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjcxMzI4NTZa
# MCMGCSqGSIb3DQEJBDEWBBQYe1EBmfCyrVtJc5bOQ7EEe1tR+zANBgkqhkiG9w0B
# AQEFAASCAQA1O0ow+OyJeUFbdHvCQRJ5jKrxYWmglJvKZN2SSa/DHvvcffnmqRO/
# b7CjwJrZKULDf7r+QTmba2QeRff0VdybnFIZqv+0vUR7TEKhiU1Db7Ekjhwh/mIP
# G00wgFyfr+aim8oSrWVIoQ3j2YQketG/GfF+r7zYL2TN9q81z9Sk3cCeVm+e5iS9
# FqtirVu2yNK85F/4gCTfbHi1bz7dVrSwoXfiZZ/gTKPajA6biQQXOZGV684YwqiD
# Cz8re1vhtD5dOB4QJsgbnx95iioVbkDn7Yfe80IWghECA487xAtnlVb8RN+uC9m0
# qessUvZkWtTKQUz1xmX6HP/DfNfWPmvG
# SIG # End signature block
55 changes: 34 additions & 21 deletions Create-Subscriptions.ps1
@@ -1,7 +1,7 @@
<#
.SYNOPSIS
Name: Create-Subscriptions.ps1
Version: 1.1
Version: 1.2
Author: Russell Tomkins - Microsoft Premier Field Engineer
Blog: https://aka.ms/russellt
@@ -19,11 +19,16 @@
.EXAMPLE
Create and Import the WEC subscriptions (disabled by default)
Create-Subscriptions.ps1 -InputFile DCEvents.csv
.EXAMPLE
Create, Import and force enable the WEC subscriptions
Create-Subscriptions.ps1 -InputFile <inputfile.csv> -CreateEnabled
.EXAMPLE
Create and Import the WEC subscriptions (disabled by default). Tell the server to
send existing and new events that that match the subscription
Create-Subscriptions.ps1 -InputFile DCEvents.csv -ReadExistingEvents
.EXAMPLE
Only create the WEC subscription files, do not import them.
Create-Subscriptions.ps1 -InputFile <inputfile.csv> -NoImport
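Review bot: the new example text has a doubled word, "send existing and new events that that match the subscription", and the examples are inconsistent about the input file, two use the `<inputfile.csv>` placeholder and two use the literal `DCEvents.csv`; pick one form for all four so the help output reads cleanly.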
@@ -40,6 +45,10 @@
.PARAMETER NoImport
Creates the subscriptions files, but does not import them
.PARAMETER ReadExistingEvents
Creates the subscriptions files and instructs the servers to send existing events that match the criteria
through to the collector.
LEGAL DISCLAIMER
This Sample Code is provided for the purpose of illustration only and is not
intended to be used in a production environment. THIS SAMPLE CODE AND ANY
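Review bot: the new `.PARAMETER ReadExistingEvents` text should state the operational cost: with this switch every subscribed domain controller forwards its entire existing backlog of matching events on first connect, which for large Security logs can swamp the collector and the forwarded-events channel; a one-line warning here (and "subscription files" rather than "subscriptions files", in both this and the `NoImport` entry) would keep operators from enabling it by accident on a live collector.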
@@ -69,7 +78,8 @@
[Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$InputFile,
[Parameter(Mandatory=$false)][string]$OutputFolder=$PWD,
[Parameter(Mandatory=$false)][Switch]$CreateEnabled,
[Parameter(Mandatory=$false)][Switch]$NoImport)
[Parameter(Mandatory=$false)][Switch]$NoImport,
[Parameter(Mandatory=$false)][Switch]$ReadExistingEvents)

# Configure and Start the Windows Event Collector Services except if we are not importing.
If (!($NoImport)){
@@ -145,7 +155,10 @@ ForEach($Channel in $CustomChannels){
$xmlWriter.WriteCData('<QueryList><Query Id="0" Path="' + $Channel.QueryPath + '">' + $Channel.Query + '</Query></QueryList>')
$xmlWriter.WriteEndElement() # Closing Query

$xmlWriter.WriteElementString("ReadExistingEvents","True")
If ($ReadExistingEvents){
$xmlWriter.WriteElementString("ReadExistingEvents","True")}
Else{
$xmlWriter.WriteElementString("ReadExistingEvents","False")}
$xmlWriter.WriteElementString("TransportName","HTTP")
$xmlWriter.WriteElementString("ContentFormat","events")
$xmlWriter.WriteStartElement("locale")
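Review bot: this flips the default from the hard-coded `ReadExistingEvents` of True in 1.1 to False unless the switch is given, which is a behaviour change for anyone re-running the script against an existing deployment and should be called out in the README and version notes; the If/Else can also be collapsed to a single `$xmlWriter.WriteElementString("ReadExistingEvents", ([bool]$ReadExistingEvents).ToString())`, which writes "True" or "False" straight from the switch. The unchanged `TransportName` of HTTP is acceptable for WEF because the WinRM channel still authenticates with Kerberos and encrypts the payload at the message level, but a comment saying so would save future reviewers from flagging it as cleartext.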
@@ -194,8 +207,8 @@ Else{
# SIG # Begin signature block
# MIIgVAYJKoZIhvcNAQcCoIIgRTCCIEECAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDmRTCSV+qfcL+6
# pOqLspQirwP7zaAf9qnDaQCuzmm48qCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDOn+KCY+jIibk5
# yxihjrxQTYqPwbc8olUALOThxWlZbKCCG14wggO3MIICn6ADAgECAhAM5+DlF9hG
# /o/lYPwb8DA5MA0GCSqGSIb3DQEBBQUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV
# BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBa
@@ -347,22 +360,22 @@ Else{
# U2lnbmluZyBDQQIQDhlON30mOhkOirPIWrUoYzANBglghkgBZQMEAgEFAKCBhDAY
# BgorBgEEAYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3
# AgEEMBwGCisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEi
# BCBdRdQcl3uoARDQBCqg/cwdZleMA9onGTt8ho1IDiiCqDANBgkqhkiG9w0BAQEF
# AASCAQB82JthTsuUn9nAfJm4u94njOdCcya64ThMcwTw6gjtOMmW8lys7gnoxCvB
# hOBF+DVlOcBp0LUMN4yYZM8M9HxSjZTdQ0efzcEQZRfnhF5MvRyWSwnfG+dhaC2U
# 26WTx3F9CPiJhZlbbC13jcZmlkGmP+5tY7kXnn+QTIqO9KO4Se9BYkRR8u4lH5JS
# 3NwEzvyWauHblG5jpAY6gGGb63xl/bC1lc2NEkcRwE+bkPjPyp8k4P4CjGsseouJ
# VuLqLv8PP2nk1SAoYzTPj3qPLPhi9UuLV9rk4AWTLPbro1qbrGim0LAS9ccKknBG
# 9NCZa6tmIVjcW5Lql7UKsjmn6wlnoYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4
# BCA76aHF9UWkQLZ7VsXY3Q9Fe4yEw+YT4gVlPnHWa+mnKTANBgkqhkiG9w0BAQEF
# AASCAQCQP5F8EtnYjLB8DvaAqSszCmKlAXN6XxGCPTBSAfW+Atqs/GsgfK3BPRNo
# 2xruqCYrUHZzuWRWmiuxWUrZCl+KSu6FkbTzYSRspDjNEutWH+kHaIXnX+UcQZg3
# V0DTm1PzkFjMYY/ICapQHio/ZCfrsGh29imoeVS5K8aUMA9UYo/6mD/Wro6Mn0cR
# LtI1OBLOXxIeJmXxT0mU9CswOeVsAUc8x+Lv87rGSfjh/TUQhNm/q6Sm9UFbkn35
# IG5TIA+wVJtkdQ79tv8XH+m/fMXoCHsSvpB3eEvf+9lFGULVGXNHYtOmiS4C+Sud
# XwS9KjqnxoNmu8FeHdbwCDjxHeu0oYICDzCCAgsGCSqGSIb3DQEJBjGCAfwwggH4
# AgEBMHYwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG
# A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgQXNzdXJl
# ZCBJRCBDQS0xAhADAZoCOv9YsWvW1ermF/BmMAkGBSsOAwIaBQCgXTAYBgkqhkiG
# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MDYxMjAwNTNa
# MCMGCSqGSIb3DQEJBDEWBBQUSafeu49EHQNcvAKNKKEXcURbrjANBgkqhkiG9w0B
# AQEFAASCAQBt8bsMZ+lx7gSEFFX1I3cRmEsv7JmDxsE8z/SJDd/l9Ua2Tf6hnTnl
# U6hhIV7VQAEDLq9CaATkug3QjykqDYRWOWHAKZz3ngSulxfN/AQLrZP1tLByxfxW
# 8pCinR0sIO+jggioo1EcMJeajEEtUrWJU/280MWcEgs8ghlQedfoDPMxxoWwBZv9
# 2ovdiXp4qTkvq0bMEt/p19doeYeQJC68cFUob2l3MN4bvkFW1AmrmhuRvr3VckY+
# GglJxeANfnFKHHwjsi6WEWzNY2m7SJUwuaF7PrcAi2eNq9t2rMUpQrBts6xlfrbw
# 9lOStks/uV58iNSRQfFxEqX1lSHbkO5O
# 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA0MjgwMTUwMTZa
# MCMGCSqGSIb3DQEJBDEWBBQBBcreF3L9iR0egP4MwRQoaRQeozANBgkqhkiG9w0B
# AQEFAASCAQBkHn11CW51J+u2ABgHPbvj0ViUmHMpC/Nc6ovibNK8RBf1+bBJTW5V
# h5T2xdZ2TFTSuqY8GA4xSsncPVggWViQ1wO2YqOz0Zd5OlFMu5wCykizsNzgEpbT
# iv7szM8gF9aa9UXj1CGX9Abng6e5J0hqAgqWOaDiGKEelay/FbhtIIs2TbgiljxX
# X5CmjXyipf9fvEUKIA16nlEIfGYDEWvm8J5Hz5pMzBZ1bDt29Aiob2iSx7cDC+GX
# RoKER1WluntE0+e9smbOmwwWXmf+BiQ5/tNVpN/WXS55yXYFT7LYO6NPiLMKxuR3
# ick/KbWydOBbJuC/lQnOjlUiKAktqDSS
# SIG # End signature block
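Review bot: since all three scripts are re-signed in this release and the signature blocks cannot be reviewed by eye, the PR description should include the output of `Get-AuthenticodeSignature` over the three .ps1 files showing Status Valid and the same signer certificate thumbprint as the 1.1 files, so reviewers can confirm the new signatures chain to the same code-signing certificate without decoding the blocks by hand.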