EventMonitor.Windows

1.0.3

Real-time Windows security event monitoring with zero-polling architecture. Uses EventLogWatcher
for instant OS-level event delivery, a self-healing watchdog, and pluggable telemetry sinks.

Monitors 40+ event IDs across 17 groups: logon/logoff, failed authentication (brute force),
account management, group membership changes, privilege escalation, process execution,
persistence (services/tasks), audit tampering, PowerShell script logging, SSH, RDP, WinRM
(lateral movement), Windows Defender, firewall rule changes, network shares, and system health.

Features: monitoring levels (Minimum/Standard/High/Custom), JSONL event journal for AI/SIEM,
configurable log retention, 21 exported functions, local-first with optional cloud telemetry.

Zero external dependencies beyond one Microsoft DLL. Install, register, and forget.
Requires PowerShell 7.4+, Windows 10/11 or Server 2016+, administrator privileges.
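To make the zero-polling EventLogWatcher design concrete, here is an added PowerShell example (not the module's own code) that subscribes to the Security log for logon events 4624 and 4625 and counts failures per source address. It assumes an elevated PowerShell 7.4+ session; the 5-failures-in-60-seconds threshold and per-IP bucketing are constructed for illustration, not the module's rules.

```powershell
# Added example, not EventMonitor.Windows code. Requires an elevated session:
# the Security log cannot be read without administrator privileges.
using namespace System.Diagnostics.Eventing.Reader

# 4624 = successful logon, 4625 = failed logon (standard Security log IDs).
# The OS pushes matching records to the watcher; nothing here polls Get-WinEvent.
$query   = [EventLogQuery]::new('Security', [PathType]::LogName,
    '*[System[(EventID=4624 or EventID=4625)]]')
$watcher = [EventLogWatcher]::new($query)

# Constructed detection state: source IP -> timestamps of recent failed logons.
$global:FailedLogons = @{}

$onEvent = {
    $rec = $EventArgs.EventRecord
    if ($null -eq $rec) { return }          # null signals a watcher error, not an event

    # Pull EventData fields by name rather than by fragile property index.
    $xml  = [xml]$rec.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $stamp = $rec.TimeCreated.ToString('u')

    if ($rec.Id -eq 4624) {
        Write-Host "$stamp LOGON  user=$($data.TargetUserName) type=$($data.LogonType) from=$($data.IpAddress)"
        return
    }

    # 4625: keep only failures from this source inside a sliding 60-second window.
    $src    = $data.IpAddress
    $now    = Get-Date
    $recent = @($global:FailedLogons[$src] | Where-Object { $_ -gt $now.AddSeconds(-60) })
    $recent += $now
    $global:FailedLogons[$src] = $recent
    Write-Host "$stamp FAILED user=$($data.TargetUserName) from=$src status=$($data.Status)"
    if ($recent.Count -ge 5) {
        Write-Host "ALERT possible brute force: $($recent.Count) failures from $src in 60s" -ForegroundColor Red
    }
}

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier SecLogWatch -Action $onEvent | Out-Null
$watcher.Enabled = $true
Write-Host 'Watching Security log (4624/4625). Press Ctrl+C to stop.'
try   { while ($true) { Wait-Event -Timeout 5 | Out-Null } }
finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier SecLogWatch
    $watcher.Dispose()
}
```

Generate a failed logon with a deliberately wrong password in another session to see the FAILED line arrive without any polling delay.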

Minimum PowerShell version

7.4

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name EventMonitor.Windows

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name EventMonitor.Windows

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Copyright

(c) 2026-present Rakesh Navale. All rights reserved.

Package Details

Author(s)

  • Rakesh Navale

Tags

Windows Security EventMonitor EventLog SIEM ApplicationInsights Telemetry RDP SSH WinRM Logon AuditLog ThreatDetection Defender Firewall BruteForce ScheduledTask PowerShell7

Functions

  • Register-EventMonitor
  • Unregister-EventMonitor
  • Uninstall-EventMonitor
  • Start-EventMonitor
  • Stop-EventMonitor
  • Enable-EventMonitor
  • Disable-EventMonitor
  • Get-EventMonitor
  • Invoke-EventMonitor
  • Get-WindowsEventsAndSessions
  • Get-MonitoredEventCategories
  • Set-MonitoringLevel
  • Get-MonitoringConfig
  • Get-EventGroups
  • Set-EventJournal
  • Set-EMLogLevel
  • Get-EventHistory
  • Show-EventMonitorHelp
  • Register-TelemetrySink
  • Unregister-TelemetrySink
  • Get-TelemetrySinks

PSEditions

Core

Dependencies

This module has no dependencies.

Release Notes

1.0.1 - Initial public release
* Event-driven architecture via EventLogWatcher (zero polling, real-time detection)
* Self-healing watchdog with auto-restart, catch-up sweep, health telemetry
* 40+ Windows event IDs across 17 groups (Logon, Logoff, SSH, RDP, Account, Group, Privilege, Process, Persistence, Audit, PowerShell, NetworkShare, NetworkFirewall, SystemHealth, WinRM, Defender + custom)
* 4 monitoring levels: Minimum (4 groups), Standard (13), High (17), Custom
* 21 exported functions including monitoring config, event history, telemetry sinks
* Pluggable telemetry sinks: App Insights built-in, add webhook/SIEM/email/custom
* JSONL event journal for AI tools, SIEM, and offline analysis
* Data stored in C:\ProgramData\WindowsEventMonitor\ (survives module updates)
* Connection string via env var, file, or parameter (ACL-protected)
* Auto-restart on crash (3 retries), AtStartup trigger, idempotent registration
* Application Insights SDK 3.0.0 (net9.0), PowerShell 7.4+ required

Version History

Version: 1.0.3 (current version)
Downloads: 0
Last updated: 3/9/2026