Get-ApplockerWinEvent

1.0

Get-ApplockerWinEvent.ps1

<#PSScriptInfo
 
.Version
    1.0
.Guid
    9be00d5e-0fd8-4b87-be0a-28e97bdd67b7
.Author
    Thomas J. Malkewitz @dotps1
.Tags
    Applocker, WinEvent
.ProjectUri
    https://github.com/dotps1/PSFunctions
 
#>

<#
 
.Synopsis
    Gets Applocker related events.
.Description
    Gets Applocker events based on given critera from the local or remote machine(s).
.Inputs
    System.String
.Outputs
    System.Diagnostics.Eventing.Reader.EventLogRecord
.Parameter Name
    System.String
    The name of the system to get Applocker data against.
.Parameter EventType
    System.String
    The type of Applocker events to get, the default value is all events from the Microsoft-Windows-AppLocker log provider.
.Parameter LogName
    System.String
    The specific log to pull events from, the default value is all logs from the Microsoft-Windows-AppLocker log provider.
.Parameter Credential
    System.Management.Automation.PSCredential
    Credential object used for authentication.
.Parameter MaxEvents
    System.Int
    The maximum number of EventLogRecord objects to return.
.Parameter Oldest
    System.Management.Automation.SwitchParameter
    Returns EventLogRecord objects from oldest to newest.
.Parameter StartTime
    System.DateTime
    The starting range to get EventLogRecord objects from.
.Parameter EndTime
    System.DateTime
    The ending range to get EventLogRecord objects from.
.Example
    PS C:\> Get-ApplockerWinEvent -MaxEvents 2
 
 
        ProviderName: Microsoft-Windows-AppLocker
 
    TimeCreated Id LevelDisplayName Message
    ----------- -- ---------------- -------
    10/5/2017 8:17:59 AM 8005 Information %OSDRIVE%\USERS\dotps1\DOCUMENTS\GITHUB\PSFUNCTIONS\FUNCTIONS\GET-APPLOCKERWINEVENT.PS1 was allowed to run.
    10/5/2017 8:15:10 AM 8002 Information %PROGRAMFILES%\GIT\MINGW64\BIN\GIT.EXE was allowed to run.
.Example
    PS C:\> Get-ApplockerWinEvent -MaxEvents 2 -Oldest -LogName ExeAndDll -Credential (Get-Credential) -ComputerName myremotebox
 
 
        ProviderName: Microsoft-Windows-AppLocker
 
    TimeCreated Id LevelDisplayName Message
    ----------- -- ---------------- -------
    10/5/2017 7:33:43 AM 8002 Information %OSDRIVE%\USERS\dotps1\APPDATA\LOCAL\MICROSOFT\ONEDRIVE\ONEDRIVESTANDALONEUPDATER.EXE was prevented from running.
    10/5/2017 7:33:43 AM 8002 Information %PROGRAMFILES%\GIT\CMD\GIT.EXE was allowed to run.
.Notes
    When running against a remote machine, and the results are: "No events were found that match the specified selection criteria.", you may just need to authenticate.
    Run the command and use the -Credential parameter.
.Link
    https://dotps1.github.io
.Link
    https://www.powershellgallery.com/packages/Get-ApplockerWinEvent
.Link
    https://grposh.github.io
 
#>


[CmdletBinding()]
[OutputType(
    [System.Diagnostics.Eventing.Reader.EventLogRecord]
)]

param(
    [Parameter(
        ValueFromPipeline = $true
    )]
    [Alias(
        "ComputerName"
    )]
    [String[]]
    $Name = $env:COMPUTERNAME,

    [Parameter()]
    [ValidateSet(
        "All", "Allowed", "Audit", "Blocked"
    )]
    [String]
    $EventType = "All",

    [Parameter()]
    [ValidateSet(
        "ExeAndDll", "MsiAndScript", "PackagedAppExecution", "PackagedAppDeployment"
    )]
    [String]
    $LogName,

    [Parameter()]
    [PSCredential]
    $Credential = [PSCredential]::Empty,

    [Parameter()]
    [Int]
    $MaxEvents,

    [Parameter()]
    [Switch]
    $Oldest,

    [Parameter()]
    [DateTime]
    $StartTime = [DateTime]::MinValue,

    [Parameter()]
    [DateTime]
    $EndTime = [DateTime]::MaxValue
)

begin {
    $filterHashTable = @{
        ProviderName = "Microsoft-Windows-AppLocker"
        StartTime = $StartTime
        EndTime = $EndTime
    }

    switch ($EventType) {
        "Allowed" {
            $filterHashTable.Add(
                "Id", @(
                    8002, 8005, 8020, 8023
                )
            )
        }

        "Audit" {
            $filterHashTable.Add(
                "Id", @(
                    8003, 8006, 8021, 8024
                )
            )
        }

        "Blocked" {
            $filterHashTable.Add(
                "Id", @(
                    8004, 8007, 8022, 8025
                )
            )
        }
    }

    switch ($LogName) {
        "ExeAndDll" {
            $filterHashTable.Add(
                "LogName", "Microsoft-Windows-AppLocker/EXE and DLL"
            )
        }

        "MsiAndScript" {
            $filterHashTable.Add(
                "LogName", "Microsoft-Windows-AppLocker/MSI and Script"
            )
        }

        "PackagedAppExecution" {
            $filterHashTable.Add(
                "LogName", "Microsoft-Windows-AppLocker/Packaged app-Execution"
            )
        }

        "PackagedAppDeployment" {
            $filterHashTable.Add(
                "LogName", "Microsoft-Windows-AppLocker/Packaged app-Deployment"
            )
        }
    }
}

process {
    foreach ($nameValue in $Name) {
        $getWinEventParameters = @{
            ComputerName = $nameValue
            Credential = $Credential
            FilterHashTable = $filterHashTable
            ErrorAction = "Stop"
        }

        if ($MaxEvents -gt 0) {
            $getWinEventParameters.Add(
                "MaxEvents", $MaxEvents
            )
        }

        if ($Oldest.IsPresent) {
            $getWinEventParameters.Add(
                "Oldest", $Oldest
            )
        }

        try {
            $output = Get-WinEvent @getWinEventParameters

            Write-Output -InputObject $output
        } catch {
            $PSCmdlet.ThrowTerminatingError(
                $_
            )
        }
    }
}