RamblingCookieMonster/Get-WinEventData and Sysmon.ps1

## Get-WinEventData and Sysmon.ps1
    # Download and dot source Get-WinEventData
        # https://gallery.technet.microsoft.com/scriptcenter/Get-WinEventData-Extract-344ad840
        . "\\path\to\Get-WinEventData.ps1"

    # Download and Set up Sysmon as desired
        # http://technet.microsoft.com/en-us/sysinternals/dn798348
        # http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon

    #Use Get-WinEvent and Get-WinEventData to obtain events and extract XML data from them - let's see all the properties behind one!
        Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=3} |
            Get-WinEventData |
            Select-Object -first 1 -Property *

            <#
                ...
                EventDataUtcTime             : 10/8/2014 10:41 PM
                EventDataProcessGuid         : {00000000-A3D1-5435-0000-001094C60700}
                EventDataProcessId           : 5248
                EventDataImage               : C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
                EventDataUser                : *************\*************
                EventDataProtocol            : tcp
                EventDataInitiated           : false
                EventDataSourceIsIpv6        : false
                EventDataSourceIp            : 127.0.0.1
                EventDataSourceHostname      : *************
                EventDataSourcePort          : 12804
                EventDataSourcePortName      :
                EventDataDestinationIsIpv6   : false
                EventDataDestinationIp       : 127.0.0.1
                EventDataDestinationHostname : *************
                EventDataDestinationPort     : 12805
                EventDataDestinationPortName :
                ...
            #>

        # Work with the extracted data as desired - look for activity involving plex
        Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"} |
            Get-WinEventData |
            Where-Object{$_.EventDataImage -like "*plex*"} |
            Select-Object EventDataSourceIP, EventDataDestinationIP

            <#
                EventDataSourceIp EventDataDestinationIp
                ----------------- ----------------------
                127.0.0.1         127.0.0.1
                127.0.0.1         127.0.0.1
                192.168.1.4       192.168.1.4
                192.168.1.4       192.168.1.4
                127.0.0.1         127.0.0.1
                127.0.0.1         127.0.0.1
                127.0.0.1         127.0.0.1
                127.0.0.1         127.0.0.1
                192.168.1.4       192.168.1.115
                192.168.1.4       192.168.1.115
                192.168.1.4       192.168.1.115
            #>

        # Work with the extracted data as desired -  filter on port
            Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"} |
                Get-WinEventData |
                Where-Object{$_.EventDataDestinationPort -eq 443} |
                Select-Object EventDataImage, EventDataSourceIP, EventDataDestinationIP

                <#
                    EventDataImage                                                                                                   EventDataSourceIp EventDataDestinationIp
                    --------------                                                                                                   ----------------- ----------------------
                    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20605_x64__ekyb3d8bb\LiveComm.exe     192.168.1.4       208.125.145.225
                    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe                                                      192.168.1.4       74.125.225.69
                    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe                                                      192.168.1.4       74.125.228.75
                    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe                                                      192.168.1.4       74.125.225.87
                    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20605_x64__ekyb3d8bb\LiveComm.exe     192.168.1.4       208.125.145.225
                    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe                                                      192.168.1.4       74.125.228.76
                    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe                                                      192.168.1.4       74.125.225.87
                    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe                                                      192.168.1.4       199.96.57.7
                #>
	# Download and dot source Get-WinEventData
	# https://gallery.technet.microsoft.com/scriptcenter/Get-WinEventData-Extract-344ad840
	. "\\path\to\Get-WinEventData.ps1"

	# Download and Set up Sysmon as desired
	# http://technet.microsoft.com/en-us/sysinternals/dn798348
	# http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon

	#Use Get-WinEvent and Get-WinEventData to obtain events and extract XML data from them - let's see all the properties behind one!
	Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=3} \|
	Get-WinEventData \|
	Select-Object -first 1 -Property *

	<#
	...
	EventDataUtcTime : 10/8/2014 10:41 PM
	EventDataProcessGuid : {00000000-A3D1-5435-0000-001094C60700}
	EventDataProcessId : 5248
	EventDataImage : C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
	EventDataUser : ***********\***********
	EventDataProtocol : tcp
	EventDataInitiated : false
	EventDataSourceIsIpv6 : false
	EventDataSourceIp : 127.0.0.1
	EventDataSourceHostname : *************
	EventDataSourcePort : 12804
	EventDataSourcePortName :
	EventDataDestinationIsIpv6 : false
	EventDataDestinationIp : 127.0.0.1
	EventDataDestinationHostname : *************
	EventDataDestinationPort : 12805
	EventDataDestinationPortName :
	...
	#>

	# Work with the extracted data as desired - look for activity involving plex
	Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"} \|
	Get-WinEventData \|
	Where-Object{$_.EventDataImage -like "plex"} \|
	Select-Object EventDataSourceIP, EventDataDestinationIP

	<#
	EventDataSourceIp EventDataDestinationIp
	----------------- ----------------------
	127.0.0.1 127.0.0.1
	127.0.0.1 127.0.0.1
	192.168.1.4 192.168.1.4
	192.168.1.4 192.168.1.4
	127.0.0.1 127.0.0.1
	127.0.0.1 127.0.0.1
	127.0.0.1 127.0.0.1
	127.0.0.1 127.0.0.1
	192.168.1.4 192.168.1.115
	192.168.1.4 192.168.1.115
	192.168.1.4 192.168.1.115
	#>

	# Work with the extracted data as desired - filter on port
	Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"} \|
	Get-WinEventData \|
	Where-Object{$_.EventDataDestinationPort -eq 443} \|
	Select-Object EventDataImage, EventDataSourceIP, EventDataDestinationIP

	<#
	EventDataImage EventDataSourceIp EventDataDestinationIp
	-------------- ----------------- ----------------------
	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20605_x64__ekyb3d8bb\LiveComm.exe 192.168.1.4 208.125.145.225
	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 192.168.1.4 74.125.225.69
	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 192.168.1.4 74.125.228.75
	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 192.168.1.4 74.125.225.87
	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20605_x64__ekyb3d8bb\LiveComm.exe 192.168.1.4 208.125.145.225
	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 192.168.1.4 74.125.228.76
	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 192.168.1.4 74.125.225.87
	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 192.168.1.4 199.96.57.7
	#>