@amnich
Created August 28, 2017 09:23
  • Save amnich/8685b5ef5e44bc7496614a6d844ea793 to your computer and use it in GitHub Desktop.
Function Get-FileAuditInfoDetails {
<#
.SYNOPSIS
Gets detailed information from Get-EventLog (Event 4663) or Get-FileAuditInfo
like UserName, Filename and Action.
.DESCRIPTION
Gets detailed information from Get-EventLog (Event 4663) or Get-FileAuditInfo
like UserName, Filename and Action.
The original object is returned in EventObject property.
.PARAMETER event
Event from Get-EventLog or Get-FileAuditInfo
.EXAMPLE
Get-FileAuditInfo -Newest 10 -ComputerName SERVER -Search "TEST555" | Get-FileAuditInfoDetails
TimeGenerated UserName Filename Action EventObject
------------- -------- -------- ------ -----------
2016-11-24 12:50:12 UserName D:\SHARES\TEST555.txt DELETE System.Diagnostics.EventLogEntry
.EXAMPLE
Get-EventLog -LogName Security -InstanceId 4663 -Newest 10 -Message "*TEST555*" -ComputerName SERVER | Get-FileAuditInfoDetails
TimeGenerated UserName Filename Action EventObject
------------- -------- -------- ------ -----------
2016-11-24 12:50:12 UserName D:\SHARES\TEST555.txt DELETE System.Diagnostics.EventLogEntry
#>
param (
[Parameter(Position=0,ValueFromPipeline=$true)]
$event
)
PROCESS{
# Event 4663 replacement strings, in order: SubjectUserSid, SubjectUserName,
# SubjectDomainName, SubjectLogonId, ObjectServer, ObjectType, ObjectName,
# HandleId, AccessList, AccessMask, ProcessId, ProcessName and, on newer
# systems, ResourceAttributes. AccessMask is therefore always index 9;
# counting from the end ([-3]) lands on ProcessId once ResourceAttributes
# is present, so the fixed index is used here.
$AccessMask = $event.ReplacementStrings[9]
# Map a single-right mask to its name. A mask with several bits set
# (for example 0x10080) matches no case and is returned as the raw hex string.
switch ($AccessMask)
{
"0x1" {$AccessMask = "FILE_READ_DATA"; break}
"0x2" {$AccessMask = "FILE_WRITE_DATA"; break}
"0x4" {$AccessMask = "FILE_APPEND_DATA"; break}
"0x10000" {$AccessMask = "DELETE"; break}
"0x20" {$AccessMask = "FILE_EXECUTE"; break}
"0x100" {$AccessMask = "FILE_WRITE_ATTRIBUTES"; break}
"0x40000" {$AccessMask = "WRITE_DAC"; break}
"0x80000" {$AccessMask = "WRITE_OWNER"; break}
}
[pscustomobject]@{
TimeGenerated = $event.TimeGenerated
# SubjectDomainName\SubjectUserName
UserName = ("{0}\{1}" -f $event.ReplacementStrings[2], $event.ReplacementStrings[1])
# ObjectName: full path of the audited file or directory
Filename = $event.ReplacementStrings[6]
Action = $AccessMask
# Original entry kept so callers can reach fields not surfaced here
EventObject = $event
}
}
}
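The switch above names one right per event, but a 4663 AccessMask is a bit field and often carries several rights at once (0x10080 is FILE_READ_ATTRIBUTES plus DELETE). The following is an added example, not code from the gist: it decodes every bit in the mask against the file-access rights table and runs over two constructed events shaped like the ReplacementStrings array of a 4663 entry. The field order assumed is the documented 4663 layout (AccessMask at index 9, ProcessName at index 11); the SIDs, paths, handle IDs and %% access-list tokens in the sample data are made up for illustration.

```powershell
# Added example (not part of amnich's gist): decode multi-bit 4663 access masks.
# Bit values are the standard file access rights; events below are constructed.

$FileAccessRights = [ordered]@{
    0x1      = 'FILE_READ_DATA'
    0x2      = 'FILE_WRITE_DATA'
    0x4      = 'FILE_APPEND_DATA'
    0x8      = 'FILE_READ_EA'
    0x10     = 'FILE_WRITE_EA'
    0x20     = 'FILE_EXECUTE'
    0x40     = 'FILE_DELETE_CHILD'
    0x80     = 'FILE_READ_ATTRIBUTES'
    0x100    = 'FILE_WRITE_ATTRIBUTES'
    0x10000  = 'DELETE'
    0x20000  = 'READ_CONTROL'
    0x40000  = 'WRITE_DAC'
    0x80000  = 'WRITE_OWNER'
    0x100000 = 'SYNCHRONIZE'
}

function ConvertTo-FileAccessRights {
    # Turns "0x10080" into @('FILE_READ_ATTRIBUTES','DELETE'); unknown bits
    # fall back to the raw hex string so nothing is silently dropped.
    param([Parameter(Mandatory)][string]$AccessMask)
    $mask  = [Convert]::ToInt32($AccessMask, 16)
    $names = foreach ($bit in $FileAccessRights.Keys) {
        if ($mask -band $bit) { $FileAccessRights[$bit] }
    }
    if (-not $names) { $names = @($AccessMask) }
    return $names
}

function Get-FileAuditDetail {
    # Same shape as Get-FileAuditInfoDetails, but Rights lists every decoded bit
    # and ProcessName (index 11) is surfaced to tie the access to a binary.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $s = $Event.ReplacementStrings
        [pscustomobject]@{
            TimeGenerated = $Event.TimeGenerated
            UserName      = '{0}\{1}' -f $s[2], $s[1]
            Filename      = $s[6]
            ProcessName   = $s[11]
            Rights        = (ConvertTo-FileAccessRights $s[9]) -join ', '
        }
    }
}

# Constructed sample events mimicking System.Diagnostics.EventLogEntry for 4663
# (13 replacement strings, i.e. a system that emits ResourceAttributes).
$sampleEvents = @(
    [pscustomobject]@{
        TimeGenerated      = Get-Date '2016-11-24 12:50:12'
        ReplacementStrings = @('S-1-5-21-1-2-3-1001', 'jdoe', 'CONTOSO', '0x3e7',
            'Security', 'File', 'D:\SHARES\TEST555.txt', '0x1234', '%%1537',
            '0x10000', '0x1a2c', 'C:\Windows\explorer.exe', '-')
    },
    [pscustomobject]@{
        TimeGenerated      = Get-Date '2016-11-24 12:51:03'
        ReplacementStrings = @('S-1-5-21-1-2-3-1001', 'jdoe', 'CONTOSO', '0x3e7',
            'Security', 'File', 'D:\SHARES\TEST555.txt', '0x1235', '%%1537 %%4423',
            '0x10080', '0x1a2c', 'C:\Windows\explorer.exe', '-')
    }
)

# First row decodes to DELETE; second to FILE_READ_ATTRIBUTES, DELETE.
$sampleEvents | Get-FileAuditDetail | Format-Table -AutoSize
```

On live systems, pipe real entries in with `Get-EventLog -LogName Security -InstanceId 4663` (Windows PowerShell) or, on PowerShell 7 where Get-EventLog is gone, build the same objects from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663}` by reading the event's `Properties` collection, which is in the same order as ReplacementStrings.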