beancurd1/AppLockerEventNotification.ps1

## AppLockerEventNotification.ps1
Param($eventFilePath)

# Get the first/latest event from "Forwarded Events" event log and
# Replace the field value and field name with meaningful value e.g. convert SID to proper user name and Full Name
$Event = Get-WinEvent -FilterHashtable @{Logname='ForwardedEvents'; Id=8004} -MaxEvents 1
If($Event.UserId.Value -eq $null)
{
    return
} else {
    $objSID = New-Object System.Security.Principal.SecurityIdentifier($Event.UserId.Value)
    $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
    $userName = $objUser.Value
    $userFullName = ([adsi]"WinNT://$($objUser.Value.Replace("\", "/")),user").fullname
}
$msgBody = $Event | Select-Object -Property @{N='HostName'; E={$_.MachineName}},
                                            @{N='UserName'; E={$_.UserId}}, LogName, ProviderName,
                                            @{N='Event ID'; E={$_.Id}}, Message, ProcessId, ThreadId, TimeCreated, LevelDisplayName
$msgBody.UserName = "$userFullName ($userName)"

# This is a workaround of the "path couldn't be resolve" bug in Windows Forwarded Events log for events such as AppLocker events
# Need to config the Event Trigger to return the path from the XML view in event viewer
If ($msgBody.Message -like "*%11*") {
    $msgBody.Message = $msgBody.Message.Replace("%11","$eventFilePath")
}

# Convert the event object into HTML format for better formatting
# Send Noftifaction in HTML format with High priority
$messageParameters = @{
    Subject = "Event Provider: " + $msgBody.ProviderName
    Body = $msgBody | ConvertTo-Html -As List -PreContent "<h3><font face='Courier New'>Forwarded Event:</font></h3>" -Fragment | Out-String
    From = "USERORGROUP1@DOMAIN"
    To = "USERORGROUP2@DOMAIN"
    SmtpServer = "SMTPServer"
}
Send-MailMessage @messageParameters -BodyAsHtml -priority High
	Param($eventFilePath)

	# Get the first/latest event from "Forwarded Events" event log and
	# Replace the field value and field name with meaningful value e.g. convert SID to proper user name and Full Name
	$Event = Get-WinEvent -FilterHashtable @{Logname='ForwardedEvents'; Id=8004} -MaxEvents 1
	If($Event.UserId.Value -eq $null)
	{
	return
	} else {
	$objSID = New-Object System.Security.Principal.SecurityIdentifier($Event.UserId.Value)
	$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
	$userName = $objUser.Value
	$userFullName = ([adsi]"WinNT://$($objUser.Value.Replace("\", "/")),user").fullname
	}
	$msgBody = $Event \| Select-Object -Property @{N='HostName'; E={$_.MachineName}},
	@{N='UserName'; E={$_.UserId}}, LogName, ProviderName,
	@{N='Event ID'; E={$_.Id}}, Message, ProcessId, ThreadId, TimeCreated, LevelDisplayName
	$msgBody.UserName = "$userFullName ($userName)"

	# This is a workaround of the "path couldn't be resolve" bug in Windows Forwarded Events log for events such as AppLocker events
	# Need to config the Event Trigger to return the path from the XML view in event viewer
	If ($msgBody.Message -like "%11") {
	$msgBody.Message = $msgBody.Message.Replace("%11","$eventFilePath")
	}

	# Convert the event object into HTML format for better formatting
	# Send Noftifaction in HTML format with High priority
	$messageParameters = @{
	Subject = "Event Provider: " + $msgBody.ProviderName
	Body = $msgBody \| ConvertTo-Html -As List -PreContent "<h3><font face='Courier New'>Forwarded Event:</font></h3>" -Fragment \| Out-String
	From = "USERORGROUP1@DOMAIN"
	To = "USERORGROUP2@DOMAIN"
	SmtpServer = "SMTPServer"
	}
	Send-MailMessage @messageParameters -BodyAsHtml -priority High