@c3rberus
Forked from cfalta/asr-log-parser.ps1
Created November 22, 2022 03:33
Parses audit/block events from Windows Defender Attack Surface Reduction (ASR) rules into PowerShell objects for easier troubleshooting during rollout.
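# Parses Microsoft Defender Attack Surface Reduction (ASR) audit/block events
# (event ID 1121 = block, 1122 = audit) from the Windows Defender provider
# into PowerShell objects, so a rollout can be reviewed by rule, user, path
# and command line instead of by reading raw event messages.
#
# Requires read access to the Windows Defender event log (usually an
# elevated session). Emits one object per event; the final Select-Object
# chooses the columns shown, all parsed fields remain on the objects.

# Maps the ASR rule GUID carried in the event message to its display name.
# String keys in a PowerShell hashtable are case-insensitive, so the case of
# the GUID in the message does not matter. A GUID that is not listed here
# (newer rules) is reported as "Unknown rule (<guid>)" rather than a blank
# column, so it is still visible in the output.
$ASRGuidMatrix = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# "<Label>: value" fields pulled out of each event message, in output column
# order. Every pattern captures its value in the named group "rex"; '.'
# does not cross a line break, so each capture stops at the end of its line.
# NOTE(review): the "Product Version" pattern has no colon after the label in
# the original script; if the captured value starts with ": ", the message
# does include one — confirm against a live event before relying on it.
$MessageFields = [ordered]@{
    Time                        = 'Detection time: (?<rex>.*)'
    User                        = 'User: (?<rex>.*)'
    Path                        = 'Path: (?<rex>.*)'
    ProcessName                 = 'Process Name: (?<rex>.*)'
    TargetCmdLine               = 'Target Commandline: (?<rex>.*)'
    ParentCmdLine               = 'Parent Commandline: (?<rex>.*)'
    InvolvedFile                = 'Involved File: (?<rex>.*)'
    InheritanceFlags            = 'Inheritance Flags: (?<rex>.*)'
    SecurityIntelligenceVersion = 'Security intelligence Version: (?<rex>.*)'
    EngineVersion               = 'Engine Version: (?<rex>.*)'
    ProductVersion              = 'Product Version (?<rex>.*)'
}

# Returns the "rex" capture of the first case-insensitive match of $Pattern
# in $Message, or $null when the label is absent (empty column, no error).
# The value is trimmed because event messages commonly use CRLF line ends,
# which would otherwise leave a trailing carriage return in every field.
function Get-MessageField {
    param(
        [string]$Message,
        [string]$Pattern
    )
    $m = [regex]::Match($Message, $Pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    if (-not $m.Success) { return $null }
    return $m.Groups['rex'].Value.Trim()
}

# Both IDs in one query: 1121 (blocked) and 1122 (audited, would have been
# blocked in block mode). With no matching events Get-WinEvent reports a
# non-terminating error and $Logs stays empty, so the loop below is a no-op.
$Logs = Get-WinEvent -FilterHashtable @{
    ProviderName = 'Microsoft-Windows-Windows Defender'
    ID           = 1122, 1121
}

# Collect loop output directly instead of '$out += ...', which copies the
# array on every append.
$out = foreach ($L in $Logs) {
    # Audit/block is decided per event, so read $L.Id — not $Logs.Id, which
    # tests the whole collection and would label every event the same way.
    $action = switch ($L.Id) {
        1121    { 'BLOCK' }
        1122    { 'AUDIT' }
        default { "UNKNOWN($($L.Id))" }
    }

    $Guid = Get-MessageField -Message $L.Message -Pattern 'ID: (?<rex>[0-9a-zA-Z-]*)'
    # Indexing a hashtable with $null throws, so only look up a parsed GUID.
    $rule = $null
    if ($Guid) { $rule = $ASRGuidMatrix[$Guid] }
    if (-not $rule) { $rule = "Unknown rule ($Guid)" }

    $props = [ordered]@{
        ID     = $Guid
        Rule   = $rule
        Action = $action
    }
    foreach ($field in $MessageFields.Keys) {
        $props[$field] = Get-MessageField -Message $L.Message -Pattern $MessageFields[$field]
    }
    [PSCustomObject]$props
}

$out | Select-Object Time, Rule, Action, User, Path, ProcessName, TargetCmdLine, ParentCmdLine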