mySYSMON/sysmon1-stats-count-by-image.ps1

## sysmon1-stats-count-by-image.ps1
$events = Get-WinEvent -FilterHashtable `
@{ `
    logname='Microsoft-Windows-Sysmon/Operational'; `
    id=1; `
    StartTime=(Get-Date).AddHours(-1); `
    EndTime=get-date `
}
$dict = @{}
foreach ($log in $events)
{
    [xml]$xmllog = $log.toXml()
    $tmp = $xmllog.event.eventdata.data | where Name -eq 'image' | select '#text'
    $image = $tmp.'#text'
    $value = $dict[$image]
    if ($value -eq $null)
    {
         $value = 1
         $dict.add($image,$value)
    }
    else
    {
        $value = $value + 1
        $dict[$tmp] = $value
    }
}
$dict.GetEnumerator() | sort -Property value -Descending
# RUN LIKE THIS
# sysmon1-stats-count-by-image.ps1 | format-list
	$events = Get-WinEvent -FilterHashtable `
	@{ `
	logname='Microsoft-Windows-Sysmon/Operational'; `
	id=1; `
	StartTime=(Get-Date).AddHours(-1); `
	EndTime=get-date `
	}
	$dict = @{}
	foreach ($log in $events)
	{
	[xml]$xmllog = $log.toXml()
	$tmp = $xmllog.event.eventdata.data \| where Name -eq 'image' \| select '#text'
	$image = $tmp.'#text'
	$value = $dict[$image]
	if ($value -eq $null)
	{
	$value = 1
	$dict.add($image,$value)
	}
	else
	{
	$value = $value + 1
	$dict[$tmp] = $value
	}
	}
	$dict.GetEnumerator() \| sort -Property value -Descending
	# RUN LIKE THIS
	# sysmon1-stats-count-by-image.ps1 \| format-list