robert-moses/Windows-Event-Alerting.ps1

## Windows-Event-Alerting.ps1
# Well Known SIDs of interest
# SID: S-1-5-32-544
# Name: Administrators
#
# SID: S-1-5-21domain-512
# Name: Domain Admins
#
# Test lockout - EventID: 4740
(1..6)| %{ runas /user:DQGSOCAS4681\test1 cmd}

#
# Get Event Logs
# get-eventlog -log security | where-object {$_.EventID -match "^680$|^528$|^672$|^4768$|^4776$" –AND $_.UserName -notmatch 'SYSTEM|NETWORKSERVICE|LOCAL SERVICE|ANONYMOUS LOGON' –AND $_.TimeGenerated -gt [datetime]::today } | sort-object -property TimeGenerated | select-object -last 100 | Format-Table -AutoSize –Wrap
get-eventlog -log security | where-object {$_.EventID -match "^4740$" –AND $_.UserName -notmatch 'SYSTEM|NETWORKSERVICE|LOCAL SERVICE|ANONYMOUS LOGON' –AND $_.TimeGenerated -gt [datetime]::today } | sort-object -property TimeGenerated | select-object -last 100 | Format-Table -AutoSize –Wrap
	# Well Known SIDs of interest
	# SID: S-1-5-32-544
	# Name: Administrators
	#
	# SID: S-1-5-21domain-512
	# Name: Domain Admins
	#
	# Test lockout - EventID: 4740
	(1..6)\| %{ runas /user:DQGSOCAS4681\test1 cmd}

	#
	# Get Event Logs
	# get-eventlog -log security \| where-object {$_.EventID -match "^680$\|^528$\|^672$\|^4768$\|^4776$" –AND $_.UserName -notmatch 'SYSTEM\|NETWORKSERVICE\|LOCAL SERVICE\|ANONYMOUS LOGON' –AND $_.TimeGenerated -gt [datetime]::today } \| sort-object -property TimeGenerated \| select-object -last 100 \| Format-Table -AutoSize –Wrap
	get-eventlog -log security \| where-object {$_.EventID -match "^4740$" –AND $_.UserName -notmatch 'SYSTEM\|NETWORKSERVICE\|LOCAL SERVICE\|ANONYMOUS LOGON' –AND $_.TimeGenerated -gt [datetime]::today } \| sort-object -property TimeGenerated \| select-object -last 100 \| Format-Table -AutoSize –Wrap