odd results without adequate description in report. #55
Comments
Well, I've not spent much time on each and every report, and surely all of them can be optimized. Generally, each and every report has its own definition, so no coding is required (unless we want more options). All three definitions below have one thing in common: the same EventID from the Security log. Now, depending on needs, I'm filtering out stuff based on conditions.
PSWinReporting/Private/Parameters/Script.ReportDefinitions.ps1, lines 145 to 176 in fb3be60
Compare this to:
PSWinReporting/Private/Parameters/Script.ReportDefinitions.ps1, lines 177 to 227 in fb3be60
Notice Overwrite/OverwriteByField and how and what they do. Overwrite lets you do If/Else/Then on static values. OverwriteByField is If/Else/Then based on fields rather than a static value. So, for example, it's possible to say: if the field Action contains the value 'A directory service object was moved', put the value from OldObjectDN into the field 'Organizational Unit'. Compare this to:
PSWinReporting/Private/Parameters/Script.ReportDefinitions.ps1, lines 566 to 718 in fb3be60
This one is actually 3 different types combined into one report. Now, if you want to debug issues like that, my recommendation would be to take a look at this: https://github.com/EvotecIT/PSWinReporting/blob/master/Examples/RunMe-FindEventsExtended.ps1 Basically, you tell Find-Events to use $Definitions, $Target and $Times, so you don't need to run the whole of PSWinReporting to "work" on the report. You can tell it to scan only one server, remove Filters, remove Fields and see what is provided and how you can optimize things. You can play with overwrites and see how they work, and based on that you could enhance the report to a degree you're happy with. I would be more than happy to get more detailed/better reports out of this :-) Using Ignore should be your last resort though. It's not really a great implementation. As for the last request: if you have an idea on how to combine them, I'm all ears :-) I mean, even from a technical perspective, how do you imagine combining 10 Events into 1 entry so that it's readable :-) When we have a proposed output we can talk implementation.
As for combining details on a created/deleted user: we can look specifically for a user creation/deletion and, in the user details report, we can look for the relevant user object and combine those field values that match that user at approximately the same time. My original question, though, wasn't about weeding out found logs, but about defining log values better. Under AD user changes, I'm getting values of %%1794 in the "Password Last Set" column, and don't know what that means.
I'm just having trouble translating these values to something meaningful.
Ok, well, the list is incomplete:
That's all I have. We need to build this hashtable with proper values. The way I did it before was Google... https://system32.eventsentry.com/security/event/4741 - take a look, it has some of your values. The issue is that I read this XML, and the values that you mention are in there, usually with a percent sign, which makes it hard for me to translate, as I'm as clueless as you are about it. What you can do is try to check what the Message value holds. Maybe you will find the information you need. Here's something I found: https://social.technet.microsoft.com/Forums/windows/en-US/541bad5d-19eb-4de5-8ef7-1b144f0b6113/translate-xxxx-values-in-events?forum=w7itprosecurity
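The maintainer's suggestion above is to compare the raw %%NNNN value with what the rendered Message of the same event shows. The following PowerShell function is an added example, not PSWinReporting's own code: it lines up the provider's message template (which uses %1, %2, ... as parameter slots) against an event's rendered Message and returns which text Windows substituted for each %%NNNN token. It assumes an EventLogRecord from Get-WinEvent whose Message property was rendered (the provider's resources must be present on the machine that reads the log); the sample template, message and values below are constructed, not captured from a real system.

```powershell
function Resolve-EventPlaceholder {
    <#
      Lines up a provider message template (%1, %2, ... parameter slots)
      against the rendered Message of one event and returns a hashtable
      mapping each raw %%NNNN EventData value to the text rendered for it.
    #>
    param (
        [Parameter(Mandatory)] [string]   $Template,    # provider description for this Id/Version
        [Parameter(Mandatory)] [string]   $Message,     # $Event.Message (already rendered by Windows)
        [Parameter(Mandatory)] [object[]] $Properties   # $Event.Properties.Value, in %n order
    )

    # Escape the template's literal text, then turn every %n slot into a named,
    # lazy capture group. Singleline lets a captured value span several lines.
    $Pattern = [regex]::Escape($Template) -replace '%(\d+)', '(?<p$1>.*?)'
    $Options = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $Match   = [regex]::Match($Message, "^$Pattern\s*$", $Options)

    $Map = @{}
    if (-not $Match.Success) {
        Write-Warning 'Template and rendered message do not line up (wrong Id/Version, or Message was not rendered).'
        return $Map
    }
    for ($i = 0; $i -lt $Properties.Count; $i++) {
        $Raw   = [string] $Properties[$i]
        $Group = $Match.Groups["p$($i + 1)"]
        # Only %%NNNN tokens need translating; any other value is already literal text.
        if ($Raw -match '^%%\d+$' -and $Group.Success -and $Group.Value -ne $Raw) {
            $Map[$Raw] = $Group.Value
        }
    }
    return $Map
}

# Constructed sample (not a real captured event): the raw EventData carries
# '%%14674', the rendered message shows the text it stands for.
$SampleTemplate = "Operation:`r`n`tType:`t`t%1`r`n`tCorrelation ID:`t%2"
$SampleMessage  = "Operation:`r`n`tType:`t`tValue Added`r`n`tCorrelation ID:`t{11111111-2222-3333-4444-555555555555}"
$SampleValues   = @('%%14674', '{11111111-2222-3333-4444-555555555555}')
Resolve-EventPlaceholder -Template $SampleTemplate -Message $SampleMessage -Properties $SampleValues
# Name      Value
# ----      -----
# %%14674   Value Added

# Against a real domain controller (requires rights to read the Security log).
# 5136 is "A directory service object was modified"; pick the template whose
# Id and Version match the event, since one Id can have several versions.
$Provider = Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing'
$Event    = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 1
$Meta     = $Provider.Events | Where-Object { $_.Id -eq $Event.Id -and $_.Version -eq $Event.Version }
Resolve-EventPlaceholder -Template $Meta.Description -Message $Event.Message -Properties $Event.Properties.Value
```

Running this over a handful of events of each ID of interest yields the %%NNNN-to-text pairs that ConvertFrom-OperationType's $Known hashtable is missing; when Message comes back empty (for example an .evtx copied to a machine without the Security-Auditing provider), nothing can be resolved and the function warns instead of guessing.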
Roger that. I’ll do some homework on the non-sensical values I’m seeing and send you my findings to hopefully help flesh out your wonderful script.
Sent from my phone.
On Jun 27, 2019, at 3:03 PM, Przemysław Kłys wrote:
Ok, well, the list is incomplete:
    # Translates the raw OperationType value of a directory-service event
    # into a readable name; unknown values are returned unchanged.
    Function ConvertFrom-OperationType {
        param ([string] $OperationType)
        $Known = @{
            '%%14674' = 'Value Added'
            '%%14675' = 'Value Deleted'
            '%%14676' = 'Unknown'
        }
        if ($Known.ContainsKey($OperationType)) { return $Known[$OperationType] }
        return $OperationType
    }
That's all I have. We need to build this hashtable with proper values. The way I did it before was Google...
https://system32.eventsentry.com/security/event/4741 - take a look, it has some of your values.
The issue is that I read this XML:
and the values that you mention are in there, usually with a percent sign, which makes it hard for me to translate, as I'm as clueless as you are about it. What you can do is try to check what the Message value holds.
Maybe you will find the information you need. Here's something I found: https://social.technet.microsoft.com/Forums/windows/en-US/541bad5d-19eb-4de5-8ef7-1b144f0b6113/translate-xxxx-values-in-events?forum=w7itprosecurity
So I've modified PSWinReporting/Examples/RunMe-Reporting.ps1 to fit my needs, and am getting strange results.
First, because I'm not sure how pertinent it is, here's the output of auditpol on my domain controllers:
Under the section for "AD Computer Changes Detailed", I have results that show these things, but I wish there was a more adequate explanation listed:
Under Field Value:
TERMSRV/<PC Name> -- Terminal Server?
CmRcService/<PC Name> (directly followed by CmRcService/<PC FQDN>) -- Config Manager Remote Service?
WSMAN/<PC Name> -- Web Services for Management?
Even if I add those to Ignore, I'm still left with unclear results:
Action: A directory service object was modified
Field Changed: objectClass
Field Value: 1.2.840.113556.1.3.30 -- Computer?
Action: A directory service object was modified
Field Changed: userAccountControl
Field Value: 4096 (and another for 4098)
Action: A directory service object was modified
Action Details: Value Deleted (followed by another entry that says "Value Added")
Who: NT AUTHORITY\SYSTEM
Field Changed: userCertificate
Field Value: %%14672 -- DNS changes?
Here is my sterilized copy with my modifications (I added a ton of notes to keep track of the Windows events and what they mean).
The last thing I would request is to somehow consolidate all changes that occur when a user is created or deleted. Having a dozen lines to show all the things that were created/modified when a user is created is a little cumbersome to read. I should emphasize that I AM NOT COMPLAINING. I love the tool and its potential; this is just a humble request.
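The userAccountControl values 4096 and 4098 listed above are a bit mask: each bit is one of the account flags documented by Microsoft for the userAccountControl attribute (ADS_USER_FLAG_ENUM). The following PowerShell function is an added example, not PSWinReporting code, that decodes such a value into flag names so the report can show them instead of the raw number; the flag table is taken from the Microsoft documentation, and the two calls at the end use the values from this post.

```powershell
function ConvertFrom-UserAccountControl {
    <#
      Decodes a userAccountControl integer (as logged in "A directory service
      object was modified" events) into the names of the flags that are set.
    #>
    param ([Parameter(Mandatory)] [int] $Value)

    # Flag bits as documented by Microsoft for userAccountControl.
    $Flags = [ordered]@{
        SCRIPT                         = 0x00000001
        ACCOUNTDISABLE                 = 0x00000002
        HOMEDIR_REQUIRED               = 0x00000008
        LOCKOUT                        = 0x00000010
        PASSWD_NOTREQD                 = 0x00000020
        PASSWD_CANT_CHANGE             = 0x00000040
        ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
        TEMP_DUPLICATE_ACCOUNT         = 0x00000100
        NORMAL_ACCOUNT                 = 0x00000200
        INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
        WORKSTATION_TRUST_ACCOUNT      = 0x00001000
        SERVER_TRUST_ACCOUNT           = 0x00002000
        DONT_EXPIRE_PASSWORD           = 0x00010000
        MNS_LOGON_ACCOUNT              = 0x00020000
        SMARTCARD_REQUIRED             = 0x00040000
        TRUSTED_FOR_DELEGATION         = 0x00080000
        NOT_DELEGATED                  = 0x00100000
        USE_DES_KEY_ONLY               = 0x00200000
        DONT_REQ_PREAUTH               = 0x00400000
        PASSWORD_EXPIRED               = 0x00800000
        TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
        PARTIAL_SECRETS_ACCOUNT        = 0x04000000
    }

    # Collect every flag whose bit is set in the value.
    $Set = foreach ($Name in $Flags.Keys) {
        if ($Value -band $Flags[$Name]) { $Name }
    }

    # Whatever is left after clearing all known bits is reported rather than hidden.
    $Unknown = $Value
    foreach ($Bit in $Flags.Values) { $Unknown = $Unknown -band (-bnot $Bit) }

    [pscustomobject]@{
        Value       = $Value
        Flags       = @($Set) -join ', '
        UnknownBits = $Unknown
    }
}

# The two values from the report in this issue:
ConvertFrom-UserAccountControl 4096   # Flags: WORKSTATION_TRUST_ACCOUNT
ConvertFrom-UserAccountControl 4098   # Flags: ACCOUNTDISABLE, WORKSTATION_TRUST_ACCOUNT
```

So 4096 is a plain computer account and 4098 is the same account while disabled, which is why a computer join or reset shows a 4098-to-4096 (or the reverse) pair of modifications. A helper like this can be wired into a report definition the same way ConvertFrom-OperationType is used for the OperationType field.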