I would do this, this way. But different strokes, different folks.
Just a couple comments:
[xml]$xml = gc .\ExampleEvent.xml
$result = $xml.Objs.Obj.MS.S.'#text'
$result = $result.Replace( '_x000D_', "`r" ).Replace( '_x000A_',
"`n" ).Replace( '_x0009_', "`t" )
$result
A member was added to a security-enabled global group.
Subject:
Security ID: S-1-5-21-335783171-3454459487-4016881208-105143
Account Name: AdminTest
Account Domain: DOMAIN
Logon ID: 0x49856394
Member:
Security ID: S-1-5-21-335783171-3454459487-4016881208-140732
Account Name: CN=SmithTest\, John,OU=Test OU,DC=domain,DC=org
Group:
Security ID: S-1-5-21-335783171-3454459487-4016881208-140733
Group Name: Test User Add Group
Group Domain: DOMAIN
Additional Information:
Privileges: -
Parsing $result is a trivial exercise left for the reader. :)
In regards to processing SIDs:
function ConvertTo-DomainUser
{
Param(
[Parameter( Mandatory = $true ) ]
[string] $sid
)
$objSID = New-Object System.Security.Principal.SecurityIdentifier( $sid )
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount] )
$objUser.Value
}
Enjoy!
From: [email protected] [mailto:[email protected]] On
Behalf Of Orlebeck, Geoffrey
Sent: Thursday, July 28, 2016 4:46 PM
To: '[email protected]'
Subject: [powershell] Parsing Event Log XML and RegEx Issue:
All:
I was attempting to monitor several sensitive AD groups for user
additions/removals. I ended up configuring our monitoring solution to handle
it, but I feel I was 95% of the way there with PowerShell. Because I spent so
much time I want to see this through to the end. I'm attempting to pull this
type of information directly from the Security Event Log on our DCs. I have
been able to retrieve the majority of the information I want but I am failing
to convert the distinguished name of the user into their SamAccountname. I am
attempting to gather the following information to pass back to me: Date, Domain
Controller, SamAccountname added, SamAccountname performing the add, and the
group name user was added to.
Here is the part of my script that gathers the relevant information I'm looking
for:
# Gather security event info
[xml]$xml = Get-Content C:\Testevent.xml
# Event Time
$Time = $xml.Objs.Obj.Props.DT.'#text'
$Date = (Get-Date $Time -Format g)
# DC Logging Event
$SrvObj = $xml.Objs.Obj.Props.S | ? {$_.N -like "MachineName"}
$Server = $SrvObj.'#text'
# Store properties of Event Data
$GroupObject = $xml.Objs.obj.props.Obj | ? {$_.N -like "Properties"}
# Output
$Properties = @{Date = $Date
Server = $Server
Group = $GroupObject.lst.Obj[2].Props.s.'#text'
AddedBy = $GroupObject.lst.Obj[6].Props.s.'#text'
UserAdded = $GroupObject.lst.obj[0].props.s.'#text'}
# Store properties in Custom PSObject
$Obj = New-Object -TypeName PSObject -Property $Properties
My output looks like this:
[cid:[email protected]]
Where I am having an issue is $GroupObject.lst.obj[0].props.s.'#text' returns
the following:
CN=Smith\, John,CN=Users,OU=Example Department,DC=domain,DC=org
However, when I do a Get-ADUser, the distinguished name is like this:
CN=JS1234,CN=Users,OU=Example Department,DC=domain,DC=org
So I cannot simply filter based on the returned output because it doesn't match
the DN returned by Get-ADUser. My initial thought was to take
"$GroupObject.lst.obj[0].props.s.'#text'" and via regular expressions get
Firstname, Lastname, and OU. I should be able to leverage splatting on the
filter command for Get-ADUser and extract the SamAccountname. The regular
expression is where I am failing. I am able to grab the last name, but
outputting just the first name and then just the OU is where I have not been
successful. Having the "\," after SmithTest is what's tripping me up when I try
to remove "CN=SmithTest\, John,".
If anyone has regex guidance or alternative ideas on how to accomplish the
above (for instance, I get the ObjectSID, but I have also failed to convert
that into SamAccountname). I'm open to see how others would tackle this. I'm
including the XML file containing a single event I have been using to test in
case it's helpful.
Thank you.
Confidentiality Notice: This is a transmission from Community Hospital of the
Monterey Peninsula. This message and any attached documents may be confidential
and contain information protected by state and federal medical privacy
statutes. They are intended only for the use of the addressee. If you are not
the intended recipient, any disclosure, copying, or distribution of this
information is strictly prohibited. If you received this transmission in error,
please accept our apologies and notify the sender. Thank you.
