Event Log Analysis Using a Built-in Windows Tool - PowerShell

PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.

PowerShell makes administrators' lives easier when managing their endpoints and servers. Why PowerShell? PowerShell is built on the .NET Common Language Runtime (CLR), which gives it access to the .NET objects and APIs behind the technologies we manage.

From an incident response perspective, the responder needs the ability and skill to triage back to patient zero without any additional tools, using only what is built into Windows. PowerShell, which can query and parse event logs, is of great use to the responder here.

Why baseline? It answers the question, "How can I detect abnormal behavior when I don't know what is normal?" A baseline is one of the best ways to know what is normal and abnormal inside the organization, especially on endpoints and critical systems: it is a clear understanding of what normal looks like. Taking a baseline from time to time gives the organization the ability to detect abnormal behavior by comparing baselines gathered at different points in time.

How do we baseline events on an endpoint? We can run a PowerShell command to enumerate all the events logged on the desired endpoint.

There are two methods:

1. Export the .evtx file to your hard drive and run a PowerShell command to parse all the event logs it contains.

2. Without exporting the .evtx file, query the live event log directly.

To use both methods, you can run the following syntax:

(1) Get-WinEvent -Path <path_to_.evtx> | Group-Object Id -NoElement | Sort-Object Count

(2) Get-WinEvent -FilterHashtable @{LogName='<event_log>'} | Group-Object Id -NoElement | Sort-Object Count

Running either command gives the same result.
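The two one-liners above only print a per-ID count; the baseline idea earlier in the article needs that count saved and compared against a later one. The following script is an added example written for this page, not code from the original article: it builds the same per-Event-ID count from either a live log (method 2) or an exported .evtx (method 1), stores it as JSON with a timestamp, and diffs two saved baselines to surface IDs that are new, missing, or whose volume changed by a large factor. The log name 'Security', the C:\Baselines paths and the 2x change ratio are assumed placeholders; reading the Security log requires an elevated session.

```powershell
# Added example (not from the original article). Placeholders: 'Security',
# C:\Baselines\*.json, C:\Baselines\*.evtx and the ChangeRatio threshold.

function Get-EventIdBaseline {
    # Count events per Event ID, from a live log (-LogName) or an exported file (-Path).
    [CmdletBinding(DefaultParameterSetName = 'Live')]
    param(
        [Parameter(ParameterSetName = 'Live', Mandatory)] [string]$LogName,
        [Parameter(ParameterSetName = 'File', Mandatory)] [string]$Path,
        [int]$MaxEvents = 0   # 0 = read the whole log
    )
    $query = @{ ErrorAction = 'Stop' }
    if ($PSCmdlet.ParameterSetName -eq 'Live') {
        $query.FilterHashtable = @{ LogName = $LogName }   # article's method (2)
    } else {
        $query.Path = $Path                                # article's method (1)
    }
    if ($MaxEvents -gt 0) { $query.MaxEvents = $MaxEvents }

    # Count while streaming instead of Group-Object, so a large Security log
    # is never held in memory as one array.
    $counts    = @{}
    $providers = @{}
    Get-WinEvent @query | ForEach-Object {
        $counts[$_.Id] = 1 + [int]$counts[$_.Id]
        if (-not $providers.ContainsKey($_.Id)) { $providers[$_.Id] = $_.ProviderName }
    }
    foreach ($id in ($counts.Keys | Sort-Object)) {
        [pscustomobject]@{
            Id         = [int]$id
            Provider   = $providers[$id]
            EventCount = $counts[$id]
        }
    }
}

function Save-EventIdBaseline {
    # Persist a baseline with the host and time it was taken, so later diffs are attributable.
    param(
        [Parameter(Mandatory)] [object[]]$Baseline,
        [Parameter(Mandatory)] [string]$OutFile
    )
    [pscustomobject]@{
        Taken  = (Get-Date).ToString('o')
        Host   = $env:COMPUTERNAME
        Events = $Baseline
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8
}

function Compare-EventIdBaseline {
    # Report IDs that are new, missing, or whose count moved by more than ChangeRatio.
    param(
        [Parameter(Mandatory)] [string]$ReferenceFile,
        [Parameter(Mandatory)] [string]$CurrentFile,
        [double]$ChangeRatio = 2.0   # assumed threshold: flag a 2x growth or shrink
    )
    $ref = (Get-Content $ReferenceFile -Raw | ConvertFrom-Json).Events
    $cur = (Get-Content $CurrentFile   -Raw | ConvertFrom-Json).Events
    $refById = @{}; foreach ($e in $ref) { $refById[[int]$e.Id] = $e }
    $curById = @{}; foreach ($e in $cur) { $curById[[int]$e.Id] = $e }

    $ids = (@($refById.Keys) + @($curById.Keys)) | Sort-Object -Unique
    foreach ($id in $ids) {
        $r = if ($refById.ContainsKey($id)) { [int]$refById[$id].EventCount } else { 0 }
        $c = if ($curById.ContainsKey($id)) { [int]$curById[$id].EventCount } else { 0 }
        $status =
            if ($r -eq 0)     { 'New' }       # never seen in the reference baseline
            elseif ($c -eq 0) { 'Missing' }   # seen before, absent now
            elseif ($c -ge $r * $ChangeRatio -or $c * $ChangeRatio -le $r) { 'Changed' }
            else              { 'Stable' }
        if ($status -ne 'Stable') {
            [pscustomobject]@{
                Id             = $id
                Provider       = if ($curById.ContainsKey($id)) { $curById[$id].Provider } else { $refById[$id].Provider }
                ReferenceCount = $r
                CurrentCount   = $c
                Status         = $status
            }
        }
    }
}

# Usage with placeholder paths: take today's baseline from the live Security log,
# save it, and compare it against one saved earlier (which could equally have been
# built from an exported .evtx via -Path).
$today = Get-EventIdBaseline -LogName 'Security'
Save-EventIdBaseline -Baseline $today -OutFile 'C:\Baselines\security-current.json'
Compare-EventIdBaseline -ReferenceFile 'C:\Baselines\security-last-month.json' `
                        -CurrentFile   'C:\Baselines\security-current.json' |
    Format-Table -AutoSize
```

Two baselines are only comparable when they cover a similar window of the same log on the same host, so the saved file records the host and the time taken; a 'New' ID is the cheapest lead for a responder, while 'Changed' rows need the reference and current counts read side by side before anything is concluded.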