Event Log Analysis using a Windows tool - PowerShell

Windows PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.

PowerShell makes administrators' lives easier when managing their endpoints and servers. Why PowerShell? PowerShell is built on the .NET Common Language Runtime (CLR), which lets it work with the technologies we already manage through .NET.

From an incident response perspective, the responder needs the ability and skill to triage back to patient zero without additional tools, using what is built into Windows. PowerShell can query and parse event logs, which is of great use to the responder.

Breadcrumbs during an incident need to be followed in a time-specific manner; responders cannot afford the time they would spend wandering through thousands of event log entries when time to resolve the incident is critical. One aid is to sort the logs by the time they were created.

To put this to use, we can run the following syntax: Get-EventLog -LogName <log_name> | Sort-Object TimeGenerated (entries returned by Get-EventLog expose TimeGenerated and TimeWritten; TimeCreated is the property on Get-WinEvent output, so sorting Get-EventLog output on TimeCreated would not order the entries.)


We can also narrow the time window down to hours, minutes or even seconds. We will use the StartTime and EndTime keys in this case.

To put this to use, we can run the following syntax:

Get-WinEvent -FilterHashtable @{LogName='<log_name>'; StartTime=[datetime]"<start_time>"; EndTime=[datetime]"<end_time>"}

In this case, we will filter events in the range from 5:06:33 PM to 5:09:01 PM.
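The following is an added example (not from the original post) that wraps the Get-WinEvent time-window query above in a reusable function: it sorts the results chronologically, optionally narrows to specific event IDs, and handles the case where no events fall in the window. The function name, the parameter names and the 2024-01-15 date are constructed for illustration; Get-WinEvent itself is only available on Windows.

```powershell
# Added example: query one event log for a time window, oldest first, with the
# "no events found" case handled instead of surfacing as a terminating error.
function Get-EventWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $LogName,
        [Parameter(Mandatory)] [datetime] $StartTime,
        [Parameter(Mandatory)] [datetime] $EndTime,
        [int[]]  $Id,                               # optional event ID filter
        [string] $ComputerName = $env:COMPUTERNAME   # assumption: local host by default
    )

    # A time such as [datetime]"5:06:33 PM" with no date resolves to *today*,
    # so callers should pass a full date and time for the window to land on the right day.
    if ($EndTime -le $StartTime) { throw "EndTime must be later than StartTime." }

    $filter = @{ LogName = $LogName; StartTime = $StartTime; EndTime = $EndTime }
    if ($Id) { $filter['Id'] = $Id }

    # Get-WinEvent raises a terminating error when nothing matches; return an empty set instead.
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -like 'No events were found*') { return @() }
        throw
    }

    # Oldest first so the output reads as a timeline; keep the first line of each message as a summary.
    $events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: the window quoted in the post, anchored to an explicit (constructed) date.
$start = [datetime]'2024-01-15 17:06:33'   # 5:06:33 PM
$end   = [datetime]'2024-01-15 17:09:01'   # 5:09:01 PM

Get-EventWindow -LogName 'System' -StartTime $start -EndTime $end |
    Format-Table -AutoSize

# Triage pivot: which event IDs dominate the window, most frequent first.
Get-EventWindow -LogName 'System' -StartTime $start -EndTime $end |
    Group-Object Id | Sort-Object Count -Descending | Select-Object Count, Name
```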