EventLog/Export-WinEvent.ps1

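function Export-WinEvent {
    <#
    .SYNOPSIS
        Export events that match a given query into an Evtx file.
    .DESCRIPTION
        Export events that match a given query into an Evtx file. The source is either a live
        log (selected by log name, the default) or an existing Evtx file. The query string is
        handed unchanged to EventLogSession.ExportLog, so it must be written in the Windows
        Event Log XPath dialect; only events selected by the query end up in the output file.

        Remote exports use the Windows Event Log remoting protocol (RPC). When -Credential is
        supplied the password is passed to the session as a SecureString; it is never
        materialised in clear text by this function.

        The exported file contains the raw event data (command lines, account names, etc.)
        without any redaction beyond what the query filters out, so treat the output with the
        same sensitivity as the source log.
    .EXAMPLE
        PS C:\> [string]$query = $($Output = Get-SysmonProcessAccess -TargetImage "C:\WINDOWS\system32\lsass.exe" -verbose -MaxEvents 1) 4>&1
        PS C:\> Export-WinEvent -SourcePath "Microsoft-Windows-Sysmon/Operational" -Path C:\LSASSProcessAccess.evtx -Query $query
 
        Capture the XPath query from one of the Sysmon PSGumshoe functions and use that to export the resulting events into a file.
        Technique also works with Get-WinEvent.
    .EXAMPLE
        PS C:\> Export-WinEvent -SourcePath "Security" -Path .\Security-4624.evtx -Query '*[System[(EventID=4624)]]' -ComputerName DC01 -Credential (Get-Credential)

        Export logon events from a remote host using explicit credentials. The Event Log
        service firewall rule must allow remote access on the target.
    .INPUTS
        System.String
    .OUTPUTS
        None. The events are written to the file(s) named by -Path.
    .NOTES
        Xpath Query EventLog use and limitations https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events
        Relative paths in -Path and in -SourcePath (when -SourceType is FilePath) are resolved
        against the PowerShell current location, not the process working directory.
    #>

    [CmdletBinding(DefaultParameterSetName = "Local")]
    param (
        # Source to export from: a log name (e.g. "Security",
        # "Microsoft-Windows-Sysmon/Operational") or the path of an Evtx file, depending on -SourceType.
        [Parameter(Mandatory=$true)]
        [String]
        $SourcePath,

        # Type of source. LogName (default) treats -SourcePath as a live channel name,
        # FilePath treats it as an existing Evtx file.
        [Parameter(Mandatory=$false)]
        [ValidateSet("FilePath","LogName")]
        [String]
        $SourceType ="LogName",

        # Target Evtx file(s) to write. One export is performed per path given.
        [Parameter(Mandatory = $false,
                   Position = 1,
                   ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true)]
        [Alias("PSPath")]
        [ValidateNotNullOrEmpty()]
        [string[]]
        $Path,

        # The query used to select the events to export. Only the events returned from the query will be exported. Queries are represented in MS Eventlog XPath.
        [Parameter(Mandatory = $true)]
        [String]
        $Query,

        # Computer to export events from. Type the NetBIOS name, an Internet Protocol (IP) address, or the fully qualified domain name of the computer.
        # To get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access.
        [Parameter(Mandatory = $true,
                   ValueFromPipelineByPropertyName = $true,
                   ParameterSetName = 'Remote')]
        [string]
        $ComputerName,

        # Specifies a user account that has permission to perform this action.
        #
        # Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will
        # be prompted for a password. If you type only the parameter name, you will be prompted for both a user name and a password.
        [Parameter(Mandatory = $false,
                   ParameterSetName = 'Remote')]
        [Management.Automation.PSCredential]
        [Management.Automation.CredentialAttribute()]
        $Credential
        
    )
    
    process {
        # -Path is optional in the signature for pipeline binding, but ExportLog cannot do
        # anything without a target; fail with a clear message instead of a .NET argument error.
        if (-not $Path) {
            throw [System.ArgumentException]::new("At least one target file must be supplied via -Path.", 'Path')
        }

        $EvtSession = $null
        try {
            switch ($PSCmdlet.ParameterSetName) {
                "Remote" {
                    if ($PSBoundParameters.ContainsKey("Credential")) {
                        # EventLogSession only exposes a credential-taking constructor of the form
                        # (server, domain, user, SecureString password, SessionAuthentication).
                        # Split Domain\User via NetworkCredential and keep the password as a
                        # SecureString so it is never decrypted into a managed string here.
                        $NetCred = $Credential.GetNetworkCredential()
                        $Domain = if ([string]::IsNullOrEmpty($NetCred.Domain)) { $null } else { $NetCred.Domain }
                        $EvtSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::new(
                            $ComputerName,
                            $Domain,
                            $NetCred.UserName,
                            $Credential.Password,
                            [System.Diagnostics.Eventing.Reader.SessionAuthentication]::Default)
                    } else {
                        # No explicit credential: the session runs as the calling user.
                        $EvtSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::new($ComputerName)
                    }
                }
                Default {
                    # "Local" parameter set: session against the local Event Log service.
                    $EvtSession = [System.Diagnostics.Eventing.Reader.EventLogSession]::new()
                }
            }

            $PathType = [System.Diagnostics.Eventing.Reader.PathType]::$SourceType

            # Only a file source is a filesystem path; a log name must be passed through untouched.
            $Source = $SourcePath
            if ($SourceType -eq 'FilePath') {
                $Source = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($SourcePath)
            }

            foreach ($Target in $Path) {
                # Resolve against the PowerShell location so relative targets land where the
                # caller expects rather than in the process working directory.
                $TargetFile = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($Target)
                Write-Verbose "Exporting events matching query from '$Source' ($SourceType) to '$TargetFile'."
                # NOTE(review): ExportLog is believed not to overwrite an existing target file
                # and to fail instead - confirm before relying on re-running into the same path.
                $EvtSession.ExportLog($Source, $PathType, $Query, $TargetFile)
            }
        }
        finally {
            # EventLogSession holds a native handle (and, remotely, an RPC binding); release it
            # even when ExportLog throws.
            if ($null -ne $EvtSession) {
                $EvtSession.Dispose()
            }
        }
    }
}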