EventLog/Get-SysmonNetworkConnect.ps1
function Get-SysmonNetworkConnect { <# .SYNOPSIS Get Sysmon Network Connect events (EventId 3). .DESCRIPTION The network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status. Events are cached and logged every 15 seconds. .EXAMPLE PS C:\> <example usage> Explanation of what the example does .INPUTS System.IO.FileInfo .OUTPUTS Sysmon.EventRecord.NetworkConnect .NOTES https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003 #> [CmdletBinding(DefaultParameterSetName = 'Local')] param ( # Log name for where the events are stored. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string] $LogName = 'Microsoft-Windows-Sysmon/Operational', # Process GUID for the process whose connection is logged. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $ProcessGuid, # Pocess Id of the process whose connection is logged. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $ProcessId, # Full path of process image that generated the connection. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $Image, # User under whose context the connection was made. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $User, # Protocol type of the connection. Either TCP or UDP. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] [ValidateSet('UDP','TCP')] $Protocol, # Was the connection initiated by the process. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string] [ValidateSet('true','false')] $Initiated, # Is the source IP an IPv6 addres. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string] [ValidateSet('true','false')] $SourceIsIpv6, # Source IP address. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $SourceIp, # Source hostname. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $SourceHostName, # Source port number for the connection. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [int[]] $SourcePort, # Source port name for the connection. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $SourcePortName, # Destination port number for the connection. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $DestinationPort, # Is the destination an IPv6 address. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] [ValidateSet('true','false')] $DestinationIsIpv6, # Destination IP Address for the connection. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $DestinationIp, # Destination hostname for the connection. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $DestinationHostname, # Destination port name for the connection. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [int[]] $DestinationPortName, # Rule Name for filter that generated the event. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [string[]] $RuleName, # Specifies the path to the event log files that this cmdlet get events from. Enter the paths to the log files in a comma-separated list, or use wildcard characters to create file path patterns. Function supports files with the .evtx file name extension. You can include events from different files and file types in the same command. [Parameter(Mandatory=$true, Position=0, ParameterSetName="file", ValueFromPipelineByPropertyName=$true)] [Alias("FullName")] [ValidateNotNullOrEmpty()] [SupportsWildcards()] [string[]] $Path, # Gets events from the event logs on the specified computer. Type the NetBIOS name, an Internet Protocol (IP) address, or the fully qualified domain name of the computer. # The default value is the local computer. # To get events and event logs from remote computers, the firewall port for the event log service must be configured to allow remote access. [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Remote')] [string[]] $ComputerName, # Specifies a user account that has permission to perform this action. # # Type a user name, such as User01 or Domain01\User01. Or, enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will # be prompted for a password. If you type only the parameter name, you will be prompted for both a user name and a password. [Parameter(Mandatory = $false, ParameterSetName = 'Remote')] [Management.Automation.PSCredential] [Management.Automation.CredentialAttribute()] $Credential, # Specifies the maximum number of events that are returned. Enter an integer. The default is to return all the events in the logs or files. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] [int64] $MaxEvents, # Stsrttime from where to pull events. [Parameter(Mandatory = $false)] [datetime] $StartTime, # Stsrttime from where to pull events. [Parameter(Mandatory = $false)] [datetime] $EndTime, # Changes the default logic for matching fields from 'and' to 'or'. [Parameter(Mandatory = $false)] [switch] $ChangeLogic, # Changes the query action from inclusion to exclusion when fields are matched. [Parameter(Mandatory = $false)] [switch] $Suppress ) begin {} process { Search-SysmonEvent -EventId 3 -ParamHash $MyInvocation.BoundParameters } end {} } |