Getting Sysmon logs with PowerShell turned out to be more awkward than expected. At first I assumed Get-EventLog would do the job, but after a good deal of trying it kept failing:

```
PS D:\> Get-EventLog -LogName Microsoft-Windows-Sysmon/Operational -Newest 20
Get-EventLog : 計算機「.」上的事件日誌「Microsoft-Windows-Sysmon/Operational」不存在。
所在位置 行:1 字符: 1
+ Get-EventLog -LogName Microsoft-Windows-Sysmon/Operational -Newest 20
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetEventLogCommand
```
Searching online showed that everyone uses Get-WinEvent instead. According to its help, this cmdlet can read all logs on local and remote computers (Get-EventLog only handles the classic logs, not the newer "Applications and Services" logs such as Sysmon's), and -ListLog * lists every log present on the current host:

```
PS C:\> Get-WinEvent -ListLog *

LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            20971520       24186 Application
Circular            20971520           0 HardwareEvents
Circular             1052672           0 Internet Explorer
Circular            20971520           0 Key Management Service
Circular             1052672         117 OAlerts
Circular             1052672           0 PreEmptive
Circular            20971520       25272 Security
Circular            20971520       13277 System
Circular            15728640        4381 Windows PowerShell
Circular             1052672           0 AMSI/Operational
Circular            20971520             ForwardedEvents
Circular             1052672         200 Lenovo-Power-BaseModule/Operational
Circular            10485760           0 Microsoft-AppV-Client/Admin
Circular            10485760           0 Microsoft-AppV-Client/Operational
Circular            10485760           0 Microsoft-AppV-Client/Virtual Applications
Circular             1052672        2103 Microsoft-Client-Licensing-Platform/Admin
Circular             1052672             Microsoft-Management-UI/Admin
Circular             1052672           0 Microsoft-Rdms-UI/Admin
Circular             1052672           0 Microsoft-Rdms-UI/Operational
Circular             1052672           0 Microsoft-User Experience Virtualization-Agent
......
```
Following the examples online, a hashtable passed to -FilterHashtable specifies the log name and the event ID at the same time, which returns the Sysmon events of one particular ID:

```
PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 10

   ProviderName:Microsoft-Windows-Sysmon

TimeCreated            Id LevelDisplayName Message
-----------            -- ---------------- -------
2019/4/1 22:23:35      17 信息             Pipe Created:...
2019/4/1 22:23:35      17 信息             Pipe Created:...
2019/4/1 22:23:35      17 信息             Pipe Created:...
2019/4/1 22:23:34      17 信息             Pipe Created:...
2019/4/1 22:23:34      17 信息             Pipe Created:...
2019/4/1 22:23:34      17 信息             Pipe Created:...
2019/4/1 22:23:33      17 信息             Pipe Created:...
2019/4/1 22:23:33      17 信息             Pipe Created:...
2019/4/1 22:23:33      17 信息             Pipe Created:...
2019/4/1 22:23:33      17 信息             Pipe Created:...
```
Next I wanted the rest of the information in each event, so I thought of Format-Table with an explicit property list. I first checked which fields a Sysmon event ID 17 carries: RuleName, UtcTime, ProcessGuid, ProcessId, PipeName and Image. Then I asked for those properties in the output:

```
PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 10 | Format-Table -Property UtcTime,processguid, processid,pipename,image -AutoSize -Wrap

UtcTime processguid ProcessId pipename image
------- ----------- --------- -------- -----
                         4140
                         4140
                         4140
                         4140
                         4140
                         4140
                         4140
                         4140
                         4140
                         4140
```
Only ProcessId had a value; every other column was empty, which was odd. So I used Format-List * to see what properties the event object actually has:

```
PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 10 | Format-List *

Message              : Pipe Created:
                       RuleName:
                       UtcTime: 2019-04-01 14:23:35.814
                       ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000}
                       ProcessId: 6724
                       PipeName: <Anonymous Pipe>
                       Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Id                   : 17
Version              : 1
Qualifiers           :
Level                : 4
Task                 : 17
Opcode               : 0
Keywords             : -9223372036854775808
RecordId             : 113253
ProviderName         : Microsoft-Windows-Sysmon
ProviderId           : 5770385f-c22a-43e0-bf4c-06f5698ffbd9
LogName              : Microsoft-Windows-Sysmon/Operational
ProcessId            : 4140
ThreadId             : 6228
MachineName          : DESKTOP-DKGHJUN
UserId               : S-1-5-18
TimeCreated          : 2019/4/1 22:23:35
ActivityId           :
RelatedActivityId    :
ContainerLog         : Microsoft-Windows-Sysmon/Operational
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : 信息
OpcodeDisplayName    : 信息
TaskDisplayName      : Pipe Created (rule: PipeEvent)
KeywordsDisplayNames : {}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty,
                       System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty...}
......
```
So all of the Sysmon event data lives inside Message, and the ProcessId column shown earlier was not even the right one: the top-level ProcessId (4140) belongs to the process that wrote the event, the Sysmon service, while the ProcessId of the process that actually created the pipe (6724) only appears in the event data. That explains it. In other words, to get at the Sysmon event data it is enough to display just the Message:

```
PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 10 | Format-Table -Property message -Wrap

Message
-------
Pipe Created:
RuleName:
UtcTime: 2019-04-01 14:23:35.814
ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000}
ProcessId: 6724
PipeName: <Anonymous Pipe>
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Pipe Created:
RuleName:
UtcTime: 2019-04-01 14:23:35.751
ProcessGuid: {791A80C2-1EE7-5CA2-0000-00108D0AF000}
ProcessId: 856
PipeName: <Anonymous Pipe>
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Pipe Created:
```
That output is still hard to read, though; a few columns in front would make each event easier to tell apart. Going back over the Format-List * output for properties worth showing, this time I picked two: Id and TaskDisplayName:

```
PS C:\> Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-Sysmon/Operational';id=17} -MaxEvents 5 | Format-Table -Property ID,TaskDisplayName,message -Wrap

Id TaskDisplayName                Message
-- ---------------                -------
17 Pipe Created (rule: PipeEvent) Pipe Created:
                                  RuleName:
                                  UtcTime: 2019-04-01 14:23:35.814
                                  ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000}
                                  ProcessId: 6724
                                  PipeName: <Anonymous Pipe>
                                  Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
17 Pipe Created (rule: PipeEvent) Pipe Created:
                                  RuleName:
                                  UtcTime: 2019-04-01 14:23:35.751
                                  ProcessGuid: {791A80C2-1EE7-5CA2-0000-00108D0AF000}
                                  ProcessId: 856
                                  PipeName: <Anonymous Pipe>
                                  Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
17 Pipe Created (rule: PipeEvent) Pipe Created:
                                  RuleName:
                                  UtcTime: 2019-04-01 14:23:35.353
                                  ProcessGuid: {791A80C2-1EE7-5CA2-0000-00103F04F000}
                                  ProcessId: 10636
                                  PipeName: <Anonymous Pipe>
                                  Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
......
```
But this result is not good either, because once the events of a given ID have been fetched, the fields inside Message are just text, so there is no way to keep searching or filtering on them.
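One way around both problems (the misleading top-level ProcessId and the Message being plain text) is to read the event's own XML instead of the rendered message: every Sysmon field is a `<Data Name="...">` element under `<EventData>`, and the `EventRecord.ToXml()` method exposes it. The function below is an added example, not code from the original post; it turns each Sysmon record into an object with one property per EventData field, so the pipeline can continue with Where-Object or Format-Table on the real field names. The function name `ConvertFrom-SysmonEvent` and the filter in the usage line are the example's own choices.

```powershell
# Added example: expose Sysmon EventData fields as object properties.
# Works for any Sysmon event ID, not just 17, because the field names are read from the XML.
function ConvertFrom-SysmonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record
    )
    process {
        # The record's own ProcessId is the logging process (the Sysmon service),
        # so the event's real fields must come from the <EventData> element.
        [xml]$xml = $Record.ToXml()

        # Keep a few header fields for context, then append every EventData field by name.
        $props = [ordered]@{
            TimeCreated = $Record.TimeCreated
            Id          = $Record.Id
            Task        = $Record.TaskDisplayName
        }
        foreach ($data in $xml.Event.EventData.Data) {
            # Data elements look like <Data Name="Image">C:\...\ngen.exe</Data>;
            # an empty element (e.g. RuleName) yields $null for '#text'.
            $props[$data.Name] = $data.'#text'
        }
        [pscustomobject]$props
    }
}

# Usage: the converted objects can be filtered on the Sysmon fields themselves,
# e.g. keep only named pipes (the '<Anonymous Pipe>' literal is what Sysmon writes),
# and the ProcessId column now shows the pipe creator's PID rather than Sysmon's.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17 } -MaxEvents 50 |
    ConvertFrom-SysmonEvent |
    Where-Object { $_.PipeName -ne '<Anonymous Pipe>' } |
    Format-Table TimeCreated, ProcessId, Image, PipeName -AutoSize -Wrap
```

The same objects can be piped to Export-Csv or Group-Object (for example grouping by Image) for a quick inventory of which binaries create pipes on a host, which is the usual starting point for reviewing Sysmon pipe events. Note that dot-notation on the parsed XML ignores the event namespace, which is why `$xml.Event.EventData.Data` works without any namespace manager.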
Two problems remain: