Some changes are pure convenience, and others are to make auditing functions work on Windows Server 2019.
Changes Get-WDACCodeIntegrityEvent to return a NULL value for PolicyGUID if event data does not supply one (quick'n'dirty fix to make function work on Windows Server 2019)
Adds Get-WinEventData function that creates a pscustomobject with named properties based on the referenced event template. This makes it easier to discover and reference available data from an event.
Adds Get-WDACPolicyRefreshEventFilter function to lookup last policy refresh, and allow that to be used in Get-WDACApplockerScriptMsiEvent as well.
Changes Get-WDACCodeIntegrityEvent and Get-WDACApplockerScriptMsiEvent to use the two new functions.
Adds a -SinceLastPolicyRefresh to Get-WDACApplockerScriptMsiEvent to only get events since last policy refresh
Adds a -IgnoreNativeImagesDLLs switch to Get-WDACCodeIntegrityEvent to skip those *.ni.dll "false positive" events from showing.
Code will need a bit of reviewing to ensure I still pick the right properties from event data, and the name of the -IgnoreNativeImagesDLLs is definitely open for debate. Speaking of that switch, the implementation is a bit of a quick'n'dirty hack as well - a nicer implementation could be made, that skipped those events earlier on to speed up processing time, but that would require more of a rewrite, and I wanted to check with you first before optionally doing that.
Let me know what you think of the changes - I am totally open to changing what I have made, if you don't agree with the approach, style, naming or what have you :)
Some changes are pure convenience, and others are to make auditing functions work on Windows Server 2019.
Get-WDACCodeIntegrityEventto return a NULL value for PolicyGUID if event data does not supply one (quick'n'dirty fix to make function work on Windows Server 2019)Get-WinEventDatafunction that creates a pscustomobject with named properties based on the referenced event template. This makes it easier to discover and reference available data from an event.Get-WDACPolicyRefreshEventFilterfunction to lookup last policy refresh, and allow that to be used inGet-WDACApplockerScriptMsiEventas well.Get-WDACCodeIntegrityEventandGet-WDACApplockerScriptMsiEventto use the two new functions.-SinceLastPolicyRefreshtoGet-WDACApplockerScriptMsiEventto only get events since last policy refresh-IgnoreNativeImagesDLLsswitch toGet-WDACCodeIntegrityEventto skip those*.ni.dll"false positive" events from showing.Code will need a bit of reviewing to ensure I still pick the right properties from event data, and the name of the
-IgnoreNativeImagesDLLsis definitely open for debate. Speaking of that switch, the implementation is a bit of a quick'n'dirty hack as well - a nicer implementation could be made, that skipped those events earlier on to speed up processing time, but that would require more of a rewrite, and I wanted to check with you first before optionally doing that.Let me know what you think of the changes - I am totally open to changing what I have made, if you don't agree with the approach, style, naming or what have you :)
Thoughts?