Some changes are pure convenience, and others are to make auditing functions work on Windows Server 2019.
Changes Get-WDACCodeIntegrityEvent to return a NULL value for PolicyGUID if event data does not supply one (quick'n'dirty fix to make function work on Windows Server 2019)
Adds Get-WinEventData function that creates a pscustomobject with named properties based on the referenced event template. This makes it easier to discover and reference available data from an event.
Adds Get-WDACPolicyRefreshEventFilter function to look up last policy refresh, and allow that to be used in Get-WDACApplockerScriptMsiEvent as well.
Changes Get-WDACCodeIntegrityEvent and Get-WDACApplockerScriptMsiEvent to use the two new functions.
Adds a -SinceLastPolicyRefresh to Get-WDACApplockerScriptMsiEvent to only get events since last policy refresh
Adds a -IgnoreNativeImagesDLLs switch to Get-WDACCodeIntegrityEvent to skip those *.ni.dll "false positive" events from showing.
Code will need a bit of reviewing to ensure I still pick the right properties from event data, and the name of the -IgnoreNativeImagesDLLs is definitely open for debate. Speaking of that switch, the implementation is a bit of a quick'n'dirty hack as well - a nicer implementation could be made that skipped those events earlier on to speed up processing time, but that would require more of a rewrite, and I wanted to check with you first before optionally doing that.
Let me know what you think of the changes - I am totally open to changing what I have made, if you don't agree with the approach, style, naming or what have you :)
Thoughts?
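As an added example (not code from this PR or the project it targets), here is one way the behaviours described above can be implemented over an event's own XML rather than the provider template: one named property per `<Data Name="...">`, `$null` for PolicyGUID when the event data does not supply one, and an optional skip of `*.ni.dll` entries. The function name ConvertFrom-WdacEventXml, the Data element name FileNameBuffer and the sample records are assumptions constructed for the example.

```powershell
function ConvertFrom-WdacEventXml {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [switch]$IgnoreNativeImagesDLLs   # switch name taken from the PR description
    )
    process {
        [xml]$xml = $EventXml
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        # One named property per <Data Name="...">, so the data is discoverable by name
        $props = [ordered]@{ EventId = [int]$xml.SelectSingleNode('//e:System/e:EventID', $ns).InnerText }
        foreach ($d in $xml.SelectNodes('//e:EventData/e:Data', $ns)) {
            $name = $d.GetAttribute('Name')
            if ($name) { $props[$name] = $d.InnerText }
        }
        # Some events (e.g. on Server 2019) carry no PolicyGUID: expose $null rather than an unknown property
        if (-not $props.Contains('PolicyGUID')) { $props['PolicyGUID'] = $null }
        $obj = [pscustomobject]$props
        # Assumption: the file path is in a Data element named FileNameBuffer; adjust to the real template
        if ($IgnoreNativeImagesDLLs -and $obj.FileNameBuffer -like '*.ni.dll') { return }
        $obj
    }
}

# Constructed sample records (not real log output): a *.ni.dll event with no PolicyGUID, and a normal one
$samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3076</EventID></System>
  <EventData>
    <Data Name="FileNameBuffer">C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\abc\mscorlib.ni.dll</Data>
    <Data Name="ProcessNameBuffer">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3076</EventID></System>
  <EventData>
    <Data Name="FileNameBuffer">C:\Users\alice\Downloads\tool.exe</Data>
    <Data Name="PolicyGUID">{11111111-2222-3333-4444-555555555555}</Data>
  </EventData>
</Event>
'@)

# With -IgnoreNativeImagesDLLs only the second record is returned; drop the switch to see both
$samples | ConvertFrom-WdacEventXml -IgnoreNativeImagesDLLs | Format-List
# Live log: Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-WdacEventXml
```

Filtering on the parsed object is the same late-stage skip the PR describes; filtering earlier, before ToXml(), is where the speed-up mentioned above would come from.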