Overview

Many event sources include custom data.  Extracting this data involves manipulating XML or other properties of an event - no fun.

This function extracts data from the XML behind an event and adds it to the event for your viewing pleasure.

This is just a function wrapper around Ashley McGlone's handy code for parsing this XML.  Certain events don't use the EventData node (e.g. AppLocker events) and would need other logic for parsing.

An example using Get-WinEventData together with Sysmon events

Instructions

PowerShell
# Import the function into the current session
. "\\Path\To\Get-WinEventData.ps1"

# Get help for the command
Get-Help Get-WinEventData -Full

# Example showing the computer an event was generated on, the time, and any custom event data
Get-WinEvent -LogName system -MaxEvents 1 |
    Get-WinEventData |
    Select-Object MachineName, TimeCreated, EventData*

# Example illustrating the extraction of account lockout records from DC1.
# This would show you the time an account was locked out, who was locked out, and what system locked them out.
Get-WinEvent -ComputerName DC1 -FilterHashtable @{LogName='security'; Id=4740} -MaxEvents 10 |
    Get-WinEventData |
    Select-Object TimeCreated, EventDataTargetUserName, EventDataTargetDomainName