The only thing I have changed in this script is where the output file goes to, everything else is the same. When I run the script in ISE I get a weird error about Get-WinEvent not working, however when I run it from the shell or as a scheduled task it works fine.
When I run the script from the shell the file outputs with the UPN, IP, Time. When I run it as a scheduled task, the file outputs with UPN, IP but no time. I have the scheduled task running as system, and running with highest privileges. If I run the scheduled task as my domain admin account (obviously a no no, but this was for testing purposes) it outputs with time. Any ideas on how to get it to run as system and get time? Or do I need to create a service account to do this? (my least favorable option, as my security team is going to be a pain in the ass about it)
PARAM ($PastDays = 1, $PastHours)
#************************************************
# ADFSBadCredsSearch.ps1
# Version 1.0
# Date: 6-20-2016
# Author: Tim Springston [MSFT]
# Description: This script will parse the ADFS server's (not proxy) Security event log
# for events which indicate an incorrectly entered username or password. The script can specify a
# past period to search the log for and it defaults to the past 24 hours. Results will be placed into a CSV for
# review of UPN, IP address of submitter, and timestamp.
#************************************************
$dToday = Get-Date -format "MM-dd-yyyy"
cls
if ($PastHours -gt 0) {$PastPeriod = (Get-Date).AddHours(-($PastHours))}
else {$PastPeriod = (Get-Date).AddDays(-($PastDays))}
# Output path on the file server; the same variable is used for the write and the final message.
$Outputfile = "\\fileserver\" + $dToday + "_" + "adfslogs.csv"
$CS = Get-WmiObject -Class win32_computersystem
$Hostname = $CS.Name + '.' + $CS.Domain
$Instances = @{}
$OSVersion = gwmi win32_operatingsystem
[int]$BN = $OSVersion.Buildnumber
if ($BN -lt 9200) {$ADFSLogName = "AD FS 2.0/Admin"}
else {$ADFSLogName = "AD FS/Admin"}
$Users = @()
$IPAddresses = @()
$Times = @()
$AllInstances = @()
Write-Host "Searching event log for bad credential events..."
if ($BN -ge 9200) {
    # Event 411 in the Security log is the AD FS token validation failure; keep only the bad-credential variant.
    Get-WinEvent -FilterHashTable @{LogName="Security"; StartTime=$PastPeriod; ID=411} -ErrorAction SilentlyContinue |
    Where-Object {$_.Message -match "The user name or password is incorrect"} |
    ForEach-Object {
        $Instance = New-Object PSObject
        $UPN = $_.Properties[2].Value
        $UPN = $UPN.Split("-")[0]
        $IPAddress = $_.Properties[4].Value
        $Users += $UPN
        $IPAddresses += $IPAddress
        $Times += $_.TimeCreated
        Add-Member -InputObject $Instance -MemberType NoteProperty -Name "UserPrincipalName" -Value $UPN
        Add-Member -InputObject $Instance -MemberType NoteProperty -Name "IP Address" -Value $IPAddress
        Add-Member -InputObject $Instance -MemberType NoteProperty -Name "Time" -Value ($_.TimeCreated).ToString()
        $AllInstances += $Instance
        $Instance = $null
    }
}
# Export-Csv writes every property as a column regardless of console width.
# "select * | Out-File" writes a formatted table instead, which Out-File cuts at its
# default 80-character width when no console is attached, so trailing columns can be truncated.
$AllInstances | Export-Csv -Path $Outputfile -NoTypeInformation
Write-Host "Data collection finished. The output file can be found at $Outputfile`."
$AllInstances = $null
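An added example, not part of the original post or of the script's author: once the CSV exists, the rows are more useful when rolled up per source address, since many failures from one IP against many different UPNs is the shape of a password-spray attempt rather than a user mistyping. This example assumes the column names the script writes (UserPrincipalName, "IP Address", Time); the CSV rows, the share path and the threshold of 3 attempts are constructed values for illustration.

```powershell
# Added example (not from the original post): summarize bad-credential rows per source IP.
# Assumes the CSV columns produced by ADFSBadCredsSearch.ps1: UserPrincipalName, "IP Address", Time.

# Constructed sample rows standing in for a real output CSV.
$sampleCsv = @"
"UserPrincipalName","IP Address","Time"
"alice@example.com","203.0.113.10","6/20/2016 8:01:12 AM"
"bob@example.com","203.0.113.10","6/20/2016 8:01:15 AM"
"carol@example.com","203.0.113.10","6/20/2016 8:01:19 AM"
"alice@example.com","198.51.100.7","6/20/2016 9:30:00 AM"
"dave@example.com","203.0.113.10","6/20/2016 8:01:22 AM"
"@
$rows = $sampleCsv | ConvertFrom-Csv

function Get-BadCredSummary {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [int]$Threshold = 3   # attempts per source before it is flagged (assumed value)
    )
    $Rows | Group-Object -Property 'IP Address' | ForEach-Object {
        # The script stores Time via .ToString(), so the text follows the server's culture;
        # the [datetime] cast parses it with the invariant culture, which matches en-US output.
        $times = $_.Group | ForEach-Object { [datetime]$_.Time }
        [PSCustomObject]@{
            'IP Address'  = $_.Name
            Attempts      = $_.Count
            DistinctUsers = ($_.Group | Select-Object -ExpandProperty UserPrincipalName -Unique).Count
            FirstSeen     = ($times | Measure-Object -Minimum).Minimum
            LastSeen      = ($times | Measure-Object -Maximum).Maximum
            Flagged       = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Attempts -Descending
}

Get-BadCredSummary -Rows $rows | Format-Table -AutoSize

# Against the script's real output instead of the sample (path is a placeholder):
# Get-BadCredSummary -Rows (Import-Csv '\\fileserver\06-20-2016_adfslogs.csv')
```

With the sample rows, 203.0.113.10 shows 4 attempts across 4 distinct users within ten seconds and is flagged, while 198.51.100.7 shows a single attempt and is not. Running the summary from the same scheduled task keeps the review step in one place and gives the security team a per-source view rather than a raw event list.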