Merge pull request #76 from Yamato-Security/hotfix/security_eventidst…

…atistics#75 Hotfix/security eventidstatistics#75
Yamato-Security · Dec 24, 2021 · 7655916 · 7655916
2 parents 4a9b200 + 159864b
commit 7655916
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 87 deletions.
diff --git a/Analyzers/Security-LogonTimeline.ps1 b/Analyzers/Security-LogonTimeline.ps1
@@ -90,92 +90,6 @@ Function Format-FileSize {
  Else { "" }
 }
 
-function EventInfo ($eventIDNumber) {
-
- [hashtable]$return = @{}
-
- switch ( $eventIDNumber ) {
- "1100" { $return = $1100 }
- "1101" { $return = $1101 }
- "1102" { $return = $1102 }
- "1107" { $return = $1107 }
- "4608" { $return = $4608 }
- "4610" { $return = $4610 }
- "4611" { $return = $4611 }
- "4614" { $return = $4614 }
- "4616" { $return = $4616 }
- "4622" { $return = $4622 }
- "4624" { $return = $4624 }
- "4625" { $return = $4625 }
- "4627" { $return = $4627 }
- "4634" { $return = $4634 }
- "4647" { $return = $4647 }
- "4648" { $return = $4648 }
- "4672" { $return = $4672 }
- "4673" { $return = $4673 }
- "4674" { $return = $4674 }
- "4688" { $return = $4688 }
- "4696" { $return = $4696 }
- "4692" { $return = $4692 }
- "4697" { $return = $4697 }
- "4717" { $return = $4717 }
- "4719" { $return = $4719 }
- "4720" { $return = $4720 }
- "4722" { $return = $4722 }
- "4724" { $return = $4724 }
- "4725" { $return = $4725 }
- "4726" { $return = $4726 }
- "4728" { $return = $4728 }
- "4729" { $return = $4729 }
- "4732" { $return = $4732 }
- "4733" { $return = $4733 }
- "4735" { $return = $4735 }
- "4727" { $return = $4727 }
- "4738" { $return = $4738 }
- "4739" { $return = $4739 }
- "4776" { $return = $4776 }
- "4778" { $return = $4778 }
- "4779" { $return = $4779 }
- "4797" { $return = $4797 }
- "4798" { $return = $4798 }
- "4799" { $return = $4799 }
- "4781" { $return = $4781 }
- "4800" { $return = $4800 }
- "4801" { $return = $4801 }
- "4826" { $return = $4826 }
- "4902" { $return = $4902 }
- "4904" { $return = $4904 }
- "4905" { $return = $4905 }
- "4907" { $return = $4907 }
- "4944" { $return = $4944 }
- "4945" { $return = $4945 }
- "4946" { $return = $4946 }
- "4947" { $return = $4947 }
- "4948" { $return = $4948 }
- "4954" { $return = $4954 }
- "4956" { $return = $4956 }
- "4985" { $return = $4985 }
- "5024" { $return = $5024 }
- "5033" { $return = $5033 }
- "5038" { $return = $5038 }
- "5058" { $return = $5058 }
- "5059" { $return = $5059 }
- "5061" { $return = $5061 }
- "5140" { $return = $5140 }
- "5142" { $return = $5142 }
- "5144" { $return = $5144 }
- "5379" { $return = $5379 }
- "5381" { $return = $5381 }
- "5382" { $return = $5382 }
- "5478" { $return = $5478 }
- "5889" { $return = $5889 }
- "5890" { $return = $5890 }
- default { $return = $unregistered }
- }
-
- return $return
-
-}
 
 function Get-KerberosStatusStr {
  param(

diff --git a/Config/util.ps1 b/Config/util.ps1
@@ -76,14 +76,102 @@ function Check-DateString() {
  default { return "" }
  }
  try {
- $Date = [DateTime]::ParseExact($DateString, $testFormat,$null)
+ $Date = [DateTime]::ParseExact($DateString, $testFormat, $null)
  return $Date.ToString($DateFormat)
  }
  catch {
  return ""
  }
 }
 
+function EventInfo ($eventIDNumber) {
+
+ [hashtable]$return = @{}
+
+ switch ( $eventIDNumber ) {
+ "1100" { $return = $1100 }
+ "1101" { $return = $1101 }
+ "1102" { $return = $1102 }
+ "1107" { $return = $1107 }
+ "4608" { $return = $4608 }
+ "4610" { $return = $4610 }
+ "4611" { $return = $4611 }
+ "4614" { $return = $4614 }
+ "4616" { $return = $4616 }
+ "4622" { $return = $4622 }
+ "4624" { $return = $4624 }
+ "4625" { $return = $4625 }
+ "4627" { $return = $4627 }
+ "4634" { $return = $4634 }
+ "4647" { $return = $4647 }
+ "4648" { $return = $4648 }
+ "4672" { $return = $4672 }
+ "4673" { $return = $4673 }
+ "4674" { $return = $4674 }
+ "4688" { $return = $4688 }
+ "4696" { $return = $4696 }
+ "4692" { $return = $4692 }
+ "4697" { $return = $4697 }
+ "4717" { $return = $4717 }
+ "4719" { $return = $4719 }
+ "4720" { $return = $4720 }
+ "4722" { $return = $4722 }
+ "4724" { $return = $4724 }
+ "4725" { $return = $4725 }
+ "4726" { $return = $4726 }
+ "4728" { $return = $4728 }
+ "4729" { $return = $4729 }
+ "4732" { $return = $4732 }
+ "4733" { $return = $4733 }
+ "4735" { $return = $4735 }
+ "4727" { $return = $4727 }
+ "4738" { $return = $4738 }
+ "4739" { $return = $4739 }
+ "4776" { $return = $4776 }
+ "4778" { $return = $4778 }
+ "4779" { $return = $4779 }
+ "4797" { $return = $4797 }
+ "4798" { $return = $4798 }
+ "4799" { $return = $4799 }
+ "4781" { $return = $4781 }
+ "4800" { $return = $4800 }
+ "4801" { $return = $4801 }
+ "4826" { $return = $4826 }
+ "4902" { $return = $4902 }
+ "4904" { $return = $4904 }
+ "4905" { $return = $4905 }
+ "4907" { $return = $4907 }
+ "4944" { $return = $4944 }
+ "4945" { $return = $4945 }
+ "4946" { $return = $4946 }
+ "4947" { $return = $4947 }
+ "4948" { $return = $4948 }
+ "4954" { $return = $4954 }
+ "4956" { $return = $4956 }
+ "4985" { $return = $4985 }
+ "5024" { $return = $5024 }
+ "5033" { $return = $5033 }
+ "5038" { $return = $5038 }
+ "5058" { $return = $5058 }
+ "5059" { $return = $5059 }
+ "5061" { $return = $5061 }
+ "5140" { $return = $5140 }
+ "5142" { $return = $5142 }
+ "5144" { $return = $5144 }
+ "5379" { $return = $5379 }
+ "5381" { $return = $5381 }
+ "5382" { $return = $5382 }
+ "5478" { $return = $5478 }
+ "5889" { $return = $5889 }
+ "5890" { $return = $5890 }
+ default { $return = $unregistered }
+ }
+
+ return $return
+
+}
+
+
 
 # following check function in DeepBlueCLI.