
Wednesday, November 28, 2018

LogParser basic syntax

LogParser.exe -i:EVT -h       # prints the columns available for the EVT input format

# Windows Auth (Security)
# filter on LogonType <> '3' (excludes type 3, i.e. network logons)
LogParser.exe -i:EVT "SELECT TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as username,EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM logs.evtx where EventID=4624 and EXTRACT_TOKEN(Strings, 8, '|') <> '3'"

# Windows Task Scheduler
LogParser.exe -i:EVT "SELECT EXTRACT_TOKEN(Strings, 0, '|') as TaskName, EXTRACT_TOKEN(Strings, 1, '|') as Path, EXTRACT_TOKEN(Strings, 2, '|') as ProcessId, EXTRACT_TOKEN(Strings, 3, '|') AS Priority FROM Microsoft-Windows-TaskScheduler%4Operational.evtx where EventID = 129 and EXTRACT_TOKEN(Strings, 1, '|') not like '%Sophos%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%GoogleUpdate%' and EXTRACT_TOKEN(Strings, 0, '|') not like '%Database One%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%Small Business%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%Solutions BPA%'"

LogParser.exe -i:EVT "select * from security.evtx" -rtp:-1

LogParser.exe -i:EVT "select * from security.evtx_ where eventid=4703" -rtp:-1

LogParser.exe -i:EVT "select eventid, count(*) from security.evtx_ group by eventid order by count(*) desc" -rtp:-1

LogParser.exe -i:EVT "select eventid, count(*) from security.evtx_ group by eventid order by count(*) desc"  -rtp:-1 -o:csv > out.csv

LogParser.exe -i:EVT "select timegenerated from system.evtx_ where message not like '%description for%' AND timegenerated >= '2018-11-26 05:00:00' and timegenerated <= '2018-11-26 18:00:00'"  -rtp:-1

LogParser.exe -i:EVT "select timegenerated, strings from security.evtx_ where strings not like '%privilege%'"  -rtp:-1 -o:csv > out.csv
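The 4624 query and the count-by-EventID query above depend on two things being right: the zero-based token positions that EXTRACT_TOKEN pulls out of the Strings column, and the fact that LogonType is compared as a string. The following is an added example, not code from the original post, that re-implements both queries in plain Python over a constructed sample log so the positions and the filter can be checked offline (the sample records, SIDs, hostnames and IPs are all made up):

```python
"""Added example, not from the original post: a plain-Python re-implementation
of two of the LogParser queries above (the 4624 logon query and the
count-by-EventID query), run over constructed sample records."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    """Minimal stand-in for a LogParser EVT row (constructed, not a real record)."""
    time_generated: str
    event_id: int
    strings: str  # EventData fields pipe-joined, as LogParser's Strings column shows them


def extract_token(strings: str, index: int, sep: str = "|") -> Optional[str]:
    """Mirror LogParser's EXTRACT_TOKEN(Strings, index, sep): zero-based token,
    None when the index is out of range."""
    parts = strings.split(sep)
    return parts[index] if 0 <= index < len(parts) else None


def make_4624(user: str, logon_type: int, process: str, ip: str) -> str:
    """Build a constructed 4624 Strings value in EventData order so that
    index 5 = TargetUserName, 8 = LogonType, 17 = ProcessName, 18 = IpAddress."""
    fields = [
        "S-1-0-0", "-", "-", "0x3e7",                  # 0-3   Subject*
        "S-1-5-21-1", user, "CORP", "0x1a2b",          # 4-7   Target*
        str(logon_type), "NtLmSsp", "NTLM", "WS01",    # 8-11  LogonType, LogonProcess, AuthPkg, Workstation
        "{00000000-0000-0000-0000-000000000000}", "-", "NTLM V2", "128",  # 12-15 LogonGuid .. KeyLength
        "0x2e8", process, ip, "49152",                 # 16-19 ProcessId, ProcessName, IpAddress, IpPort
    ]
    return "|".join(fields)


# Constructed sample log: three logons, two logoffs, one special-privilege event.
SAMPLE_EVENTS: List[Event] = [
    Event("2018-11-26 08:01:10", 4624, make_4624("alice", 2, r"C:\Windows\System32\winlogon.exe", "-")),
    Event("2018-11-26 08:01:11", 4672, "S-1-5-21-1|alice|CORP|0x1a2b|SeDebugPrivilege"),
    Event("2018-11-26 08:15:42", 4624, make_4624("svc_backup", 3, "-", "10.0.0.25")),
    Event("2018-11-26 09:30:05", 4624, make_4624("bob", 10, r"C:\Windows\System32\svchost.exe", "10.0.0.40")),
    Event("2018-11-26 09:45:00", 4634, "S-1-5-21-1|alice|CORP|0x1a2b|2"),
    Event("2018-11-26 17:02:13", 4634, "S-1-5-21-1|bob|CORP|0x3c4d|10"),
]


def non_network_logons(events: List[Event]) -> List[Dict[str, Optional[str]]]:
    """Equivalent of:
      SELECT TimeGenerated AS LoginTime, EXTRACT_TOKEN(Strings,5,'|') AS username, ...
      FROM logs.evtx WHERE EventID=4624 AND EXTRACT_TOKEN(Strings,8,'|') <> '3'
    LogonType is compared as a string, exactly as the LogParser query does."""
    rows = []
    for ev in events:
        if ev.event_id != 4624:
            continue
        if extract_token(ev.strings, 8) == "3":   # drop type 3 (network) logons
            continue
        rows.append({
            "LoginTime": ev.time_generated,
            "username": extract_token(ev.strings, 5),
            "LogonType": extract_token(ev.strings, 8),
            "ProcessName": extract_token(ev.strings, 17),
            "SourceIP": extract_token(ev.strings, 18),
        })
    return rows


def eventid_counts(events: List[Event]) -> List[Tuple[int, int]]:
    """Equivalent of:
      SELECT eventid, count(*) FROM security.evtx GROUP BY eventid ORDER BY count(*) DESC"""
    counts = Counter(ev.event_id for ev in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for row in non_network_logons(SAMPLE_EVENTS):
        print(row)
    for event_id, n in eventid_counts(SAMPLE_EVENTS):
        print(f"{event_id}\t{n}")
```

On the sample above the logon query returns alice (type 2) and bob (type 10) and drops svc_backup's type 3 network logon; the count query returns 4624 first with three hits. Because `extract_token` returns None for a missing index, a record with fewer fields than expected (older 4624 layouts have fewer tokens) shows up as an empty column rather than a crash, which is the same thing LogParser does.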


NOTE:
The -rtp:-1 parameter suppresses the "press a key" paging of output rows that LogParser applies by default.

NOTE:
If you get "The description for event id ... cannot be found" for every message, it might be because the user account needs the "Manage auditing and security log" permission.