Parsing a large multi-line text field (variable) for a specific string and extract text from it:<\/p>\n
Subject: This event is generated when a logon session is created. It is generated on the computer that was accessed.<\/p>\n The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.<\/p>\n The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).<\/p>\n The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.<\/p>\n The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.<\/p>\n The authentication information fields provide detailed information about this specific logon request.<\/p>\n The authentication information fields provide detailed information about this specific logon request.<\/p>\n Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. \u201c@<\/p>\n $EventMessageLogonNumber = $EventMessage | Select-String -Pattern \u201cLogon Type:\\w+\u201d -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value Parsing a large multi-line text field (variable) for a specific string and extract text from it: $EventMessage = @\u201d An account was successfully logged on. Subject: Security ID:\u00a0 SYSTEM Account Name:\u00a0 METCORPWKS201$ Account Domain:\u00a0 METCORP Logon ID:\u00a0 0x2b5 Logon Type:10 New Logon: Security ID:\u00a0 METCORP\\Administrator Account Name:\u00a0 Administrator Account Domain:\u00a0 METCORPWKS201 Logon ID:\u00a0 0bc123d Logon … <\/p>\n$EventMessage =
\n@\u201d
\nAn account was successfully logged on.<\/p>\n
\nSecurity ID:\u00a0 SYSTEM
\nAccount Name:\u00a0 METCORPWKS201$
\nAccount Domain:\u00a0 METCORP
\nLogon ID:\u00a0 0x2b5
\nLogon Type:10
\nNew Logon:
\nSecurity ID:\u00a0 METCORP\\Administrator
\nAccount Name:\u00a0 Administrator
\nAccount Domain:\u00a0 METCORPWKS201
\nLogon ID:\u00a0 0bc123d
\nLogon GUID:\u00a0 {00000000-0000-0000-0000-000000000000}
\nProcess Information:
\nProcess ID:\u00a0 0x123
\nProcess Name:\u00a0 C:\\Windows\\System32\\winlogon.exe
\nNetwork Information:
\nWorkstation Name: METCORPWKS201
\nSource Network Address: 10.10.10.201
\nSource Port:\u00a0 1234
\nDetailed Authentication Information:
\nLogon Process:\u00a0 User32
\nAuthentication Package: Negotiate
\nTransited Services: \u2013
\nPackage Name (NTLM only): \u2013
\nKey Length:\u00a0 0<\/p>\n
\nTransited services indicate which intermediate services have participated in this logon request.
\nPackage name indicates which sub-protocol was used among the NTLM protocols.
\nKey length indicates the length of the generated session key. This will be 0 if no session key was requested.<\/p>\n
\n$EventMessageAccountNameText = $EventMessage | Select-String -Pattern \u201cAccount Name:\\s+\\w+\u201d -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
\n$EventMessageAccountName = (($EventMessageNameText -split \u201c:\u201d)[1]) -Replace(\u201c`t\u201d,\u201d\u201d)
\n$EventMessageWorkstationNameText = $EventMessage | Select-String -Pattern \u201cWorkstation Name:\\s+\\S+\u201d -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
\n$EventMessageWorkstationName = (($EventMessageWorkstationNameText -split \u201c:\u201d)[1]) -Replace(\u201c`t\u201d,\u201d\u201d)
\n$EventMessageSourceIPText = $EventMessage | Select-String -Pattern \u201cSource Network Address:\\s+\\S+\u201d -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
\n$EventMessageSourceIP = (($EventMessageSourceIPText -split \u201c:\u201d)[1]) -Replace(\u201c`t\u201d,\u201d\u201d)
\n$EventMessageLogonNumber
\n$EventMessageAccountName
\n$EventMessageWorkstationName
\n$EventMessageSourceIP<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"