From 373750e1ea979d0fb769a4f94324e3f02c4fc325 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 12 Oct 2018 12:03:46 -0700 Subject: [PATCH] new topic from Ted Hardy --- windows/security/threat-protection/TOC.md | 1 + .../how-to-list-xml-elements-in-eventdata.md | 83 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 7b94429cea..76837097e0 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -465,6 +465,7 @@ ##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) ##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) ###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) +###### [How to list XML elements in ](auditing/how-to-list-xml-elements-in-eventdata.md) ###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) ####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md new file mode 100644 index 0000000000..a332ef1410 --- /dev/null +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md 
@@ -0,0 +1,83 @@ +--- +title: How to get a list of XML elements in (Windows 10) +description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML elements that can appear in . +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: tedhardyMSFT +ms.date: 10/12/2018 +--- + +# How to get a list of XML elements in + +**Applies to** +- Windows 10 + +Since the Security log uses a manifest, you can get all of the event schema from the workstation. + +Run this from an elevated powershell prompt: + +```powershell +$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing" +``` + +The .events property is a collection of all of the events listed in the manifest on the local machine. +For each event there is a .Template property for the XML template used for the event properties (if there are any.) + +For example: + +```powershell +PS C:\WINDOWS\system32> $SecEvents.events[100] + + +Id : 4734 +Version : 0 +LogLink : System.Diagnostics.Eventing.Reader.EventLogLink +Level : System.Diagnostics.Eventing.Reader.EventLevel +Opcode : System.Diagnostics.Eventing.Reader.EventOpcode +Task : System.Diagnostics.Eventing.Reader.EventTask +Keywords : {} +Template : + +Description : A security-enabled local group was deleted. + + Subject: + Security ID: %4 + Account Name: %5 + Account Domain: %6 + Logon ID: %7 + + Group: + Security ID: %3 + Group Name: %1 + Group Domain: %2 + + Additional Information: + Privileges: %8 + + + +PS C:\WINDOWS\system32> $SecEvents.events[100].Template + + +```
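Review bot: The link text added in the TOC.md hunk, "How to list XML elements in ", stops after "in" with a trailing space, so the TOC entry names no element. The target file name ends in "eventdata", which suggests an element name in angle brackets was intended; written unescaped in Markdown, such a name is treated as an HTML tag and dropped from the rendered text. Escape the angle brackets with backslashes or wrap the element name in backticks. The entry also says "How to list" where the new topic's own title says "How to get a list of"; use one wording in both places.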
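Review bot: In the second code block of the new how-to-list-xml-elements-in-eventdata.md, the `Template :` field is blank and nothing follows the `$SecEvents.events[100].Template` command, so the topic never shows the XML template it sets out to explain. Include the template output for event 4734 so the reader can see which element names correspond to the %1 through %8 placeholders in the description. The same gap appears in the front matter and heading: `title:` and the H1 end at "in " and `description:` ends at "appear in ." with no element name, so the angle brackets need escaping there as well. Minor style points: the variable is assigned as `$secEvents` and then used as `$SecEvents` (PowerShell ignores case, but one spelling reads better), and "powershell" in the prose should be "PowerShell".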