Count Unique EventData elements from Windows Event Log

September 19, 2014, 8:04 am

≫ Next: ActiveDirectory module, how to authenticate to an outside AD environment?

≪ Previous: List all running scheduled tasks on local/remote machine

$global:imagenames = @()
$Events = Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational
ForEach($event in $Events){
    $eventxmldata = [xml]$event.toxml()
    $EventData = $eventxmldata.Event.EventData.Data
    $Image =$EventData | where {$_.name -eq "Image"}
    $global:imagenames += $Image."#text"
    }
$global:imagenames|group |sort-object -property count –descending|Select-Object count,name

Here is what I have thrown together. It works but it takes forever and I can't help but think there is a better/faster way to count the unique data elements inside EventData.
Anybody got any thoughts?
***Disclaimer*** pretty new to powershell. I think I am looking for a better way to reference the data without having to chuck it into a separate array.

↧