Channel: The Official Scripting Guys Forum! forum

Help With Data Input for Get-WinEvent -FilterXPath


Hello.

I'm having some trouble getting the desired result when parsing event logs from the Security log. I've enabled Windows auditing, and I'm attempting to parse the Access List data as seen under "Accesses" in the log below. Below that photo is the XML data view.

I've gotten as far as being able to perform the following:

Get-WinEvent -FilterXPath "*[System[(EventID='4663')] and EventData[Data[@Name='AccessList']and (Data='%%1537
%%1537
%4423
		
		')]]" -LogName Security  -MaxEvents 1

I've had success with parsing the following log entry to gather when a file is opened/accessed by modifying the syntax; however, with multiple data entries, I can't seem to figure out the formatting to get it to work.

Get-WinEvent -FilterXPath "*[System[(EventID='4663')] and EventData[Data[@Name='AccessList']and Data='%%1538`r`n`t`t`t`t']]" -LogName Security  -MaxEvents 1

So my question is: how do I format my first string of text to get the desired logs for deleted files with auditing turned on? 

Thanks in advance to anyone who can assist.
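
One way to get these events without matching the multi-line AccessList string exactly, as an added example that is not part of the original post: filter on the event ID in XPath, then split AccessList into tokens in PowerShell. It assumes %%1537 (taken from the post) is the token of interest; the -MaxEvents value and the output property names are arbitrary choices.

```powershell
# Added example, not from the original post.
# Assumption: %%1537 (from the post) is the AccessList token to look for.
$wanted = '%%1537'

# Coarse server-side filter: event ID only, so no whitespace-sensitive
# string comparison is needed inside the XPath query.
$xpath = "*[System[(EventID=4663)]]"

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 500 |
    ForEach-Object {
        $evt = $_
        $xml = [xml]$evt.ToXml()

        # Build a name -> value table from the <Data Name="..."> elements.
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # AccessList holds one token per access right, separated by
        # newlines and tabs; split on any whitespace and drop empties.
        $tokens = @($data['AccessList'] -split '\s+' | Where-Object { $_ })

        if ($tokens -contains $wanted) {
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                User        = $data['SubjectUserName']
                Object      = $data['ObjectName']
                Process     = $data['ProcessName']
                AccessList  = $tokens -join ' '
            }
        }
    }
```

Because the comparison is done per token, the match does not depend on how many access rights the event lists or on the trailing line breaks and tabs in the raw value.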


