Which of two Event IDs is the latest to occur in EventViewer

  • Question

  • We use Crowdstrike for malware protection and one function we use at times is Containment which quarantines a machine from network resources. I have the following working for me to get the two event IDs related to Containment but what I would like to do is get the status of the machine by knowing which of the two IDs was the last entry. Contained = 5, Online = 6. Based on the output below the machine is Online. Ideally what I would want is something like "if last entry = 6 then machine is online" or "if last entry = 5 then machine is offline". Any ideas on how to accomplish this?

    $CSCstatus = Get-WinEvent -LogName 'CrowdStrike-Falcon Sensor-CSFalconService/Operational' | Where-Object {$_.Id -like "5" -or $_.Id -like "6"}
    $CSCstatus

       ProviderName: CrowdStrike-Falcon Sensor-CSFalconService

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    2/6/2019 9:52:23 AM              6 Information      Your computer is back online.
    2/5/2019 10:44:05 PM             5 Warning          Your computer is offline to keep it safe. Please contact IT for more information.
    2/5/2019 4:29:19 PM              6 Information      Your computer is back online.
    2/5/2019 4:24:09 PM              5 Warning          Your computer is offline to keep it safe. Please contact IT for more information.



    • Edited by DexterRivera Thursday, February 14, 2019 11:14 PM
    Thursday, February 14, 2019 11:07 PM

Answers

  • To get the last event of multiple event ids do this:

    Get-WinEvent -FilterHashTable @{LogName='CrowdStrike-Falcon Sensor-CSFalconService/Operational';ID=5,6} -MaxEvents 1

    It will find the first match and return only that record.


    \_(ツ)_/


    • Edited by jrv Thursday, February 14, 2019 11:34 PM
    • Marked as answer by DexterRivera Friday, February 15, 2019 12:39 AM
    Thursday, February 14, 2019 11:33 PM

All replies

  • Use "-MaxEvents 1" to get the latest occurrence.

    Get-WinEvent -FilterHashTable @{LogName='CrowdStrike-Falcon Sensor-CSFalconService/Operational';ID=5} -MaxEvents 1
    Get-WinEvent -FilterHashTable @{LogName='CrowdStrike-Falcon Sensor-CSFalconService/Operational';ID=6} -MaxEvents 1


    \_(ツ)_/


    • Edited by jrv Thursday, February 14, 2019 11:18 PM
    Thursday, February 14, 2019 11:17 PM
  • Using that gives me the latest occurrence of that particular ID but it doesn't tell me which one was the last event. In the output I have above the last event was on 2/6/2019 with ID = 6 with the previous being 5. Visually I can see that 6 was the latest but I want to automate some steps based on the PowerShell query I am working on.
    Thursday, February 14, 2019 11:29 PM
  • That was it.  Thanks for the tip.  Now I can use the following:

    $CSCquery = Get-WinEvent -FilterHashTable @{LogName='CrowdStrike-Falcon Sensor-CSFalconService/Operational';ID=5,6} -MaxEvents 1
    $CSCstatus = $CSCquery.Id
    If($CSCstatus -eq "5")
    {
        Write-Host "CONTAINED (Offline), run contained action"
    }
    Else
    {
        Write-Host "ONLINE, run online action"
    }

    Friday, February 15, 2019 12:42 AM
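Putting the accepted answer and the final script together, as an added example that is not from the thread: a function that returns a state object instead of printing, and that handles the case the thread does not cover, a machine with no ID 5/6 events yet (or no Falcon log at all), which Get-WinEvent otherwise reports as an error. The function name and the 'Unknown' state are my own choices.

```powershell
# Added example (not from the thread). Event ID meaning as given in the question:
# 5 = machine contained (offline), 6 = machine back online.
function Get-FalconContainmentState {
    [CmdletBinding()]
    param(
        [string]$LogName = 'CrowdStrike-Falcon Sensor-CSFalconService/Operational'
    )

    # Map event ID to a state name
    $stateById = @{ 5 = 'Contained'; 6 = 'Online' }

    try {
        # Get-WinEvent returns newest first, so -MaxEvents 1 with both IDs in the
        # filter yields whichever of 5 or 6 was written last (the accepted answer).
        $latest = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 5, 6 } `
                               -MaxEvents 1 -ErrorAction Stop
    }
    catch {
        # "No events were found ..." (never contained) or the log does not exist
        # (sensor not installed). Surface that as Unknown rather than assuming Online.
        return [pscustomobject]@{
            State       = 'Unknown'
            Id          = $null
            TimeCreated = $null
            Reason      = $_.Exception.Message
        }
    }

    [pscustomobject]@{
        State       = $stateById[[int]$latest.Id]
        Id          = $latest.Id
        TimeCreated = $latest.TimeCreated
        Reason      = $latest.Message
    }
}

# Branch on the returned state, as the final script in the thread does
$status = Get-FalconContainmentState
switch ($status.State) {
    'Contained' { Write-Host "CONTAINED (Offline) since $($status.TimeCreated), run contained action" }
    'Online'    { Write-Host "ONLINE since $($status.TimeCreated), run online action" }
    default     { Write-Warning "Containment state unknown: $($status.Reason)" }
}
```

Unlike the Where-Object version in the question, -FilterHashtable filters inside the event log service, so the whole Operational log is not pulled into PowerShell just to keep one record.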