Sammendrag
Det script, der findes i denne artikel, er et tilbehør til oplysninger om , hvordan du administrerer ændringerne i Netlogon-kanal forbindelser, der er knyttet til CVE-2020-1472. Det angives, som den er.
Scriptet behandler EVTX-filer, der er eksporteret fra Logbog og opretter et Microsoft Excel-regneark med pivottabeller til forskellige problemer og enheder i dit miljø, der udløste begivenhederne. Scriptet kræver PowerShell og Microsoft Excel 2013 eller nyere (64bit anbefales til større datasæt).
Brug
Du skal eksportere EVTX filer fra de domænecontrollere (DC'er), du overvåger for at se de problemer, der er beskrevet i KB4557222. Hvis du vil gøre dette, skal du åbne Logbog ved at markere Start, skrive Logbog og vælge den. Når Logbog åbnes, skal du udvide Windows-loggen, højreklikke på eller lang trykke på systemet og vælge Gem alle begivenheder som... og gemme filen et sted for at tillade behandling af filen.
Scriptet kan behandle mere end én EVTX fil ad gangen, hvis du vil. Scriptet kan tage lang tid at gennemføre på større datasæt. Vi anbefaler også, at du har EVTX filerne lokale på samme enhed, der kører scriptet for at hjælpe med at gøre det hurtigere at behandle filer.
Du skal køre scriptet i en PowerShell-kommandolinje. Det er ikke nødvendigt at køre som administrator. Scriptet vil starte, når du bliver spurgt, om det er nødvendigt, medmindre du angiver det $mcScriptPrompts$false . Hvis EVTX filerne er i samme mappe som scriptet, skal du ikke angive en sti til filerne.
Tilpasning af scriptet
Variabel |
Beskrivelse |
$mcScriptPrompts |
Værdier $true,$false Beskriv Standardværdien er $true og vil kræve input/interaktion fra brugeren. Kan angives til, $false Hvis EVTX filerne er i samme mappe som scriptet, og alle andre indstillinger køres som standard. |
$mcMaxExport |
Standardværdi: 50000 Beskriv Med standardindstillingerne stopper scriptet behandlingen af hver fil, EVTX efter du eksporterer 50000 begivenheder til CSV filer. Hvis du modtager fejl, der er relateret til hukommelse fra Microsoft Excel, skal du sænke dette tal eller ændre, hvilke data der behandles, f. eks $mcStartTime . at ændre. |
$mcMaxImport |
Standardværdi: 50000 Beskriv Med standardindstillingerne afbryder scriptet forsøget på at behandle hændelser efter den aktuelle CSV-fil, der behandles, når den finder det maksimale antal hændelser 50000. Det betyder, at når der søges efter det maksimale antal hændelser, fuldføres den aktuelle CSV fil, den er startet, men behandlingen af en ny fil kan ikke startes CSV . |
$mcStartTime |
Standardværdi: '2020/05/26 11:06' Beskriv Denne variabel giver dig mulighed for at angive et starttidspunkt, og scriptet kun behandler begivenheder efter denne dato og et klokkeslæt. Hvis du allerede har rettet enheder op til et bestemt tidspunkt, kan du kun målrette de begivenheder, du endnu ikke har løst. |
$mcMaxThreads |
Standardværdi: 4 Beskriv Denne variabel giver dig mulighed for at øge eller mindske antallet af tråde, der bruges under import af begivenheder fra EVXT filer til CSV filer. |
Skrive
Nedenfor finder du det PowerShell-script, som du kan bruge, når du har tilpasset dit miljø. Du skal kopiere og indsætte dette script i en CVE-2020-1472EventReader.ps1 fil på den enhed, du bruger til at behandle begivenhederne.
# ---------------------------------
# CVE-2020-1472 Event Reader v1.0 8/4/2020
# This script will:
# 1. Scan system evtx in input file folder for event 5827, 5828,5829,5830 and 5831, exact data fields, export to 582#-*.CSV.
# 2. Calls Excel to import resulting 582#-*.CSV, create pivot tables for common secure RPC analysis scenarios. Delete 582#-*.CSV afterward.
# Feel free to modify to fit your need.
# ---------------------------------
# Script requires Excel 2013 or later.
# 64 bits Excel will allow creation of larger data import to XLS.
# ---------------------------------
# To use the script:
# 1. Save system log as system.evtx to file.
# 2. Follow on screen prompt to enter Path containing *.evtx and final xlsx.
#
# More info https://support.microsoft.com/kb/4557222
#---------------------------------------
#Script Globals/ Tuning variables.
#---------------------------------------
# - $mcScriptPrompts > when set to $false, script will process all evtx in the script file folder without prompting. Good for dropping evtx, right-click script to "Run with powershell"
# - $mcMaxExport > max events to export per EVTX, set to low number for quick sample/spot checks.
# - $mcMaxImport > max events to import into excel, script will finish current file and stop importing next file(s). Set to lower number if Excel is returning memory error during import.
# - $mcStartTime > Earliest event to export, in the form of 'yyyy/MM/dd HH:mm', where HH 13 is 1pm, example: '2017/05/26 13:01'. Use this to filter progress.
# - $mcMaxThreads > max number of evtx files to export at the same time. 4 default, set to 8 and experiment if you have fast SSD HDD.
#
# Script variables block, modify to fit your need ---------------------------------------------------------------------
$mcScriptPrompts = $True #Script default, $false for non-interactive input & output.
$mcMaxExport = 50000 #50000 Max events to export per each EVTX, modify this if we are getting Excel memory error (or we just need first few evt for samples)
$mcMaxImport = 50000 #50000 max events to import into excel, ##NOTE##: Once maxed out, script will finish current import file and stop future import(s).
$mcStartTime = '2020/05/26 11:06' #Earliest 582* event to export, in the form of 'yyyy/MM/dd HH:mm', where HH 13 is 1pm, example: '2020/05/26 11:06' will list events starting 05/26 11:06, use this to filter new events.
$mcMaxThreads = 4 #Max concurrent Evt to CSV export threads (jobs)
# Internal values init, do not modify -------------------------------------------------------------------------------------
$mcCSVImport = $true
$mcEvtPath = $null
$mcStartTime=[datetime]::ParseExact($mcStartTime,'yyyy/MM/dd HH:mm',$null) #Convert string to timestamp
$mcProgressBarDelay = 0 #Delay in seconds after each ProgressBar update
#----Functions--------------------------
Function mcSetPivotField($mcPivotFieldSetting) { #Set pivot field attributes per MSDN https://msdn.microsoft.com/en-us/library/office/ff820762.aspx
if ($mcPivotFieldSetting[1] -ne $null) { $mcPivotFieldSetting[0].Orientation = $mcPivotFieldSetting[1]} # 1 Orientation { $xlRowField | $xlDataField |$xlColumnField }, in XlPivotFieldOrientation
if ($mcPivotFieldSetting[2] -ne $null) { $mcPivotFieldSetting[0].NumberFormat = $mcPivotFieldSetting[2]} # 2 NumberFormat { $mcNumberF | $mcPercentF }
if ($mcPivotFieldSetting[3] -ne $null) { $mcPivotFieldSetting[0].Function = $mcPivotFieldSetting[3]} # 3 Function { $xlAverage | $xlSum | $xlCount }, in XlConsolidationFunction
if ($mcPivotFieldSetting[4] -ne $null) { $mcPivotFieldSetting[0].Calculation = $mcPivotFieldSetting[4]} # 4 Calculation { $xlPercentOfTotal | $xlPercentRunningTotal }, in XlPivotFieldCalculation
if ($mcPivotFieldSetting[5] -ne $null) { $mcPivotFieldSetting[0].BaseField = $mcPivotFieldSetting[5]} # 5 BaseField <String>
if ($mcPivotFieldSetting[6] -ne $null) { $mcPivotFieldSetting[0].Name = $mcPivotFieldSetting[6]} # 6 Name <String>
if ($mcPivotFieldSetting[7] -ne $null) { $mcPivotFieldSetting[0].Position = $mcPivotFieldSetting[7]} # 7 Position
}
Function mcSetPivotTableFormat($mcPivotTable) { # Set pivotTable cosmetics and sheet name
$mcPT=$mcPivotTable[0].PivotTables($mcPivotTable[1])
$mcPT.HasAutoFormat = $False #2.turn of AutoColumnWidth
for ($i=2; $i -lt 9; $i++) { #3. SetColumnWidth for Sheet($mcPivotTable[0]),PivotTable($mcPivotTable[1]),Column($mcPivotTable[2-8])
if ($mcPivotTable[$i] -ne $null) { $mcPivotTable[0].columns.item(($i-1)).columnWidth = $mcPivotTable[$i]}
}
$mcPivotTable[0].Application.ActiveWindow.SplitRow = 3
$mcPivotTable[0].Application.ActiveWindow.SplitColumn = 2
$mcPivotTable[0].Application.ActiveWindow.FreezePanes = $true #1.Freeze R1C1
$mcPivotTable[0].Cells.Item(1,1)="Filter"
$mcPivotTable[0].Cells.Item(3,1)=$mcPivotTable[9] #4 set TXT at R3C1 with PivotTableName$mcPivotTable[9]
$mcPivotTable[0].Name=$mcPivotTable[10] #5 Set Sheet Name to $mcPivotTable[10]
$mcRC = ($mcPivotTable[0].UsedRange.Cells).Rows.Count-1
if ($mcPivotTable[11] -ne $null) { # $mcPivotTable[11] Set ColorScale
$mColorScaleRange='$'+$mcPivotTable[11]+'$4:$'+$mcPivotTable[11]+'$'+$mcRC
[Void]$mcPivotTable[0].Range($mColorScaleRange).FormatConditions.AddColorScale(3) #$mcPivotTable[11]=ColorScale
$mcPivotTable[0].Range($mColorScaleRange).FormatConditions.item(1).ColorScaleCriteria.item(1).type = 1 #xlConditionValueLowestValue
$mcPivotTable[0].Range($mColorScaleRange).FormatConditions.item(1).ColorScaleCriteria.item(1).FormatColor.Color = 8109667
$mcPivotTable[0].Range($mColorScaleRange).FormatConditions.item(1).ColorScaleCriteria.item(2).FormatColor.Color = 8711167
$mcPivotTable[0].Range($mColorScaleRange).FormatConditions.item(1).ColorScaleCriteria.item(3).type = 2 #xlConditionValueHighestValue
$mcPivotTable[0].Range($mColorScaleRange).FormatConditions.item(1).ColorScaleCriteria.item(3).FormatColor.Color = 7039480
}
if ($mcPivotTable[12] -ne $null) { # $mcPivotTable[12] Set DataBar
$mcDataBarRange='$'+$mcPivotTable[12]+'$4:$'+$mcPivotTable[12]+'$'+$mcRC
[void]$mcPivotTable[0].Range($mcDataBarRange).FormatConditions.AddDatabar() #$mcPivotTable[12]:Set DataBar
}
}
Function mcSortPivotFields($mcPF) { #Sort on $mcPF and collapse later pivot fields
for ($i=2; $i -lt 5; $i++) { #collapse later pivot fields
if ($mcPF[$i] -ne $null) {
$mcPF[$i].showDetail = $false
}
}
[void]($mcPF[0].Cells.Item(4, 2)).sort(($mcPF[0].Cells.Item(4, 2)), 2)
[void]($mcPF[0].Cells.Item(4, 1)).sort(($mcPF[0].Cells.Item(4, 1)), 1)
}
Function mcSetPivotTableHeaderColor($mcSheet) { #Set PiviotTable Header Color for easier reading
for ($i=1; $i -lt 5; $i++) { #Set header(s) color
if ($mcSheet[$i] -ne $null) { $mcSheet[0].Range(($mcSheet[$i]+"3")).interior.Colorindex = 37 }
}
}
#----Main---------
#---- script info-------
$mcScriptPath = Split-Path ((Get-Variable MyInvocation -Scope 0).Value).MyCommand.Path
if ($mcScriptPrompts) { #Interactive mcScriptPrompts
$mcEvtPath = Read-Host "Enter local, mapped or UNC path to saved system evtx or previously generated 582-*.csv. Be sure to remove trailing blank. For Example (c:\EventData)`n Or press [Enter] if script is in the same file folder as evtx or csv.`n"
if ($mcEvtPath -eq '') { #If there is no Path entered, we will use the same file folder as script path.
$mcEvtPath= $mcScriptPath
Write-Output "No path entered, default to " $mcEvtPath
}
} else {
$mcEvtPath= $mcScriptPath #Non-interactive script uses script path for Event path
}
#---- Export evtx to CSV---------------------------------------------------
Write-Output 'Convert evtx to csv.'
$mcFiles = Get-ChildItem -Path $mcEvtPath | Where {$_.name -clike '*.evtx'}
ForEach ($mcFile in $mcFiles) { #Loop through *.evtx
$mcFile | Add-Member -MemberType NoteProperty -Name MaxEvents -force -Value $mcMaxExport
$mcFile | Add-Member -MemberType NoteProperty -Name StartTime -force -Value $mcStartTime
#Job [ #Job start code 1
Start-Job -ArgumentList (,$mcFile) -ScriptBlock { #Start-Job for reading each files
param ($mcFile)
#Job ]
Write-Output "Reading $mcFile"
$mc582s = Get-WinEvent -FilterHashtable @{Path=$mcfile.FullName; LogName="System"; Level=3,4; StartTime=$mcFile.StartTime; id=5827,5828,5829,5830,5831} -MaxEvents $mcFile.MaxEvents -ErrorAction SilentlyContinue
If ($mc582s -ne $null) {
$mcOutFile = $mcFile.DirectoryName+'\582-'+$mcFile.Name+'.csv'
Write-Output " Event 5826-28 found, generating $mcOutFile"
$mc582sOut = @() #Array for exporting CSV items
ForEach ($mc582 in $mc582s) {
$mcObject = New-Object System.Object
$mcObject | Add-Member -MemberType NoteProperty -Name EventSource -force -value $mc582.MachineName
$mcObject | Add-Member -MemberType NoteProperty -Name EventTime -force -value $mc582.TimeCreated
$mcObject | Add-Member -MemberType NoteProperty -Name EventID -force -value $mc582.ID
switch ($mc582.ID) {
5827 { #Denided Unsecure RPC machine client
$mcObject | Add-Member -MemberType NoteProperty -Name NRPCType -force -value '2 - Denied Unsecure NRPC Evt:5827,5828'
$mcObject | Add-Member -MemberType NoteProperty -Name Name -force -value $mc582.Properties[0].value
$mcObject | Add-Member -MemberType NoteProperty -Name DomainName -force -value $mc582.Properties[1].value
$mcObject | Add-Member -MemberType NoteProperty -Name AccountType -force -value $mc582.Properties[2].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOS -force -value $mc582.Properties[3].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsBuild -force -value $mc582.Properties[4].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsServicePack -force -value $mc582.Properties[5].value
}
5829 { #Temp Allowed Unsecure RPC machine client
$mcObject | Add-Member -MemberType NoteProperty -Name NRPCType -force -value '1 - TempAllowed Unsecure NRPC Evt:5829'
$mcObject | Add-Member -MemberType NoteProperty -Name Name -force -value $mc582.Properties[0].value
$mcObject | Add-Member -MemberType NoteProperty -Name DomainName -force -value $mc582.Properties[1].value
$mcObject | Add-Member -MemberType NoteProperty -Name AccountType -force -value $mc582.Properties[2].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOS -force -value $mc582.Properties[3].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsBuild -force -value $mc582.Properties[4].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsServicePack -force -value $mc582.Properties[5].value
}
5830 { #Allowed Unsecure RPC machine client
$mcObject | Add-Member -MemberType NoteProperty -Name NRPCType -force -value '3 - Allowed Unsecure NRPC Evt:5830,5831'
$mcObject | Add-Member -MemberType NoteProperty -Name Name -force -value $mc582.Properties[0].value
$mcObject | Add-Member -MemberType NoteProperty -Name DomainName -force -value $mc582.Properties[1].value
$mcObject | Add-Member -MemberType NoteProperty -Name AccountType -force -value $mc582.Properties[2].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOS -force -value $mc582.Properties[3].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsBuild -force -value $mc582.Properties[4].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsServicePack -force -value $mc582.Properties[5].value
}
5828 { #Temp Allowed Unsecure RPC trust
$mcObject | Add-Member -MemberType NoteProperty -Name NRPCType -force -value '2 - Denied Unsecure NRPC Evt:5827,5828'
$mcObject | Add-Member -MemberType NoteProperty -Name Name -force -value $mc582.Properties[1].value
$mcObject | Add-Member -MemberType NoteProperty -Name DomainName -force -value $mc582.Properties[2].value
$mcObject | Add-Member -MemberType NoteProperty -Name AccountType -force -value $mc582.Properties[0].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOS -force -value 'Domain Trust'
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsBuild -force -value 'N/A'
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsServicePack -force -value 'N/A'
}
5831 { #Allowed Unsecure RPC trust
$mcObject | Add-Member -MemberType NoteProperty -Name NRPCType -force -value '3 - Allowed Unsecure NRPC Evt:5830,5831'
$mcObject | Add-Member -MemberType NoteProperty -Name Name -force -value $mc582.Properties[1].value
$mcObject | Add-Member -MemberType NoteProperty -Name DomainName -force -value $mc582.Properties[2].value
$mcObject | Add-Member -MemberType NoteProperty -Name AccountType -force -value $mc582.Properties[0].value
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOS -force -value 'Domain Trust'
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsBuild -force -value 'N/A'
$mcObject | Add-Member -MemberType NoteProperty -Name MachineOsServicePack -force -value 'N/A'
}
}
$mcObject.Name = $mcObject.Name.Trim()
$mcObject.DomainName = $mcObject.DomainName.Trim()
$mcObject.AccountType = $mcObject.AccountType.Trim()
$mcObject.MachineOS = $mcObject.MachineOS.Trim()
$mcObject.MachineOsBuild = $mcObject.MachineOsBuild.Trim()
$mcObject.MachineOsServicePack = $mcObject.MachineOsServicePack.Trim()
$mc582sOut += $mcObject
}
$mc582sout | ConvertTo-Csv -NoTypeInformation | Out-File $mcOutFile
}
#Job [ # Maxthread code 2/3
} | Out-Null #Job output
Write-Output " Processing: $mcFile"
While((Get-Job -State 'Running').Count -ge $mcMaxThreads) { Start-Sleep -Milliseconds 10 } # Pause, only run $mcMaxThreads number of jobs.
#Job ]
}
#Job [ # Job clean out code 3/3
While((Get-Job -State 'Running').Count -gt 0) {
Write-Progress -Activity "Exporting evtx" -PercentComplete ((($mcfiles.Count-(Get-Job -State 'Running').Count)/$mcfiles.Count)*100)
Start-Sleep -Milliseconds 10
} # wait for last job to complete
#Get-Job | Receive-Job
Get-Job -State Completed | Remove-Job
#Job ]
#---- Import csv to excel-----------------------------------------------------
if ($mcCSVImport -eq $true) { #Debug only, perforem CSV to Excel import
$mcFiles = Get-ChildItem -Path $mcEvtPath | Where {$_.name -clike '582-*.csv'}
If ($mcFiles -ne $null) { #Create a new Excel workbook if there are CSV in directory.
cd $mcEvtPath #for Import-Csv to read all files.
$mcObject = Import-Csv $mcfiles -Delimiter ','
cd $mcScriptPath #Back to script path
#Write-Output 'Import csv to excel.'
$mcExcel = New-Object -ComObject excel.application
$mcWorkbooks = $mcExcel.Workbooks.Add()
$Sheet1 = $mcWorkbooks.worksheets.Item(1)
$mcCurrentRow = $mcFileProcessed = 1
ForEach ($mcFile in $mcFiles) { #Define Excel TXT connector and import/append
Write-Progress -Activity "Importing $mcFile" -PercentComplete (($mcFileProcessed/$mcfiles.Count)*100)
Sleep $mcProgressBarDelay
$mcFileProcessed=$mcFileProcessed+1
if ($mcCurrentRow -le $mcMaxImport){ #Import only up to $mcMaxImport number of records.
$mcConnector = $Sheet1.QueryTables.add(("TEXT;" + $mcEvtPath+'\'+$mcFile),$Sheet1.Range(('a'+($mcCurrentRow))))
$Sheet1.QueryTables.item($mcConnector.name).TextFileCommaDelimiter = $True
$Sheet1.QueryTables.item($mcConnector.name).TextFileParseType = 1
[void]$Sheet1.QueryTables.item($mcConnector.name).Refresh()
if ($mcCurrentRow -ne 1) { [void]($Sheet1.Cells.Item($mcCurrentRow,1).entireRow).delete()} # Delete header on 2nd and later CSV.
$mcCurrentRow = $Sheet1.UsedRange.EntireRow.Count+1
} else {
Write-Output " *** Max [ $mcMaxImport ] import events reached, skipping: $mcfile"
}
}
#---- Customize XLS, Excel Globals--------------------------------------------------------
#Write-Output 'Customizing XLS.' #https://msdn.microsoft.com/en-us/library/bb241425(v=office.12).aspx, https://msdn.microsoft.com/en-us/library/office/ff838592.aspx
$xlRowField = 1 #XlPivotFieldOrientation
$xlPageField = 3 #XlPivotFieldOrientation
$xlDataField = 4 #XlPivotFieldOrientation
$xlColumnField = 2 #XlPivotFieldOrientation
$xlAverage = -4106 #XlConsolidationFunction
$xlSum = -4157 #XlConsolidationFunction
$xlCount = -4112 #XlConsolidationFunction
$xlPercentOfTotal = 8 #XlPivotFieldCalculation
$xlPercentRunningTotal = 13 #XlPivotFieldCalculation
$mcNumberF = "###,###,###,###,###"
$mcPercentF = "#0.00%"
$mcDateF = "yyyy/m/d h:mm"
$mcDateGroupFlags=($false, $false, $true, $true, $true, $false, $false) # Months, Days, Hours, https://msdn.microsoft.com/en-us/library/office/ff839808.aspx
#-------#Sheet1 - RawData---------------------------------------------------------------
$Sheet1.Range("A1").Autofilter() | Out-Null
$Sheet1.Application.ActiveWindow.SplitRow = 1
$Sheet1.Application.ActiveWindow.FreezePanes = $true
#Write-Output 'Tab 0.5826, 5827, 5828 events imported'
Write-Progress -Activity "Created 0.Raw RPC events Tab" -PercentComplete 30
Sleep $mcProgressBarDelay
#-------#Sheet2 - PivotTable1---------------------------------------------------------------
$Sheet2 = $mcWorkbooks.Worksheets.add()
$PivotTable1 = $mcWorkbooks.PivotCaches().Create(1,"Sheet1!R1C1:R$($Sheet1.UsedRange.Rows.count)C$($Sheet1.UsedRange.Columns.count)",5) # xlDatabase=1 xlPivotTableVersion15=5 Excel2013
$PivotTable1.CreatePivotTable("Sheet2!R1C1") | Out-Null
$mcPF00 = $Sheet2.PivotTables("PivotTable1").PivotFields("EventSource")
mcSetPivotField($mcPF00, $xlPageField, $null, $null, $null, $null, $null)
$mcPF0 = $Sheet2.PivotTables("PivotTable1").PivotFields("NRPCType")
mcSetPivotField($mcPF0, $xlRowField, $null, $null, $null, $null, $null)
$mcPF1 = $Sheet2.PivotTables("PivotTable1").PivotFields("MachineOS")
mcSetPivotField($mcPF1, $xlRowField, $null, $null, $null, $null, $null)
$mcPF2 = $Sheet2.PivotTables("PivotTable1").PivotFields("DomainName")
mcSetPivotField($mcPF2, $xlRowField, $null, $null, $null, $null, $null)
$mcPF3 = $Sheet2.PivotTables("PivotTable1").PivotFields("Name")
mcSetPivotField($mcPF3, $xlRowField, $null, $null, $null, $null, $null)
$mcPF = $Sheet2.PivotTables("PivotTable1").PivotFields("EventTime")
mcSetPivotField($mcPF, $xlDataField, $mcNumberF, $null, $null, $null, "Event Count",1)
mcSetPivotTableFormat($Sheet2, "PivotTable1", 60, 15, $null, $null, $null, $null, $null,"NRPC Type", "1.OS,Domain,Client", $null, $null)
mcSortPivotFields($sheet2,$mcPF,$mcPF0)
mcSetPivotTableHeaderColor($Sheet2, "A")
$Sheet2.Cells.Item(1,1).Formula='Source DC'
#Write-Output ' Tab 1.NRPCType-OS,Domain,Client Done'
Write-Progress -Activity "Created Tab 1.NRPCType-OS,Domain,Client pivot table" -PercentComplete 60
Sleep $mcProgressBarDelay
#-------#Sheet3 - PivotTable2---------------------------------------------------------------
$Sheet3 = $mcWorkbooks.Worksheets.add()
$PivotTable2 = $mcWorkbooks.PivotCaches().Create(1,"Sheet1!R1C1:R$($Sheet1.UsedRange.Rows.count)C$($Sheet1.UsedRange.Columns.count)",5) # xlDatabase=1 xlPivotTableVersion15=5 Excel2013
$PivotTable2.CreatePivotTable("Sheet3!R1C1") | Out-Null
$mcPF00 = $Sheet3.PivotTables("PivotTable2").PivotFields("EventSource")
mcSetPivotField($mcPF00, $xlPageField, $null, $null, $null, $null, $null)
$mcPF0 = $Sheet3.PivotTables("PivotTable2").PivotFields("NRPCType")
mcSetPivotField($mcPF0, $xlRowField, $null, $null, $null, $null, $null)
$mcPF1 = $Sheet3.PivotTables("PivotTable2").PivotFields("DomainName")
mcSetPivotField($mcPF1, $xlRowField, $null, $null, $null, $null, $null)
$mcPF2 = $Sheet3.PivotTables("PivotTable2").PivotFields("Name")
mcSetPivotField($mcPF2, $xlRowField, $null, $null, $null, $null, $null)
$mcPF = $Sheet3.PivotTables("PivotTable2").PivotFields("EventTime")
mcSetPivotField($mcPF, $xlDataField, $mcNumberF, $null, $null, $null, "Event Count",1)
mcSetPivotTableFormat($Sheet3, "PivotTable2", 60, 15, $null, $null, $null, $null, $null,"NRPC Type", "2.Domain,Client", $null, $null)
mcSortPivotFields($Sheet3,$mcPF,$mcPF0)
mcSetPivotTableHeaderColor($Sheet3, "A")
$Sheet3.Cells.Item(1,1).Formula='Source DC'
#Write-Output ' Tab 2.NRPCType-Domain,Client Done'
Write-Progress -Activity "Created Tab 2.NRPCType-Domain,Client pivot table" -PercentComplete 90
Sleep $mcProgressBarDelay
#-------#$Sheet4 - $PivotTable3---------------------------------------------------------------
$Sheet4 = $mcWorkbooks.Worksheets.add()
$PivotTable3 = $mcWorkbooks.PivotCaches().Create(1,"Sheet1!R1C1:R$($Sheet1.UsedRange.Rows.count)C$($Sheet1.UsedRange.Columns.count)",5) # xlDatabase=1 xlPivotTableVersion15=5 Excel2013
$PivotTable3.CreatePivotTable("Sheet4!R1C1") | Out-Null
$Sheet4.name = "3.CustomPivot"
#Set Sort sheet names in reverse
$Sheet1.Name = "0.Raw RPC events"
$Sheet2.Tab.ColorIndex = $Sheet3.Tab.ColorIndex =35
$mcWorkSheetNames = New-Object System.Collections.ArrayList
foreach ($mcWorkSheet in $mcWorkbooks.Worksheets) { $mcWorkSheetNames.add($mcWorkSheet.Name) | Out-null }
$mctmp = $mcWorkSheetNames.Sort() | Out-Null
For ($i=0; $i -lt $mcWorkSheetNames.Count-1; $i++){ #Sort name.
$mcTmp = $mcWorkSheetNames[$i]
$mcBefore = $mcWorkbooks.Worksheets.Item($mcTmp)
$mcAfter = $mcWorkbooks.Worksheets.Item($i+1)
$mcBefore.Move($mcAfter)
}
$Sheet1.Activate()
Write-Progress -Activity "Creating Excel sheets" -PercentComplete 100
Sleep $mcProgressBarDelay
if ($mcScriptPrompts) { #SaveAsFile
$mcFileName = Read-Host "Enter a FileName to save extracted event 582 xlsx.`n"
if ($mcFileName) {
Write-Output "Saving file to $mcEvtPath\$mcFileName.xlsx"
$mcWorkbooks.SaveAs($mcEvtPath+'\'+$mcFileName)
}
$mcCleanup = Read-Host "Delete 582-*.CSV? ([Enter]/[Y] to delete, [N] to keep csv)`n"
if ($mcCleanup -ne 'N') {
Get-ChildItem -Path $mcEvtPath | Where {$_.name -clike '582-*.csv'} | foreach ($_) {
Remove-Item $mcEvtPath'\'$_
Write-Output " $_ deleted."
}
}
}
$mcExcel.visible = $true
} else { #end of mcFiles
Write-Output " No 582-*.csv found in specified $mcEvtPath."
}
}
Write-Output 'Script completed.'