├── .gitignore
├── LICENSE
├── README.md
├── SECURITY.md
├── posh-cef.psd1
├── posh-cef.psm1
└── test
    └── posh-cef.Tests.ps1

/.gitignore:
--------------------------------------------------------------------------------

*.json

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Contributing

This project welcomes contributions and suggestions.
Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------

## Security

Microsoft takes the security of our software products and services seriously. This includes all source code repositories managed through our GitHub organizations, among them [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our other GitHub organizations](https://opensource.microsoft.com/).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).

--------------------------------------------------------------------------------
/posh-cef.psd1:
--------------------------------------------------------------------------------
#
# Module manifest for module 'posh-cef'
#
# Generated by: Jared Poeppelman, Microsoft
#
# Generated on: 8/10/2017
#

@{

# Script module or binary module file associated with this manifest.
RootModule = 'posh-cef.psm1'

# Version number of this module.
ModuleVersion = '0.9.0'

# Supported PSEditions
# CompatiblePSEditions = @()

# ID used to uniquely identify this module
GUID = '6b923935-19ae-485a-9334-8fbb710dfcae'

# Author of this module
Author = 'Jared Poeppelman (powershellshock)'

# Company or vendor of this module
CompanyName = 'Microsoft Corporation'

# Copyright statement for this module
Copyright = '(c) 2017 Microsoft. All rights reserved.'

# Description of the functionality provided by this module
Description = 'Powershell module for creating Common Event Format (CEF) messages'

# Minimum version of the Windows PowerShell engine required by this module
# PowerShellVersion = ''

# Name of the Windows PowerShell host required by this module
# PowerShellHostName = ''

# Minimum version of the Windows PowerShell host required by this module
# PowerShellHostVersion = ''

# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
# DotNetFrameworkVersion = ''

# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
# CLRVersion = ''

# Processor architecture (None, X86, Amd64) required by this module
# ProcessorArchitecture = ''

# Modules that must be imported into the global environment prior to importing this module
# RequiredModules = @()

# Assemblies that must be loaded prior to importing this module
# RequiredAssemblies = @()

# Script files (.ps1) that are run in the caller's environment prior to importing this module.
# ScriptsToProcess = @()

# Type files (.ps1xml) to be loaded when importing this module
# TypesToProcess = @()

# Format files (.ps1xml) to be loaded when importing this module
# FormatsToProcess = @()

# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
# NestedModules = @()

# Functions to export from this module. For best performance, do not use wildcards and do not delete the entry; use an empty array if there are no functions to export.
FunctionsToExport = 'New-CEFMessage'

# Cmdlets to export from this module. For best performance, do not use wildcards and do not delete the entry; use an empty array if there are no cmdlets to export.
CmdletsToExport = @()

# Variables to export from this module
VariablesToExport = @()

# Aliases to export from this module. For best performance, do not use wildcards and do not delete the entry; use an empty array if there are no aliases to export.
AliasesToExport = @()

# DSC resources to export from this module
# DscResourcesToExport = @()

# List of all modules packaged with this module
# ModuleList = @()

# List of all files packaged with this module
# FileList = @()

# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
PrivateData = @{

    PSData = @{

        # Tags applied to this module. These help with module discovery in online galleries.
        # Tags = @()

        # A URL to the license for this module.
        # LicenseUri = ''

        # A URL to the main website for this project.
        # ProjectUri = ''

        # A URL to an icon representing this module.
        # IconUri = ''

        # ReleaseNotes of this module
        # ReleaseNotes = ''

    } # End of PSData hashtable

} # End of PrivateData hashtable

# HelpInfo URI of this module
# HelpInfoURI = ''

# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''

}

--------------------------------------------------------------------------------
/posh-cef.psm1:
--------------------------------------------------------------------------------

enum CEF_Ext_Device_Direction {
    inbound
    outbound
}

enum CEF_Ext_Event_Type {
    Base
    Aggregated
    Correlation
    Action
}

function Format-MacAddress {
    [CmdletBinding()]
    [OutputType([string])]
    Param
    (
        # MAC address to be formatted. Can be colon/hyphen/space delimited or not delimited
        [Parameter(Mandatory = $true,
            ValueFromPipeline = $true,
            Position = 0)]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 17)]
        # Exactly twelve hex digits must remain once the permitted separators are stripped
        # (the pattern is a string literal; a script block here would only work by implicit conversion)
        [ValidateScript( { ($_ -replace '[-: ]', '') -match '^[A-Fa-f0-9]{12}$' })]
        [Alias("MacAddress", "PhysicalAddress")]
        [string]
        $Address,

        # Optional separator character to use (can be colon ':', hyphen '-', or space ' '). If not specified, no separator will be used.
        # Typed as [string] rather than [char]: an unbound [char] parameter defaults to [char]0,
        # which would join the octets with NUL bytes instead of no separator at all.
        [Parameter(Mandatory = $false,
            Position = 1)]
        [ValidateSet(':', '-', ' ')]
        [string]
        $Separator,

        # Specify output in all upper/lower case
        [Parameter(Mandatory = $false,
            Position = 2)]
        [ValidateSet('Upper', 'Lower')]
        [string]
        $Case
    )
    Begin {}

    Process {
        If ($Case -eq 'Upper') {
            $Address = $Address.ToUpper()
            Write-Verbose "Format-MacAddress: Upper case was enforced: $Address"
        }

        If ($Case -eq 'Lower') {
            $Address = $Address.ToLower()
            Write-Verbose "Format-MacAddress: Lower case was enforced: $Address"
        }

        $Address = $Address -replace '[-: ]', ''
        Write-Verbose "Format-MacAddress: Colon (:), hyphen (-), and space ( ) separators were removed: $Address"

        # Split the twelve hex digits into six octet pairs and rejoin them with the requested separator
        $Octets = for ($i = 0; $i -lt 12; $i += 2) { $Address.Substring($i, 2) }
        $Address = $Octets -join $Separator
        Write-Verbose "Format-MacAddress: Address was reconstructed with specified separator: $Address"

        $Address
    }

    End {}
}

function New-CEFMessage {
    <#
    .SYNOPSIS
    Creates a CEF message string (without a SYSLOG prefix) that will typically be sent via SYSLOG or written to a file

    .DESCRIPTION
    Generate a properly formatted CEF message (CEF version 0 as specified by CommonEventFormatv23.pdf) consisting of mandatory CEF header fields and optional CEF extension fields

    .EXAMPLE
    New-CEFMessage -DeviceVendor 'Contoso' -DeviceProduct 'MyPowershellScript' -DeviceVersion '1.0' -DeviceEventClassId 'Alert' -Name 'Bad Thing Detected' -Severity 10 -externalId 12345 -dmac '01-23-45-67-89-AF' -src 192.168.1.1 -deviceDirection Outbound -spriv Administrator -Type Base -In 6213467 -cfp1 3.141592653589 -CustomExtensionRawString 'key=value'

    .INPUTS
    All parameters can accept input from the pipeline

    .OUTPUTS
    CEF message as a [string]

    .NOTES
    Name: New-CEFMessage
    Author: Jared Poeppelman (powershellshock)

    .LINK
    https://github.com/poshsecurity/posh-cef

    .LINK
    https://github.com/powershellshock
    #>
    [CmdletBinding()]
    [OutputType([string])]
    Param
    (
        # Specifies the value to use for the "Device Vendor" portion of the CEF message header
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipelineByPropertyName = $true, HelpMessage = 'String to uniquely identify the vendor of the device or component generating the message')]
        [ValidateNotNullOrEmpty()]
        [string]
        $DeviceVendor,

        # Specifies the value to use for the "Device Product" portion of the CEF message header
        [Parameter(Mandatory = $true, Position = 1, ValueFromPipelineByPropertyName = $true, HelpMessage = 'String to uniquely identify the product name of the device or component generating the message')]
        [ValidateNotNullOrEmpty()]
        [string]
        $DeviceProduct,

        # Specifies the value to use for the "Device Version" portion of the CEF message header
        [Parameter(Mandatory = $true, Position = 2, ValueFromPipelineByPropertyName = $true, HelpMessage = 'String to uniquely identify the product version of the device or component generating the message')]
        [ValidateNotNullOrEmpty()]
        [string]
        $DeviceVersion,

        # Specifies the value to use for the "Device Event Class ID" portion of the CEF message header
        [Parameter(Mandatory = $true, Position = 3, ValueFromPipelineByPropertyName = $true, HelpMessage = 'String to uniquely identify the event type being reported in the message, also known as "Signature ID"')]
        [ValidateNotNullOrEmpty()]
        [string]
        $DeviceEventClassId,

        # Specifies the value to use for the "Name" portion of the CEF message header
        [Parameter(Mandatory = $true, Position = 4,
            ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, HelpMessage = 'String representing a human-readable description of the event; should be general and not include information that is specific to a single instance of the event, such as a source IP')]
        [ValidateNotNullOrEmpty()]
        [string]
        $Name,

        # Specifies the severity value from 0 to 10 (0=lowest, 10=highest) to use for the "Severity" portion of the CEF message header
        # (the HelpMessage was a copy of the DeviceVendor text; corrected to describe the severity)
        [Parameter(Mandatory = $true, Position = 5, ValueFromPipelineByPropertyName = $true, HelpMessage = 'Integer from 0 to 10 (0=lowest, 10=highest) indicating the importance of the event')]
        [ValidateRange(0, 10)]
        [int]
        $Severity,


        #-------------------------------------------------------------------------------
        #----------------------------Optional CEF Extensions----------------------------
        #-------------------------------------------------------------------------------

        #----------------------------enumtype extensions----------------------------
        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'The direction of the observed communication. The following values are supported: "Inbound" (translated to integer value of 0) or "Outbound" (translated to integer value of 1)')]
        [ValidateNotNullOrEmpty()]
        [CEF_Ext_Device_Direction]
        $deviceDirection,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Can be "Base", "Aggregated", "Correlation", or "Action" (translated to integer values of 0, 1, 2, or 3 respectively). This field can be omitted for base events (type 0)')]
        [ValidateNotNullOrEmpty()]
        [CEF_Ext_Event_Type]
        $type,

        #----------------------------ipaddress extensions----------------------------

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of four IPV6 address fields available to map fields that do not apply to any other CEF extension key name (type=IPv6address)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomIPv6Address1")]
        [ipaddress]
        $c6a1,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of four IPV6 address fields available to map fields that do not apply to any other CEF extension key name (type=IPv6address)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomIPv6Address2")]
        [ipaddress]
        $c6a2,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of four IPV6 address fields available to map fields that do not apply to any other CEF extension key name (type=IPv6address)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomIPv6Address3")]
        [ipaddress]
        $c6a3,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of four IPV6 address fields available to map fields that do not apply to any other CEF extension key name (type=IPv6address)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomIPv6Address4")]
        [ipaddress]
        $c6a4,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the translated destination address to which the event refers. Example: "192.168.10.1" (type=IPv4address)')]
        [ValidateNotNullOrEmpty()]
        [ipaddress]
        $destinationTranslatedAddress,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the translated device address to which the event refers. Example: "192.168.10.1" (type=IPv4address)')]
        [ValidateNotNullOrEmpty()]
        [ipaddress]
        $deviceTranslatedAddress,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the destination device address to which the event refers. Example: "192.168.10.1" (type=IPv4address)')]
        [ValidateNotNullOrEmpty()]
        [Alias("destinationAddress")]
        [ipaddress]
        $dst,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the device address to which the event refers. Example: "192.168.10.1" (type=IPv4address)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceAddress")]
        [ipaddress]
        $dvc,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the translated source address to which the event refers. Example: "192.168.10.1" (type=IPv4address)')]
        [ValidateNotNullOrEmpty()]
        [ipaddress]
        $sourceTranslatedAddress,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the source device address to which the event refers. Example: "192.168.10.1" (type=IPv4address)')]
        [ValidateNotNullOrEmpty()]
        [Alias("sourceAddress")]
        [ipaddress]
        $src,

        #----------------------------mac addr extensions----------------------------
        # Each MAC parameter must reduce to exactly twelve hex digits once the permitted separators are stripped

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the destination MAC address to which an event refers. The format is six pairs of hexadecimal numbers which can be separated by colons, hyphens, spaces, or not separated. (type=string)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 17)]
        [ValidateScript( { ($_ -replace '[-: ]', '') -match '^[A-Fa-f0-9]{12}$' })]
        [Alias("destinationMacAddress")]
        [string]
        $dmac,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the device MAC address to which an event refers. The format is six pairs of hexadecimal numbers which can be separated by colons, hyphens, spaces, or not separated. (type=string)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 17)]
        [ValidateScript( { ($_ -replace '[-: ]', '') -match '^[A-Fa-f0-9]{12}$' })]
        [Alias("deviceMacAddress")]
        [string]
        $dvcmac,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the source MAC address to which an event refers. The format is six pairs of hexadecimal numbers which can be separated by colons, hyphens, spaces, or not separated. (type=string)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 17)]
        [ValidateScript( { ($_ -replace '[-: ]', '') -match '^[A-Fa-f0-9]{12}$' })]
        [Alias("sourceMacAddress")]
        [string]
        $smac,

        #----------------------------int extensions----------------------------

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of three number fields available to map fields that do not apply to any other CEF extension key name (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomNumber1", "Channel")]
        [int]
        $cn1,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of three number fields available to map fields that do not apply to any other CEF extension key name (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomNumber2")]
        [int]
        $cn2,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of three number fields available to map fields that do not apply to any other CEF extension key name (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomNumber3")]
        [int]
        $cn3,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1 (type=int)')]
        [ValidateNotNullOrEmpty()]
        [ValidateScript( { $_ -gt 0 })]
        [Alias("baseEventCount")]
        [int]
        $cnt,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the translated destination port number to which the event refers (type=int; range=0-65535)')]
        [ValidateNotNullOrEmpty()]
        [ValidateRange(0, 65535)]
        [int]
        $destinationTranslatedPort,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'The ID number of the destination process associated with the event. For example, if an event contains process ID 105, "105" is the process ID (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("destinationProcessId")]
        [int]
        $dpid,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the destination port number to which the event refers (type=int; range=0-65535)')]
        [ValidateNotNullOrEmpty()]
        [ValidateRange(0, 65535)]
        [Alias("destinationPort")]
        [int]
        $dpt,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'The ID number of the process on the device that generated the event. For example, if an event was generated by process ID 105, "105" is the process ID (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceProcessId")]
        [int]
        $dvcpid,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'A custom integer field typically reserved for customer use and should not be set by vendors unless necessary. Use all flex fields sparingly and seek a more specific field when possible (type=int)')]
        [ValidateNotNullOrEmpty()]
        [int]
        $flexNumber1,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'A custom integer field typically reserved for customer use and should not be set by vendors unless necessary. Use all flex fields sparingly and seek a more specific field when possible (type=int)')]
        [ValidateNotNullOrEmpty()]
        [int]
        $flexNumber2,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Size of the file (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("fileSize")]
        [int]
        $fsize,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Number of bytes transferred inbound to the destination from the source (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("bytesIn")]
        [int]
        $in,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Size of the old file (type=int)')]
        [ValidateNotNullOrEmpty()]
        [int]
        $oldFileSize,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Number of bytes transferred outbound from the source to the destination (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("bytesOut")]
        [int]
        $out,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the translated source port number to which the event refers (type=int; range=0-65535)')]
        [ValidateNotNullOrEmpty()]
        [ValidateRange(0, 65535)]
        [int]
        $sourceTranslatedPort,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'The ID number of the source process associated with the event. For example, if an event contains process ID 105, "105" is the process ID (type=int)')]
        [ValidateNotNullOrEmpty()]
        [Alias("sourceProcessId")]
        [int]
        $spid,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Identifies the source port number to which the event refers (type=int; range=0-65535)')]
        [ValidateNotNullOrEmpty()]
        [ValidateRange(0, 65535)]
        [Alias("sourcePort")]
        [int]
        $spt,

        #----------------------------datetime extensions----------------------------

        <#
        #----------------------------Timestamps as [datetime] types----------------------------
        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of two timestamp fields available to map fields that do not apply to any other CEF extension key name (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $deviceCustomDate1,


        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of two timestamp fields available to map fields that do not apply to any other CEF extension key name (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $deviceCustomDate2,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the activity related to the event ended (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [Alias("endTime")]
        [datetime]
        $end,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the file was created (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $fileCreateTime,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the file was last modified (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $fileModificationTime,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'A custom timestamp field typically reserved for customer use and should not be set by vendors unless necessary. Use all flex fields sparingly and seek a more specific field when possible (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $flexDate1,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the old file was created (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $oldFileCreateTime,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the old file was last modified (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $OldFileModificationTime,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the event related to the activity was received (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceReceiptTime")]
        [datetime]
        $rt,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the activity related to the event started (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [Alias("startTime")]
        [datetime]
        $start,
        #>

        #----------------------------Timestamps as [string] types----------------------------
        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of two timestamp fields available to map fields that do not apply to any other CEF extension key name (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [string]
        $deviceCustomDate1,


        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of two timestamp fields available to map fields that do not apply to any other CEF extension key name (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [string]
        $deviceCustomDate2,

        # The end/start HelpMessages were copies of the deviceCustomDate text; corrected to describe the fields
        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the activity related to the event ended (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [Alias("endTime")]
        [string]
        $end,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the file was created (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [string]
        $fileCreateTime,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the file was last modified (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [string]
        $fileModificationTime,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'A custom timestamp field typically reserved for customer use and should not be set by vendors unless necessary. Use all flex fields sparingly and seek a more specific field when possible (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [string]
        $flexDate1,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the old file was created (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [string]
        $oldFileCreateTime,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the old file was last modified (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [string]
        $OldFileModificationTime,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the event related to the activity was received (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceReceiptTime")]
        [string]
        $rt,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'Time when the activity related to the event started (type=datetime)')]
        [ValidateNotNullOrEmpty()]
        [Alias("startTime")]
        [string]
        $start,

        #----------------------------float extensions----------------------------

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of four floating point fields available to map fields that do not apply to any other CEF extension key name (type=float)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomFloatingPoint1")]
        [float]
        $cfp1,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName = $true, HelpMessage = 'One of four floating point fields available to map fields that do not apply to any other CEF extension key name (type=float)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomFloatingPoint2")]
        [float]
        $cfp2,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'One of four floating point fields available to map fields that do not apply to any other CEF extension key name (type=float)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomFloatingPoint3")]
        [float]
        $cfp3,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'One of four floating point fields available to map fields that do not apply to any other CEF extension key name (type=float)')]
        [ValidateNotNullOrEmpty()]
        [Alias("deviceCustomFloatingPoint4")]
        [float]
        $cfp4,

        #----------------------------String extensions----------------------------

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Action taken by the device (full name=deviceAction; type=string; max length=63)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 63)]
        [Alias("deviceAction", "Action")]
        [String]
        $act,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Application level protocol, example values are: HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, etc. (type=string; max length=31)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 31)]
        [Alias("applicationProtocol")]
        [String]
        $app,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'One of six string fields available to map fields that do not apply to any other CEF extension key name (type=string; max length=4000)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 4000)]
        [string]
        [Alias("deviceCustomString1", "RuleNumber", "AclNumber", "VirusName", "Relay")]
        $cs1,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'One of six string fields available to map fields that do not apply to any other CEF extension key name (type=string; max length=4000)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 4000)]
        [Alias("deviceCustomString2", "SignatureVersion", "EngineVersion", "SSID")]
        [string]
        $cs2,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'One of six string fields available to map fields that do not apply to any other CEF extension key name (type=string; max length=4000)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 4000)]
        [Alias("deviceCustomString3")]
        [string]
        $cs3,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'One of six string fields available to map fields that do not apply to any other CEF extension key name (type=string; max length=4000)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 4000)]
        [Alias("deviceCustomString4")]
        [string]
        $cs4,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'One of six string fields available to map fields that do not apply to any other CEF extension key name (type=string; max length=4000)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 4000)]
        [Alias("deviceCustomString5")]
        [string]
        $cs5,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'One of six string fields available to map fields that do not apply to any other CEF extension key name (type=string; max length=4000)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 4000)]
        [Alias("deviceCustomString6")]
        [string]
        $cs6,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The DNS domain part of the complete fully qualified domain name (FQDN) of the destination (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [String]
        $destinationDnsDomain,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The service targeted by this event. Example: "sshd" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [String]
        $destinationServiceName,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'A name that uniquely identifies the device generating this event (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [string]
        $deviceExternalId,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The facility generating this event. For example, Syslog has an explicit facility associated with every event (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $deviceFacility,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Interface on which the packet or data entered the device (type=string; max length=128)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 128)]
        [string]
        $deviceInboundInterface,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The Windows domain name of the device address (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [string]
        $deviceNtDomain,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Interface on which the packet or data left the device (type=string; max length=128)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 128)]
        [string]
        $deviceOutboundInterface,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Unique identifier for the payload associated with the event (type=string; max length=128)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 128)]
        [string]
        $devicePayloadId,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Process name associated with the event. An example might be the process generating the syslog entry in UNIX (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $deviceProcessName,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Identifies the destination to which an event refers. The format should be a fully qualified domain name associated with the destination node, if available (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("destinationHostName")]
        [string]
        $dhost,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The Windows domain name of the destination address (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [Alias("destinationNtDomain")]
        [string]
        $dntdom,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The typical values are: "Administrator", "User", and "Guest". This identifies the privilege level of the user on the destination system. For example, activity executed on the root user would be identified with value of "Administrator"')]
        [ValidateNotNullOrEmpty()]
        [Alias("destinationUserPrivileges")]
        [string]
        $dpriv,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The name of the destination process with which the event is associated. For example, "telnetd" or "sshd" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("destinationProcessName")]
        [string]
        $dproc,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The timezone for the device generating the event (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [Alias("deviceTimeZone")]
        [string]
        $dtz,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Identifies the destination user by ID. For example, in UNIX, the root user has the uid of 0 (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("destinationUserId")]
        [string]
        $duid,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Identifies the username associated with the destination system. For example, with email related events the recipient is a candidate to put into destinationUserName. (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("destinationUserName", "Recipient")]
        [string]
        $duser,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Fully qualified domain name associated with the device, if available (type=string; max length=100)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 100)]
        [Alias("deviceHostName")]
        [string]
        $dvchost,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The unique event identifier used by an originating device (type=string; max length=40)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 40)]
        [string]
        $externalId,

        # Accept hex digests of 32, 40, 56, 64, 80, 96 or 128 characters. The pattern is a
        # string (not a script block) and anchored at both ends for every length, so an
        # over-long or trailing-garbage value is rejected instead of silently passing.
        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The hash of the file (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [ValidateScript({ $_ -match '^([A-Fa-f0-9]{32}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{56}|[A-Fa-f0-9]{64}|[A-Fa-f0-9]{80}|[A-Fa-f0-9]{96}|[A-Fa-f0-9]{128})$' })]
        [string]
        $fileHash,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'An ID associated with a file, could be the inode (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $fileId,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Full path to the file, including file name itself. Example: C:\Program Files\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $filePath,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Permissions of the file (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $filePermission,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Type of the file, such as pipe, socket, etc (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $fileType,

        # Emitted verbatim as the CEF key, so the name must match the key spelling
        # flexString1 / flexString2 (the same spelling the label parameters use).
        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'A custom string field typically reserved for customer use and should not be set by vendors unless necessary. Use all flex fields sparingly and seek a more specific field when possible (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $flexString1,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'A custom string field typically reserved for customer use and should not be set by vendors unless necessary. Use all flex fields sparingly and seek a more specific field when possible (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $flexString2,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Name of the file only, without its path (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("fileName")]
        [string]
        $fname,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("message")]
        [string]
        $msg,

        # Same digest-length rule as fileHash, anchored at both ends.
        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The hash of the old file (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [ValidateScript({ $_ -match '^([A-Fa-f0-9]{32}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{56}|[A-Fa-f0-9]{64}|[A-Fa-f0-9]{80}|[A-Fa-f0-9]{96}|[A-Fa-f0-9]{128})$' })]
        [string]
        $oldFileHash,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'An ID associated with the old file, could be the inode (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $oldFileId,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Name of the old file, without its path (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $oldFileName,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Full path to the old file, including file name itself. Example: C:\Program Files\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $oldFilePath,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Permissions of the old file (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $oldFilePermission,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Type of the old file, such as pipe, socket, etc (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $oldFileType,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The outcome of the event, typically "success" or "failure" (type=string; max length=63)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 63)]
        [Alias("eventOutcome")]
        [string]
        $outcome,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Identifies the layer-4 protocol used, such as TCP, UDP, ICMP, GRE, etc. (type=string; max length=31)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 31)]
        [Alias("transportProtocol")]
        [string]
        $proto,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The reason an event was generated, such as "Bad password" or "Unknown user" or return code like "0x1234" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $reason,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'In the case of an HTTP request, this field contains the URL accessed, such as "https://site.example/vdir/resource.html" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("requestUrl")]
        [string]
        $request,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The user-agent associated with the request (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $requestClientApplication,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Description of the content from which the request originated, such as "HTTP Referrer" (type=string; max length=2048)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 2048)]
        [string]
        $requestContext,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Cookies associated with the request (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $requestCookies,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Method used to access a URL, such as "GET" or "POST" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $requestMethod,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Identifies the source system to which an event refers. The format should be a fully qualified domain name associated with the source node, if available (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("sourceHostName")]
        [string]
        $shost,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The Windows domain name of the source address (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [Alias("sourceNtDomain")]
        [string]
        $sntdom,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The DNS domain part of the complete fully qualified domain name (FQDN) of the source (type=string; max length=255)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 255)]
        [String]
        $sourceDnsDomain,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The service responsible for generating the event (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [String]
        $sourceServiceName,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The typical values are: "Administrator", "User", and "Guest". This identifies the privilege level of the user on the source system. For example, activity executed on the root user would be identified with value of "Administrator"')]
        [ValidateNotNullOrEmpty()]
        [Alias("sourceUserPrivileges")]
        [string]
        $spriv,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'The name of the source process with which the event is associated. For example, "telnet" or "ssh" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("sourceProcessName")]
        [string]
        $sproc,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Identifies the source user by ID. For example, in UNIX, the root user has the uid of 0 (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("sourceUserId")]
        [string]
        $suid,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Identifies the username associated with the source system. For example, with email related events the sender is a candidate to put into sourceUserName. (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("sourceUserName", "Sender")]
        [string]
        $suser,

        [Parameter(ValueFromPipelineByPropertyName=$true, HelpMessage = 'A custom raw string parameter allowing inclusion of one or more custom extensions. Use only when no reasonable mapping exists to existing key names (type=string)')]
        [ValidateNotNullOrEmpty()]
        [string]
        $CustomExtensionRawString,

        #----------------------------custom label extensions----------------------------

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "c6a1" key. Recommended value is "Device IPv6 Address" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomIPv6Address1Label")]
        [string]
        $c6a1Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "c6a2" key. Recommended value is "Source IPv6 Address" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomIPv6Address2Label")]
        [string]
        $c6a2Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "c6a3" key. Recommended value is "Destination IPv6 Address" (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomIPv6Address3Label")]
        [string]
        $c6a3Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "c6a4" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomIPv6Address4Label")]
        [string]
        $c6a4Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cfp1" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomFloatingPoint1Label")]
        [string]
        $cfp1Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cfp2" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomFloatingPoint2Label")]
        [string]
        $cfp2Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cfp3" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomFloatingPoint3Label")]
        [string]
        $cfp3Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cfp4" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomFloatingPoint4Label")]
        [string]
        $cfp4Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cn1" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomNumber1Label")]
        [string]
        $cn1Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cn2" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomNumber2Label")]
        [string]
        $cn2Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cn3" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomNumber3Label")]
        [string]
        $cn3Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cs1" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomString1Label")]
        [string]
        $cs1Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cs2" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomString2Label")]
        [string]
        $cs2Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cs3" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomString3Label")]
        [string]
        $cs3Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cs4" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomString4Label")]
        [string]
        $cs4Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cs5" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomString5Label")]
        [string]
        $cs5Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "cs6" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [Alias("deviceCustomString6Label")]
        [string]
        $cs6Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "deviceCustomDate1" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $deviceCustomDate1Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "deviceCustomDate2" key (type=string; max length=1023)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 1023)]
        [string]
        $deviceCustomDate2Label,

        #----------------------------flex label extensions----------------------------

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "flexDate1" key (type=string; max length=128)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 128)]
        [string]
        $flexDate1Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "flexNumber1" key (type=string; max length=128)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 128)]
        [string]
        $flexNumber1Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "flexNumber2" key (type=string; max length=128)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 128)]
        [string]
        $flexNumber2Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "flexString1" key (type=string; max length=128)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 128)]
        [string]
        $flexString1Label,

        [Parameter(ParameterSetName = 'CEFExtensionFields', ValueFromPipelineByPropertyName=$true, HelpMessage = 'Label name for the "flexString2" key (type=string; max length=128)')]
        [ValidateNotNullOrEmpty()]
        [ValidateLength(0, 128)]
        [string]
        $flexString2Label
    )

    Begin {
        [String]$CEFVersion = 'CEF:0'
        Write-Verbose "New-CEFMessage: CEF version being used: $CEFVersion"
    }

    Process {
        [String]$CEFExtension = ''

        Write-Verbose "New-CEFMessage: Convert MAC addresses to CEF expected format"
        If ($dmac) {$dmac = Format-MacAddress -MacAddress $dmac -Separator ':' -Case Upper}
        If ($dvcmac) {$dvcmac = Format-MacAddress -MacAddress $dvcmac -Separator ':' -Case Upper}
        If ($smac) {$smac = Format-MacAddress -MacAddress $smac -Separator ':' -Case Upper}

        Write-Verbose "New-CEFMessage: Loop through the list of specified params"
        ($PSCmdlet.MyInvocation.BoundParameters).Keys | ForEach-Object {
            Write-Verbose "New-CEFMessage: Get handle for parameter $_ before entering another ForEach-Object loop block"
            $i = $_

            Write-Verbose "New-CEFMessage: Loop through the param sets of which param $_ is a member"
            (($MyInvocation.MyCommand.Parameters.Item($i)).ParameterSets).Keys | ForEach-Object {

                Write-Verbose "New-CEFMessage: Check if param $i is a member of param set 'CEFExtensionFields'"
                If ($_ -ccontains 'CEFExtensionFields') {

                    Write-Verbose "New-CEFMessage: Param $i is a member of param set 'CEFExtensionFields'"
                    If (($MyInvocation.MyCommand.Parameters.Item($i)).ParameterType -eq [CEF_Ext_Device_Direction]) {
                        Write-Verbose "New-CEFMessage: Adding the value for $i as an [int] to the CEF extension"
                        $CEFExtension += (((Get-Variable $i).Name), ((Get-Variable $i).Value -as [int]) -join '=') + ' '
                    }
                    ElseIf (($MyInvocation.MyCommand.Parameters.Item($i)).ParameterType -eq [CEF_Ext_Event_Type]) {
                        Write-Verbose "New-CEFMessage: Adding the value for $i as an [int] to the CEF extension"
                        $CEFExtension += (((Get-Variable $i).Name), ((Get-Variable $i).Value -as [int]) -join '=') + ' '
                    }
                    Else {
                        Write-Verbose "New-CEFMessage: Adding the value for $i to the CEF extension"
                        $CEFExtension += (((Get-Variable $i).Name), ((Get-Variable $i).Value) -join '=') + ' '
                    }
                }
            }
        }

        Write-Verbose "New-CEFMessage: Add raw, non-standard CEF extension fields directly (this param is not a member of the 'CEFExtensionFields' paramset on purpose, we handle it uniquely because it contains both key names and values, e.g.- 'cefkeyname=value')"
        If ($CustomExtensionRawString) {
            $CEFExtension += $CustomExtensionRawString
            Write-Verbose "New-CEFMessage: CEF custom extension fields being used: $CEFExtension"
        }

        Write-Verbose "New-CEFMessage: Trim trailing space from CEF extension, if there are any"
        $CEFExtension = $CEFExtension.ToString().TrimEnd(' ')

        Write-Verbose "New-CEFMessage: CEF extension being used: $CEFExtension"

        [String]$CEFHeader = "$CEFVersion|$DeviceVendor|$DeviceProduct|$DeviceVersion|$DeviceEventClassId|$Name|$Severity|"

        If ($CEFExtension -ne '') {
            Write-Verbose "New-CEFMessage: Assemble CEF header and extension into CEF message"
            $CEFMessage = '{0}{1}' -f $CEFHeader, $CEFExtension
        }
        Else {
            Write-Verbose "New-CEFMessage: No CEF extensions were used, CEF header only will be the CEF message"
            $CEFMessage = $CEFHeader
        }

        Write-Output $CEFMessage
    }

    End {}
}

# Be sure to list each exported function in the FunctionsToExport field of the module manifest file.
Export-ModuleMember -Function New-CEFMessage
--------------------------------------------------------------------------------
/test/posh-cef.Tests.ps1:
--------------------------------------------------------------------------------

$ModuleManifestName = 'posh-cef.psd1'
$ModuleManifestPath = "$PSScriptRoot\..\$ModuleManifestName"

Describe 'Module Manifest Tests' {
    It 'Passes Test-ModuleManifest' {
        Test-ModuleManifest -Path $ModuleManifestPath
        $?
| Should Be $true 9 | } 10 | } 11 | 12 | $ExpectedResult = 'CEF:0|Contoso|MyPowershellScript|1.0|Alert|Something bad was detected.|10|externalId=12345 src=192.168.1.1 deviceDirection=1 act=Blocked spriv=Administrator type=0 in=6213467 dmac=01:23:45:67:89:AF cfp1=3.141593 key=value' 13 | 14 | $TestCollection = @() 15 | $TestCollection += New-Object -TypeName PSObject -Property ([ordered]@{'DeviceVendor'='Contoso';'DeviceProduct'='MyPowershellScript';'DeviceVersion'='1.0';'DeviceEventClassId'='Alert';'Name'='Something bad was detected.';'Severity'=10;'externalId'='12345';'src'='192.168.1.1';'deviceDirection'='Outbound';'act'='Blocked';'spriv'='Administrator';'Type'='Base';'In'=6213467;'dmac'='01-23-45-67-89-AF';'cfp1'=3.141592653589;'CustomExtensionRawString'='key=value'}) 16 | 17 | 18 | Describe 'New-CEFMessage' { 19 | It 'Properly outputs CEF formatted message' { 20 | $Result = New-CEFMessage -DeviceVendor 'Contoso' -DeviceProduct 'MyPowershellScript' -DeviceVersion '1.0' -DeviceEventClassId 'Alert' -Name 'Something bad was detected.' 
-Severity 10 -externalId 12345 -src 192.168.1.1 -deviceDirection Outbound -act 'Blocked' -spriv 'Administrator' -Type Base -In 6213467 -dmac '01-23-45-67-89-AF' -cfp1 3.141592653589 -CustomExtensionRawString 'key=value' 21 | $Result | Should Be $ExpectedResult 22 | } 23 | 24 | It 'Accepts input via ForEach-Object' { 25 | $Result = $TestCollection | New-CEFMessage 26 | $Result | Should Be $ExpectedResult 27 | } 28 | } 29 | 30 | 31 | 32 | $TestCollection | New-CEFMessage -Verbose 33 | $TestCollection 34 | $TestCollection | %{$_} 35 | 36 | 37 | 38 | #$TestCollection | %{New-CEFMessage -DeviceVendor $_.DeviceVendor -DeviceProduct $_.DeviceProduct -DeviceVersion $_.DeviceVersion -DeviceEventClassId $_.DeviceEventClassId -Name $_.Name -Severity $_.Severity -externalId 12345 -dmac '01-23-45-67-89-AF' -CustomExtensionRawString 'key=value' -deviceDirection Inbound } 39 | #$TestCollection | %{New-CEFMessage -DeviceVendor $_.DeviceVendor -DeviceProduct $_.DeviceProduct -DeviceVersion $_.DeviceVersion -DeviceEventClassId $_.DeviceEventClassId -Name $_.Name -Severity $_.Severity -externalId $_.externalId -dmac $_.dmac -src $_.src -deviceDirection $_.deviceDirection -act $_.act -spriv $_.spriv -Type $_.Type -In $_.In -cfp1 $_.cfp1 -CustomExtensionRawString $_.CustomExtensionRawString} 40 | 41 | #$TestCollection | New-CEFMessage -DeviceVendor 'JaredP' -DeviceProduct 'MyScript' -DeviceVersion '2.0' -DeviceEventClassId 'Detection' -Severity 8 -externalId 12345 -dmac '01-23-45-67-89-AF' -CustomExtensionRawString 'key=value' -deviceDirection Outbound | Write-Host -ForegroundColor Red 42 | 43 | 44 | 45 | 46 | #> 47 | 48 | 49 | --------------------------------------------------------------------------------
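New-CEFMessage writes header and extension values into the message exactly as given, so a value that contains `|` (in a header field) or `=` (in an extension value) would shift field boundaries when the SIEM parses the line; the ArcSight CEF standard requires those characters and backslashes to be backslash-escaped. The helper below is an added example, not part of posh-cef, that applies that escaping before a value is handed to New-CEFMessage (ConvertTo-CEFEscapedValue and the sample values are assumptions constructed for this illustration).

```powershell
# Added example (not part of posh-cef): escape values per the CEF standard before
# passing them to New-CEFMessage, so untrusted text cannot alter field boundaries.
function ConvertTo-CEFEscapedValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Value,

        # 'Header' escapes '|' and '\'; 'Extension' escapes '=', '\', CR and LF
        [Parameter(Mandatory)]
        [ValidateSet('Header', 'Extension')]
        [string]$Part
    )
    process {
        # Escape the backslash first so the escapes added below are not doubled
        $escaped = $Value.Replace('\', '\\')
        if ($Part -eq 'Header') {
            $escaped = $escaped.Replace('|', '\|')
        }
        else {
            $escaped = $escaped.Replace('=', '\=').Replace("`r", '\r').Replace("`n", '\n')
        }
        $escaped
    }
}

# Constructed sample input: an event name carrying a pipe and an action carrying '='
$name = ConvertTo-CEFEscapedValue -Value 'Login failed | see ticket' -Part Header
$act  = ConvertTo-CEFEscapedValue -Value 'blocked: reason=policy' -Part Extension

# The header keeps seven pipe-separated fields and the extension keeps one key=value pair
New-CEFMessage -DeviceVendor 'Contoso' -DeviceProduct 'MyPowershellScript' -DeviceVersion '1.0' `
    -DeviceEventClassId 'Alert' -Name $name -Severity 10 -act $act
```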