Windows Security Event Viewer
Retrieve and analyze security events from Windows PowerShell
PowerShell Command
Get-WinEvent -FilterHashtable @{LogName='Security'}
This command retrieves every event in the Security log. The Security log is readable only from an elevated prompt (or by members of the Event Log Readers group), and on a busy host it holds hundreds of thousands of records, so add -MaxEvents to bound the query while exploring.
Filtered Events
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625}
This retrieves only successful (4624) and failed (4625) logon events. The ID key of the filter hashtable accepts an array, so several IDs can be listed comma-separated; the same hashtable also accepts StartTime and EndTime keys to bound the time range.
Python Implementation
import json
import subprocess


def get_security_events(event_ids=None, max_events=1000):
    """Retrieve Windows Security events by shelling out to PowerShell.

    Reading the Security log requires an elevated prompt (or membership in
    the Event Log Readers group). max_events bounds the result so the JSON
    stays manageable; pass None to fetch the whole log.
    """
    query = "Get-WinEvent -FilterHashtable @{LogName='Security'"
    if event_ids:
        # Coerce to int so only digits reach the command line: the IDs are
        # interpolated into a PowerShell string, so anything else would be
        # command injection.
        query += "; ID=" + ",".join(str(int(i)) for i in event_ids)
    query += "}"
    if max_events:
        query += f" -MaxEvents {int(max_events)}"
    # Keep a few stable fields and render TimeCreated as ISO-8601; the default
    # ConvertTo-Json output wraps it as /Date(...)/ on Windows PowerShell 5.1.
    query += (
        " | Select-Object @{n='TimeCreated';e={$_.TimeCreated.ToString('o')}},"
        " Id, ProviderName, Message"
        " | ConvertTo-Json -Compress"
    )
    command = ["powershell", "-NoProfile", "-NonInteractive", "-Command", query]
    try:
        result = subprocess.run(command, capture_output=True, text=True, check=True)
    except subprocess.CalledProcessError as e:
        # Get-WinEvent reports an error (and PowerShell normally exits non-zero)
        # when nothing matches the filter, not only on real failures.
        print(f"Error executing PowerShell: {e.stderr.strip()}")
        return []
    if not result.stdout.strip():
        return []
    try:
        events = json.loads(result.stdout)
    except json.JSONDecodeError:
        print("Error parsing PowerShell output")
        return []
    # ConvertTo-Json emits a bare object, not a one-element array, for a single event.
    return events if isinstance(events, list) else [events]


# Example usage
if __name__ == "__main__":
    # Get recent security events
    all_events = get_security_events()
    # Get only logon events (successful and failed)
    logon_events = get_security_events([4624, 4625])
    print(f"Total security events: {len(all_events)}")
    print(f"Logon events: {len(logon_events)}")
Event Analysis
| Event ID | Description | Common Use |
|---|---|---|
| 4624 | Successful account logon | Track successful logins |
| 4625 | Failed account logon | Detect brute force attempts |
| 4648 | Logon with explicit credentials | Monitor credential usage |
| 4720 | User account created | Detect unauthorized account creation |
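The "Detect brute force attempts" row of the table as working code, added here as an example that is not part of the original page: a sliding-window detector over 4625 and 4624 records that flags a (target user, source IP) pair once it reaches a threshold of failures inside the window, and notes whether a successful logon from the same pair followed. The records are constructed sample data shaped like the output of the page's get_security_events() wrapper, with the assumption that TargetUserName and IpAddress have already been pulled out of each event's EventData (the wrapper above returns whole records and does not do that). The threshold, window and field names are illustrative choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real log data). They are shaped like the
# records get_security_events() returns, with two EventData fields already
# pulled out of each event: TargetUserName and IpAddress. Extracting those
# from the event's Properties is assumed to have happened upstream.
SAMPLE_EVENTS = [
    # alice: five failures in 40 seconds, then a success from the same address
    {"TimeCreated": "2024-05-01T08:00:00", "Id": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-05-01T08:00:10", "Id": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-05-01T08:00:20", "Id": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-05-01T08:00:30", "Id": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-05-01T08:00:40", "Id": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-05-01T08:01:00", "Id": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    # bob: three typos then a success, which is normal user behaviour
    {"TimeCreated": "2024-05-01T08:00:05", "Id": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2024-05-01T08:00:15", "Id": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2024-05-01T08:00:25", "Id": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2024-05-01T08:00:35", "Id": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    # carol: five failures, but three minutes apart, so never five inside a 2-minute window
    {"TimeCreated": "2024-05-01T08:00:00", "Id": 4625, "TargetUserName": "carol", "IpAddress": "10.0.0.7"},
    {"TimeCreated": "2024-05-01T08:03:00", "Id": 4625, "TargetUserName": "carol", "IpAddress": "10.0.0.7"},
    {"TimeCreated": "2024-05-01T08:06:00", "Id": 4625, "TargetUserName": "carol", "IpAddress": "10.0.0.7"},
    {"TimeCreated": "2024-05-01T08:09:00", "Id": 4625, "TargetUserName": "carol", "IpAddress": "10.0.0.7"},
    {"TimeCreated": "2024-05-01T08:12:00", "Id": 4625, "TargetUserName": "carol", "IpAddress": "10.0.0.7"},
]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (user, source IP) pairs with >= threshold 4625 events inside a sliding window.

    A later 4624 from the same pair is recorded as success_after: a run of
    failures followed by a success is the case worth paging someone for.
    Returns a list of alert dicts ordered by first failure time.
    """
    ordered = sorted(events, key=lambda e: e["TimeCreated"])  # log order is not guaranteed
    recent_failures = defaultdict(deque)  # (user, ip) -> failure timestamps still inside the window
    alerts = {}
    for ev in ordered:
        when = datetime.fromisoformat(ev["TimeCreated"])
        # 4625 carries "-" as IpAddress for local logons; keep it as its own key
        key = (ev.get("TargetUserName", "").lower(), ev.get("IpAddress", "-"))
        if ev["Id"] == 4625:
            q = recent_failures[key]
            q.append(when)
            while q and when - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if key in alerts:
                alerts[key]["failures"] += 1
                alerts[key]["last_failure"] = when.isoformat()
            elif len(q) >= threshold:
                alerts[key] = {
                    "user": key[0],
                    "ip": key[1],
                    "failures": len(q),
                    "first_failure": q[0].isoformat(),
                    "last_failure": when.isoformat(),
                    "success_after": None,
                }
        elif ev["Id"] == 4624 and key in alerts and alerts[key]["success_after"] is None:
            alerts[key]["success_after"] = when.isoformat()
    return sorted(alerts.values(), key=lambda a: a["first_failure"])


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```

Keying on the (user, IP) pair catches a single attacker hammering one account; a password spray (many accounts, one IP, few failures each) needs the same window keyed on IP alone, which is a one-line change to key. Tune threshold and window against your own 4625 baseline before wiring the output to an alert.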