beancurd1 · February 6, 2017 12:19
diff --git a/AppLockerEventNotification.ps1 b/AppLockerEventNotification.ps1
 Param($eventFilePath)

 # Get the first/latest event from "Forwarded Events" event log and
 # Replace the field value and field name with meaningful value e.g. convert SID to proper user name and Full Name
 $Event = Get-WinEvent -FilterHashtable @{Logname='ForwardedEvents'; Id=8004} -MaxEvents 1
 If($Event.UserId.Value -eq $null) 
 { 
    return
 } else {
    $objSID = New-Object System.Security.Principal.SecurityIdentifier($Event.UserId.Value)
    $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
    $userName = $objUser.Value
    $userFullName = ([adsi]"WinNT://$($objUser.Value.Replace("\", "/")),user").fullname
 }
 $msgBody = $Event | Select-Object -Property @{N='HostName'; E={$_.MachineName}}, 
                                            @{N='UserName'; E={$_.UserId}}, LogName, ProviderName,
                                            @{N='Event ID'; E={$_.Id}}, Message, ProcessId, ThreadId, TimeCreated, LevelDisplayName
 $msgBody.UserName = "$userFullName ($userName)"

 # This is a workaround of the "path couldn't be resolve" bug in Windows Forwarded Events log for events such as AppLocker events
 # Need to config the Event Trigger to return the path from the XML view in event viewer
 If ($msgBody.Message -like "*%11*") {
    $msgBody.Message = $msgBody.Message.Replace("%11","$eventFilePath")
 }

 # Convert the event object into HTML format for better formatting
 # Send Noftifaction in HTML format with High priority
 $messageParameters = @{ 
    Subject = "Event Provider: " + $msgBody.ProviderName
    Body = $msgBody | ConvertTo-Html -As List -PreContent "<h3><font face='Courier New'>Forwarded Event:</font></h3>" -Fragment | Out-String
    From = "USERORGROUP1@DOMAIN" 
    To = "USERORGROUP2@DOMAIN" 
    SmtpServer = "SMTPServer" 
 } 
 Send-MailMessage @messageParameters -BodyAsHtml -priority High
	Param($eventFilePath)

	# Get the first/latest event from "Forwarded Events" event log and
	# Replace the field value and field name with meaningful value e.g. convert SID to proper user name and Full Name
	$Event = Get-WinEvent -FilterHashtable @{Logname='ForwardedEvents'; Id=8004} -MaxEvents 1
	If($Event.UserId.Value -eq $null)
	{
	return
	} else {
	$objSID = New-Object System.Security.Principal.SecurityIdentifier($Event.UserId.Value)
	$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
	$userName = $objUser.Value
	$userFullName = ([adsi]"WinNT://$($objUser.Value.Replace("\", "/")),user").fullname
	}
	$msgBody = $Event \| Select-Object -Property @{N='HostName'; E={$_.MachineName}},
	@{N='UserName'; E={$_.UserId}}, LogName, ProviderName,
	@{N='Event ID'; E={$_.Id}}, Message, ProcessId, ThreadId, TimeCreated, LevelDisplayName
	$msgBody.UserName = "$userFullName ($userName)"

	# This is a workaround of the "path couldn't be resolve" bug in Windows Forwarded Events log for events such as AppLocker events
	# Need to config the Event Trigger to return the path from the XML view in event viewer
	If ($msgBody.Message -like "%11") {
	$msgBody.Message = $msgBody.Message.Replace("%11","$eventFilePath")
	}

	# Convert the event object into HTML format for better formatting
	# Send Noftifaction in HTML format with High priority
	$messageParameters = @{
	Subject = "Event Provider: " + $msgBody.ProviderName
	Body = $msgBody \| ConvertTo-Html -As List -PreContent "<h3><font face='Courier New'>Forwarded Event:</font></h3>" -Fragment \| Out-String
	From = "USERORGROUP1@DOMAIN"
	To = "USERORGROUP2@DOMAIN"
	SmtpServer = "SMTPServer"
	}
	Send-MailMessage @messageParameters -BodyAsHtml -priority High