Powershell Workflow Example - Malware Process Detection - DeepBlueCLI Threat Hunting in Windows Event Logs
# Step 1: Download and extract DeepBlueCLI on each TARGET computer (the remote hosts
#         you will analyze), not only on the machine running this workflow.
#         https://github.com/sans-blue-team/DeepBlueCLI
# Step 2: Set the $DeepBluePath parameter below to the full path of DeepBlue.ps1 on the
#         target computers (the same path on every target), e.g. C:\Tools\DeepBlueCLI\DeepBlue.ps1
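<#
.SYNOPSIS
Runs DeepBlueCLI (DeepBlue.ps1) against a Windows event log on one or more remote
computers in parallel and returns its output to the caller.

.DESCRIPTION
For every computer in -ComputerName a PowerShell Remoting session is opened with
Invoke-Command. On the REMOTE side the script verifies that DeepBlue.ps1 exists at
-DeepBluePath (the file must already be present on the target, see Step 1),
optionally checks its SHA-256 hash, and then runs it in a child powershell.exe with
an explicit -ExecutionPolicy Bypass so the run does not depend on the target's
machine/user execution policy.

The original version performed the Test-Path on the workflow host, which says
nothing about whether the file exists on the target; the check now runs remotely.

.PARAMETER ComputerName
One or more target computers. Each is processed in parallel.

.PARAMETER LogName
Value passed through to DeepBlue.ps1 -log (e.g. 'Security', 'System').
Defaults to 'Security'.

.PARAMETER DeepBluePath
Path of DeepBlue.ps1 ON THE TARGET computer.

.PARAMETER ExpectedSha256
Optional SHA-256 hash (as printed by Get-FileHash) of the DeepBlue.ps1 you deployed.
When supplied, the remote copy is hashed before execution and the run is aborted on a
mismatch. Recommended: a host being hunted on is by definition untrusted, and a
tampered DeepBlue.ps1 would execute with the remoting caller's privileges.

.NOTES
Requires PowerShell Remoting (WinRM) to the targets. Reading the Security log
normally needs local administrator rights on the target, so use an account that has
them there. The remote powershell.exe output comes back as text lines, not objects.
#>
workflow Analyze-EventLogsDeepBlue {
    param (
        [string[]]$ComputerName,
        [string]$LogName = 'Security',
        [string]$DeepBluePath = "C:\Path\To\DeepBlue.ps1",
        [string]$ExpectedSha256
    )

    foreach -parallel ($computer in $ComputerName) {
        InlineScript {
            $target = $using:computer

            try {
                # -ErrorAction Stop turns a remoting/connection failure into a terminating
                # error so it is reported per host instead of silently yielding $null.
                $result = Invoke-Command -ComputerName $target -ErrorAction Stop -ScriptBlock {
                    param ($logName, $deepBluePath, $expectedSha256)

                    # The existence check must run here, on the target: DeepBlue.ps1 is
                    # deployed per target (Step 1), so a Test-Path on the workflow host
                    # proves nothing about this machine.
                    if (-not (Test-Path -Path $deepBluePath -PathType Leaf)) {
                        throw "DeepBlue.ps1 not found at $deepBluePath on $env:COMPUTERNAME. Please check the path and try again."
                    }

                    # Integrity check: refuse to run a DeepBlue.ps1 that differs from the
                    # copy we deployed. Skipped when no hash was supplied. PowerShell's
                    # -ne is case-insensitive, so the hex case does not matter.
                    if ($expectedSha256) {
                        $actualSha256 = (Get-FileHash -Path $deepBluePath -Algorithm SHA256).Hash
                        if ($actualSha256 -ne $expectedSha256) {
                            throw "DeepBlue.ps1 at $deepBluePath on $env:COMPUTERNAME has SHA-256 $actualSha256, expected $expectedSha256. Refusing to run a modified script."
                        }
                    }

                    # Run DeepBlue.ps1 in a child process with an explicit execution policy
                    # instead of changing this session's policy first. -File keeps
                    # $deepBluePath and $logName plain arguments (never parsed as code);
                    # -NoProfile avoids executing a possibly tampered profile on the target.
                    & powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $deepBluePath -log $logName
                    if ($LASTEXITCODE -ne 0) {
                        Write-Warning "DeepBlue.ps1 on $env:COMPUTERNAME exited with code $LASTEXITCODE."
                    }
                } -ArgumentList $using:LogName, $using:DeepBluePath, $using:ExpectedSha256

                # Emit the per-host header followed by the raw DeepBlueCLI output.
                Write-Output ("DeepBlueCLI analysis for {0} on {1}:" -f $using:LogName, $target)
                Write-Output $result
            }
            catch {
                # One failing host must not abort the other parallel branches.
                Write-Error ("DeepBlueCLI analysis for {0} on {1} failed: {2}" -f $using:LogName, $target, $_.Exception.Message)
            }
        }
    }
}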
# Example invocation. Replace 'win1' with the real target computer name(s);
# each entry in $targets is analyzed in parallel.
$targets = @('win1')
Analyze-EventLogsDeepBlue -ComputerName $targets -LogName 'Security'