Update System EID 104 output for DeepBlue.ps1

Added in functionality for DeepBlue.ps1 to pull "message" field from EVTX log for System EID 104 log clearing events to properly show the correct log file being cleared.
2021-05-05 16:35:17 -04:00
parent c2a3840bae
commit 122d078efe
1 changed files with 3 additions and 3 deletions
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@ -1,4 +1,4 @@
-<#
+<#
 .SYNOPSIS

 A PowerShell module for hunt teaming via Windows event logs
@ -87,7 +87,7 @@ function Main {
            Date    = $event.TimeCreated
            Log     = $logname
            EventID = $event.id
-            Message = ""
+            Message = $event.message
            Results = ""
            Command = ""
            Decoded = ""
@ -405,7 +405,7 @@ function Main {
            ElseIf ($event.id -eq 104){
                # The System log file was cleared.
                $obj.Message = "System Log Clear"
-                $obj.Results = "The System log was cleared."
+                $obj.Results = $event.message
                Write-Output $obj
            }
        }