From 122d078efec38faffed011753b11cc18e0ef298a Mon Sep 17 00:00:00 2001
From: Zach Burnham <39965193+zmbf0r3ns1cs@users.noreply.github.com>
Date: Wed, 5 May 2021 16:35:17 -0400
Subject: [PATCH] Update System EID 104 output for DeepBlue.ps1

Added in functionality for DeepBlue.ps1 to pull "message" field from EVTX log for System EID 104 log clearing events to properly show the correct log file being cleared.
---
 DeepBlue.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index e63f6d6..be734c4 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -1,4 +1,4 @@
-<#
+<#
 .SYNOPSIS
 A PowerShell module for hunt teaming via Windows event logs
@@ -87,7 +87,7 @@ function Main {
 Date = $event.TimeCreated
 Log = $logname
 EventID = $event.id
- Message = ""
+ Message = $event.message
 Results = ""
 Command = ""
 Decoded = ""
@@ -405,7 +405,7 @@ function Main {
 ElseIf ($event.id -eq 104){
 # The System log file was cleared.
 $obj.Message = "System Log Clear"
- $obj.Results = "The System log was cleared."
+ $obj.Results = $event.message
 Write-Output $obj
 }
 }
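Review bot: The `Message = $event.message` change in the object initializer at @@ -87 applies to every event DeepBlue builds an output object for, not only to the System EID 104 case the commit message describes. Branches elsewhere in Main that write `$obj` without first assigning `$obj.Message` (the EID 104 branch does assign it, as the @@ -405 hunk shows) would now emit the full, possibly multi-line event text in a field that otherwise holds a short label, which changes the shape of the tool's output for those events and for anything consuming it as CSV or JSON. If the intent is limited to EID 104, keep `Message = ""` here and rely on the per-branch assignment; otherwise the description should state that the default Message now carries the raw event text. The object initializer begins before the hunk, so I cannot see which fields it contains.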
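Review bot: `$obj.Results = $event.message` at @@ -405 drops the fixed fallback text, but `$event.Message` can be empty or null when the event's provider message resources are not available on the analysis host (a common situation when an exported .evtx is parsed on a different machine), so a log-clearing detection could then be reported with an empty Results field. Keeping the old string as a fallback preserves the previous guarantee: `$obj.Results = if ($event.Message) { $event.Message } else { "The System log was cleared." }`. The surrounding ElseIf chain in Main continues outside the hunk.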