Get-winevent: Difference between revisions

No edit summary   (change visibility)
No edit summary   (change visibility)
Line 53: Line 53:
}
}


</syntaxhighlight>
=hunting logon events=
<syntaxhighlight lang="powershell">
#get all properties of the user to be found
get-aduser $samaccountname -properties * | fl *
#search replication metadata for originating server of the last changed object (logondate or logontimestamp)
get-aduser $samaccountname | Get-ADReplicationAttributeMetadata -IncludeDeletedObjects -server $servername | ft * -auto
#query the found server
$events = get-winevent -FilterHashtable @{logname="security";id=4624;data="$samaccountname"} -ComputerName $originatingserver
#convert the event to something human-readable
ForEach ($Event in $Events) {           
    # Convert the event to XML           
    $eventXML = [xml]$Event.ToXml()           
    # Iterate through each one of the XML message properties           
    For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {           
        # Append these as object properties           
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'           
    }           
}
#try backtracing the ipaddress (probably not possible because otherwise it would be in the event already)
$events | select ipaddress -unique | foreach{ping -a $_.ipaddress}


</syntaxhighlight>
</syntaxhighlight>
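Review bot: The `data="$samaccountname"` entry of the -FilterHashtable in the Get-WinEvent call matches the value against any EventData field of a 4624 event, not only TargetUserName, so the result can also contain logons in which that account was merely the subject (the caller) rather than the account that logged on; once the XML fields have been attached with Add-Member, narrow the set with `$events | Where-Object { $_.TargetUserName -eq $samaccountname }` before reporting. The closing `ping -a` pipeline should skip entries whose IpAddress is empty or "-" (local and console logons carry no network address), e.g. `$events | Select-Object IpAddress -Unique | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } | ForEach-Object { ping -a $_.IpAddress }`, otherwise ping is started with a bogus host name. The loop variable `$Event` also shadows PowerShell's automatic `$Event` variable; a name such as `$evt` avoids the clash.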

Revision as of 10:37, 2 January 2017

# Handy event-ID collections for later -FilterHashtable queries (not consumed by the lines below).
$ID   = @(5150..5159)
$list = @(5123, 123)
# The same 4757 query run against the local Security log and against the log that
# collects events forwarded from other hosts.
Get-WinEvent -FilterHashtable @{ LogName = 'security'; Id = 4757 }
Get-WinEvent -FilterHashtable @{ LogName = 'forwardedevents'; Id = 4757 }
# Free-text search over the rendered message text of an already collected set
# ($all is expected to hold Get-WinEvent output).
$all | Where-Object { $_.Message -like '*searchstring*' } | Format-List Message


# Collect every forwarded event whose event data holds the value "searchstring", then drop the
# high-volume logon/logoff events (4624/4634) so the remaining messages are easy to read.
$test = Get-WinEvent -FilterHashtable @{ LogName = 'forwardedevents'; Data = 'searchstring' }
$test |
    Where-Object { -not (@('4624', '4634') -contains $_.Id) } |
    Format-List Message



# 4724 events from the forwarded log, one line per event.
# Properties[0] and Properties[4] are positional EventData fields; for 4724 these appear to be
# the target account and the subject (calling) account — confirm against a sample event's XML.
$table = Get-WinEvent -ComputerName localhost -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4724 }
$table | ForEach-Object {
    Write-Host $_.Id $_.TimeCreated $_.Properties[0].Value $_.Properties[4].Value
}


# Two sources for the events to enrich: a set collected earlier, or a saved .evtx file.
# NOTE: PowerShell variable names are case-insensitive, so the second assignment replaces the first.
$Events = $fileserversecuritylogs
$events = Get-WinEvent -Path .\securitylog.evtx
ForEach ($Event in $Events) {
    # Parse the event as XML so the EventData <Data Name="..."> elements become addressable.
    $xml  = [xml]$Event.ToXml()
    $data = $xml.Event.EventData.Data
    # Attach every EventData field to the event object as a NoteProperty named after the field;
    # -Force replaces a member that already carries that name.
    For ($idx = 0; $idx -lt $data.Count; $idx++) {
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $data[$idx].Name -Value $data[$idx].'#text'
    }
}

# The attached properties travel with the export (swap in Out-GridView to inspect interactively).
$Events | Export-Csv 'exportsecurity.csv' -Delimiter ';'


# Read a saved Security log from disk (Path instead of LogName) and keep only the 4624 logon events.
Get-WinEvent -FilterHashtable @{ Path = 'C:\Users\mendel\Desktop\New folder\securitylog.evtx'; Id = 4624 }




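# Hunt for NTLM logons in the local Security log.
# The original query read the whole log while indexing EventData by position (5/10/11/18), a layout
# that only holds for 4624 events; restrict the query to 4624 and look the fields up by name instead,
# so the code no longer depends on field order.
$allsecuritylogs = Get-WinEvent -FilterHashtable @{ LogName = 'security'; Id = 4624 }
foreach ($logon in $allsecuritylogs) {
    # Map each <Data Name="..."> element of the event to its text so fields are addressed by name.
    # ($logon rather than $event: $Event is a PowerShell automatic variable.)
    $xml    = [xml]$logon.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    # NTLM authentications report "NTLM" in AuthenticationPackageName.
    if ($fields['AuthenticationPackageName'] -like '*ntlm*') {
        # Emit the matching event object, then a one-line summary for quick reading.
        $logon
        Write-Host $fields['AuthenticationPackageName'] $fields['TargetUserName'] $fields['IpAddress'] $fields['WorkstationName']
    }
}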

hunting logon events

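#get all properties of the user to be found
Get-ADUser $samaccountname -Properties * | Format-List *
#search replication metadata for originating server of the last changed object (logondate or logontimestamp)
Get-ADUser $samaccountname | Get-ADReplicationAttributeMetadata -IncludeDeletedObjects -Server $servername | Format-Table * -Auto
#query the found server
# NOTE: the Data key matches the value against any EventData field, so events in which the account
# is only the subject (caller) come back too; filter on TargetUserName once the fields are attached below.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'security'; Id = 4624; Data = "$samaccountname" } -ComputerName $originatingserver
#convert the event to something human-readable
# ($evt rather than $Event: $Event is a PowerShell automatic variable.)
ForEach ($evt in $events) {
    # Convert the event to XML
    $eventXML = [xml]$evt.ToXml()
    # Iterate through each one of the XML message properties
    For ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
        # Append these as object properties; -Force replaces a member that already carries that name
        Add-Member -InputObject $evt -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].Name -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}
#try backtracing the ipaddress (probably not possible because otherwise it would be in the event already)
# Skip entries without a network address ("-" or empty, as seen for local/console logons)
# so ping is never started with a bogus host name.
$events |
    Select-Object IpAddress -Unique |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    ForEach-Object { ping -a $_.IpAddress }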


http://technet.microsoft.com/en-us/library/hh849682.aspx

http://blogs.technet.com/b/ashleymcglone/archive/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs.aspx