我正在尝试使用 C# .NET Framework 从事件查看器读取 Windows Defender 事件。当我通过解析事件的 XML 来获取 EventData 属性值时,某些属性(例如 Origin Name、Execution Name、Type Name、Action Name)返回的是奇怪的字符串值。
而在事件查看器的常规视图中,这些属性显示的是正确的实际值,如下所示。
这是我用于 xml 数据的代码片段:
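/// <summary>
/// Reads the first Windows Defender event matching a fixed XPath filter from an exported
/// .evtx file, flattens its System and EventData fields into a dictionary and prints it.
/// </summary>
/// <remarks>
/// Fixes relative to the earlier version: the reader and record are disposed; unnamed or
/// repeated &lt;Data&gt; elements no longer throw; and the DetectionOrigin, DetectionType and
/// DetectionSource entries now read the same key they test for (they previously tested one
/// key and read another, so they always printed "NA" or a value from an unrelated field).
/// </remarks>
private static void GetRecordsInfo()
{
    // Exported Defender operational log. The live channel
    // ("Microsoft-Windows-Windows Defender/Operational" with PathType.LogName) works the same way.
    string _channel = @"C:\Users\patilp\Desktop\DefenderLogs.evtx";

    // XPath filter: time window, levels 1-4, the Defender detection/action event IDs,
    // restricted to the Defender provider.
    string query = "Event/System[ TimeCreated[@SystemTime > '2020-07-15T19:08:30.895832100Z' and @SystemTime < '2020-07-15T20:21:30.895832100Z']" +
        " and ((Level=1 or Level=2 or Level=3 or Level=4) and (EventID = 1006 or EventID = 1007 or EventID = 1008 or EventID = 1009 or " +
        "EventID = 1010 or EventID = 1011 or EventID = 1012 or EventID = 1015 or EventID = 1116 or EventID = 1117 or EventID = 1118 or EventID = 1119) and Provider[@Name='Microsoft-Windows-Windows Defender'])]";

    EventLogQuery eventLogQuery = new EventLogQuery(_channel, PathType.FilePath, query);

    // Both types wrap native log handles; release them when done (using tolerates a null record).
    using (EventLogReader eventLogReader = new EventLogReader(eventLogQuery))
    using (EventRecord record = eventLogReader.ReadEvent())
    {
        if (record == null)
        {
            Console.WriteLine("No data found");
            return;
        }

        var _currentEvent = new Dictionary<string, object>();
        _currentEvent["ProviderName"] = record.ProviderName;
        _currentEvent["ProviderEventGuid"] = record.ProviderId;
        _currentEvent["Channel"] = _channel ?? String.Empty;
        _currentEvent["EventID"] = Convert.ToString(record.Id);
        _currentEvent["Level"] = Convert.ToString(record.Level);

        string rawXml = record.ToXml();
        XmlDocument xmlDoc = new XmlDocument();
        // The rendered event XML is self-contained: disable external entity/DTD resolution.
        xmlDoc.XmlResolver = null;
        xmlDoc.LoadXml(rawXml);

        // Index <Data Name="..."> elements by their Name attribute.
        Dictionary<string, string> _EventData = new Dictionary<string, string>();
        foreach (XmlNode node in xmlDoc.GetElementsByTagName("Data"))
        {
            string attr = node.Attributes?["Name"]?.InnerText;
            if (attr == null)
            {
                continue; // an unnamed <Data> element cannot be looked up by name
            }
            // Indexer instead of Add: a repeated Name would otherwise throw; last one wins.
            _EventData[attr] = node.InnerText;
        }

        _currentEvent["ThreatID"] = ValueOrNA(_EventData, "Threat ID");
        _currentEvent["ThreatName"] = ValueOrNA(_EventData, "Threat Name");
        _currentEvent["Severity"] = ValueOrNA(_EventData, "Severity ID");
        _currentEvent["Category"] = ValueOrNA(_EventData, "Category Name");
        _currentEvent["Path"] = ValueOrNA(_EventData, "Path");
        // Previously tested "Origin Name" but read "Detection ID".
        _currentEvent["DetectionOrigin"] = ValueOrNA(_EventData, "Origin Name");
        // Previously tested "Type ID" but read "Threat ID"; "Type Name" parallels the other *Name fields.
        _currentEvent["DetectionType"] = ValueOrNA(_EventData, "Type Name");
        // Previously tested "Source Name" but read "Detection User".
        _currentEvent["DetectionSource"] = ValueOrNA(_EventData, "Source Name");
        _currentEvent["Status"] = ValueOrNA(_EventData, "Status Description");
        _currentEvent["ProcessName"] = ValueOrNA(_EventData, "Process Name");
        _currentEvent["Action"] = ValueOrNA(_EventData, "Action Name");
        _currentEvent["ErrorCode"] = ValueOrNA(_EventData, "Error Code");
        _currentEvent["ErrorDescription"] = ValueOrNA(_EventData, "Error Description");
        _currentEvent["SignatureVersion"] = ValueOrNA(_EventData, "Security intelligence Version");
        _currentEvent["EngineVersion"] = ValueOrNA(_EventData, "Engine Version");

        // NOTE(review): the raw XML of fields such as Origin Name / Type Name / Action Name is
        // not the text Event Viewer shows; FormatDescription() returns the provider-rendered
        // message (null when the provider metadata is unavailable on this machine) — confirm
        // it yields the expected strings for these fields.
        _currentEvent["Description"] = record.FormatDescription() ?? "NA";

        foreach (var item in _currentEvent)
            Console.WriteLine("{0} : {1}",item.Key,item.Value);
    }
}

/// <summary>
/// Returns the value stored under <paramref name="name"/> in <paramref name="data"/>,
/// or "NA" when the key is missing or the value is blank.
/// </summary>
private static string ValueOrNA(Dictionary<string, string> data, string name)
{
    string value;
    if (data.TryGetValue(name, out value) && !string.IsNullOrWhiteSpace(value))
    {
        return value;
    }
    return "NA";
}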
谁能告诉我如何为上述属性获取正确的字符串值?