Hey everyone,
I'm working on a PowerShell script that uses JEA (Just Enough Admin Rights) to help unlock users' ADFS accounts. Now, I need to enhance it by pulling in the IP address and user agent string for lockout incidents from the event logs.
The information I need is recorded in the Security logs, particularly from the AD FS Auditing provider and event ID 1201. I've experimented with various commands using Get-WinEvent, but I'm struggling to extract the , , and from the message field where this data is buried.
Here's the code snippet I'm currently using to query the logs:
```powershell
# -FilterXml expects a full QueryList document, not a bare XPath string
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='AD FS Auditing'] and (EventID=1201)]]</Select>
  </Query>
</QueryList>
"@
$event = Get-WinEvent -FilterXml $query
```
This returns an event that looks like this:
```
ProviderName: AD FS Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
6/25/2025 1:52:50 PM 1201 Information The Federation Service failed to issue a valid token. See XML for failure details.
```
I can see the details in the message but need to find a way to filter this query to one specific user while also pulling out the relevant fields. What can I do to make this happen? Any tips would be greatly appreciated!
2 Answers
The data you need is usually hidden within the XML of the event, so you can use the XML reader to extract it. Try something like this:
```powershell
# Restrict to the AD FS Auditing provider so other 1201 events in Security are not picked up
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1201 }
foreach ($SingleEvent in $events) {
    # ToXml() gives the raw event record; cast it so the EventData nodes are addressable
    $xmldoc = [xml]($SingleEvent.ToXml())
    $data   = $xmldoc.Event.EventData.Data
    [pscustomobject]@{
        UserId    = ($data | Where-Object Name -EQ 'UserId').'#text'
        IpAddress = ($data | Where-Object Name -EQ 'IpAddress').'#text'
        UserAgent = ($data | Where-Object Name -EQ 'UserAgentString').'#text'
    }
}
```
This code should help you get the variables you need out of the XML structure!
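The approach above works when the fields are separate named `<Data>` elements. AD FS 1201 events usually carry the details as a second XML document (an `<AuditBase>` blob) embedded in one `<Data>` element, which is why the message says "See XML for failure details". The following is an added example, not code from the question or the answers: it pulls that embedded document out of the event record, parses it, and returns an object you can filter by user. The element names (`UserId`, `IpAddress`, `UserAgentString`, the `Component` `xsi:type` values) are my assumption about the AD FS audit schema, so confirm them against a real event with `$event.ToXml()` before relying on them; the sample audit at the bottom is constructed, not a real capture.

```powershell
# Added example (not from the original post). Parses the <AuditBase> XML that an
# AD FS 1201 event embeds in its message and exposes the per-request fields.
# Element and xsi:type names are assumed; verify against a live event first.

function ConvertFrom-AdfsAuditXml {
    param([Parameter(Mandatory)][string]$AuditXml)

    $audit      = [xml]$AuditXml
    $components = @($audit.AuditBase.ContextComponents.Component)
    # PowerShell's XML adapter exposes the xsi:type attribute as .type
    $resource = $components | Where-Object type -eq 'ResourceAuditComponent'
    $request  = $components | Where-Object type -eq 'RequestAuditComponent'

    [pscustomobject]@{
        Result      = $audit.AuditBase.AuditResult
        FailureType = $audit.AuditBase.FailureType
        UserId      = $resource.UserId
        IpAddress   = $request.IpAddress
        ForwardedIp = $request.ForwardedIpAddress
        UserAgent   = $request.UserAgentString
        Endpoint    = $request.Endpoint
    }
}

function Get-AdfsAuditXmlFromEvent {
    # Returns the embedded <AuditBase> document from a 1201 EventRecord, or nothing
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $outer = [xml]$Event.ToXml()
        # Unnamed <Data> elements come back as strings, named ones as XmlElements
        foreach ($d in @($outer.Event.EventData.Data)) {
            $text = if ($d -is [string]) { $d } else { $d.'#text' }
            if ($text -match '^\s*<AuditBase') { return $text }
        }
    }
}

# Constructed sample shaped like a failed-token audit; not a real capture
$sampleAudit = @'
<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
  <AuditType>AppToken</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>CredentialValidationError</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>urn:example:app</RelyingParty>
      <UserId>CONTOSO\jdoe</UserId>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>203.0.113.25</IpAddress>
      <ForwardedIpAddress>N/A</ForwardedIpAddress>
      <UserAgentString>Mozilla/5.0 (example)</UserAgentString>
      <Endpoint>/adfs/ls/</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>
'@

# Offline demonstration on the constructed sample
ConvertFrom-AdfsAuditXml -AuditXml $sampleAudit | Format-List

# Against the live Security log, scoped to the AD FS provider and one user:
# $target = 'CONTOSO\jdoe'
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1201 } |
#     ForEach-Object { $x = Get-AdfsAuditXmlFromEvent -Event $_; if ($x) { ConvertFrom-AdfsAuditXml $x } } |
#     Where-Object UserId -eq $target |
#     Select-Object UserId, IpAddress, UserAgent, FailureType
```

Filtering on the parsed `UserId` rather than on the message text keeps the query tied to the AD FS provider and avoids matching unrelated Security events; `ForwardedIpAddress` matters when sign-ins arrive through a Web Application Proxy, since `IpAddress` then holds the proxy rather than the client.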
If you can't find what you need in the XML structure, you can use plain string manipulation on the message field itself. Here's a sample:
```powershell
$a = Get-WinEvent -LogName Security | Select-Object * -First 5
# Take the line containing the label, then keep what follows the last colon
($a[1].Message.Split("`n") | Select-String "Source Network Address").ToString().Split(":")[-1].Trim()
```
This will extract the network address directly from the message. Just make sure you’re querying the correct log and filtering properly!
I need the info to be limited to the specific security log events related to ADFS lockouts, or else the results include a lot of unrelated data.

I've tried this method, but I kept finding the details were still wrapped in the message field, and the split command wasn't separating them correctly. I'm uncertain if I'm missing something or if there’s another approach.