Windows Events: send e-mail
Posted: 2022-Oct-12, 2:32 pm
I've set up a task in Task Scheduler to act upon a series of events triggered by Windows Defender. When triggered, it executes a script to send me an e-mail that there's something going on with Defender. Works fine. Now I want the e-mail to be a bit more informative, like what the event is and what the description for that event is. This is fairly easy in PowerShell, but I don't master that - I'd rather use a cmd script. So I've been fiddling with wevtutil and I've got it to filter out the Event IDs triggering the script. But that lists the complete event. I could include the whole event text in the mail, but I'd rather keep it snappy. Only thing is, I don't know how.
So here's the line filtering out a bunch of events (an event has exactly one ID, so the pairs are joined with "or" here; "and" would never match):

wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /count:1 /rd:true /format:text /q:"*[System[(EventID=1005 or EventID=1015 or EventID=1116 or EventID=1119 or EventID=1127 or EventID=2001 or EventID=2003 or EventID=2006 or EventID=2012 or EventID=3002 or EventID=5001 or EventID=5007 or EventID=5008 or EventID=5010 or EventID=5012 or EventID=5013)]]"

The result could be something like this:

Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 2022-10-12T10:18:34.6960000Z
Event ID: 5001
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: <computername>
Description:
Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.

I would like to have the Event ID (5001) and description (Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled) added to the mail. Any ideas how to do that?
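One way to do this in a cmd script, as an added example that is not part of the original post: it walks the wevtutil text output line by line, keeps the value after "Event ID:" and the first non-blank line after "Description:", and writes only those two lines to a file the existing mail script can pick up. The log name comes from the question; the shortened ID list and the %OUTFILE% hand-off are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion

rem Added example, not from the original post: extract just the Event ID and
rem the Description text of the newest matching Defender event.
rem Assumed: same log as in the question; ID list shortened for brevity.
set "LOG=Microsoft-Windows-Windows Defender/Operational"
set "QUERY=*[System[EventID=5001 or EventID=5010 or EventID=5012 or EventID=5013]]"
set "OUTFILE=%TEMP%\defender_event.txt"

set "EVENTID="
set "DESC="
set "INDESC=0"

rem tokens=* with the default delimiters drops the indent wevtutil puts in
rem front of every "Key: Value" line and skips blank lines entirely.
rem Caveat: a "!" inside the message text would be eaten by delayed expansion.
for /f "usebackq tokens=*" %%L in (`wevtutil qe "%LOG%" /count:1 /rd:true /format:text /q:"%QUERY%"`) do (
    set "LINE=%%L"
    if "!INDESC!"=="1" (
        rem The first non-blank line after "Description:" is the message text.
        set "DESC=!LINE!"
        set "INDESC=0"
    ) else (
        rem "Event ID: 5001" -> keep everything after "Event ID: " (10 chars)
        if "!LINE:~0,9!"=="Event ID:" set "EVENTID=!LINE:~10!"
        if "!LINE:~0,12!"=="Description:" set "INDESC=1"
    )
)

if not defined EVENTID (
    echo No matching Defender event found.
    exit /b 1
)

rem Hand the two values to the mail script via a small text file
rem (OUTFILE and how the mail script reads it are assumptions here).
> "%OUTFILE%" echo Event ID: !EVENTID!
>>"%OUTFILE%" echo Description: !DESC!
type "%OUTFILE%"
endlocal
```

Run it from the same scheduled task just before the mail script, and include the contents of the file in the message body.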