Monitoring events for a specific domain account.
Please run this as a custom monitoring script.
#To define a particular parameter, replace the 'parameterName' inside itsm.getParameter('parameterName') with that parameter's name
import ctypes
import difflib
import errno
import filecmp
import os
import re
import subprocess
import sys
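# Security-log event id to report on (4624 = an account was successfully logged on).
Eventid = 4624
# Account whose logon events are extracted from the Security log.
AccountName = "VulnerabilityScanner"
# Working directory for the baseline (login_old.txt), the snapshot (login_new.txt)
# and the report (Output.txt).
# NOTE(review): by default, standard users may create (and then own) a subdirectory
# under %PROGRAMDATA%. If an unprivileged user can write login_old.txt they can mask
# new events from this check; prefer a location only the monitoring account can write,
# or tighten the ACL on this directory.
workdir = os.environ['PROGRAMDATA'] + r'\c1_temp'
if not os.path.exists(workdir):
    try:
        os.makedirs(workdir)
    except OSError as exc:
        # Tolerate the directory appearing between the exists() check and makedirs()
        # (concurrent starts); any other failure is still raised.
        if exc.errno != errno.EEXIST:
            raise
save_path = workdir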
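def eventid():
    """Return the raw text of Security-log records matching Eventid for AccountName.

    Runs a Get-EventLog pipeline through powershell.exe with WOW64 file-system
    redirection disabled, so a 32-bit Python on 64-bit Windows reaches the native
    System32 powershell.exe. Windows-only (uses ctypes.windll). Reads the
    module-level AccountName and Eventid.

    Returns:
        str: stdout of the PowerShell pipeline, possibly empty; no parsing is done here.
    """
    class disable_file_system_redirection:
        """Context manager that turns off WOW64 file-system redirection for its body."""
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))

        def __exit__(self, exc_type, exc_value, exc_tb):
            # Only revert when disabling succeeded; otherwise old_value is meaningless.
            if self.success:
                self._revert(self.old_value)

    # The previous version first ran "Set-ExecutionPolicy RemoteSigned". That changed the
    # machine-wide policy as a side effect of a monitoring script and is not needed:
    # execution policy governs .ps1 files, not an inline -Command pipeline.
    # re.escape keeps regex metacharacters in the account name from widening the match.
    script = (
        'Get-EventLog -log Security '
        '| Where {$_.message -match "Account Name:\\s*%s"} '
        '| Where {$_.eventid -eq %s}'
    ) % (re.escape(AccountName), Eventid)
    # Passing an argument list (no shell) lets subprocess quote the embedded double
    # quotes and the pipe characters correctly instead of relying on cmd.exe parsing.
    command = ['powershell.exe', '-NoProfile', '-Command', script]
    print(" ".join(command))  # echo the pipeline being run, as before
    with disable_file_system_redirection():
        proc = subprocess.Popen(command, stdout=subprocess.PIPE, universal_newlines=True)
        logs = proc.communicate()[0]
    return logs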
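flag = 0
# Kept for compatibility with earlier revisions; files() returns its own status and
# does not read this name. (The old `global fnd2` at module scope was a no-op.)
fnd2 = 0
# Report file appended to by swchanges() and printed at the end of the run.
out = save_path + "\\Output.txt"
event = eventid()
# Get-EventLog prints one record per blank-line-separated block; keep the non-empty
# blocks, lowercased so the later line diff is insensitive to case differences.
login_event = [chunk.strip().lower() for chunk in event.split("\n\n") if chunk.strip()]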
def alert(arg):
    """Write the status code `arg` three times in a row to stderr (e.g. 0 -> "000").

    Args:
        arg: an integer status; formatted with %d, so non-integers follow %d rules.
    """
    sys.stderr.write("%d" % arg * 3)
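def files(base_dir=None, events=None):
    """Write this run's events and report whether a baseline already existed.

    Args:
        base_dir: directory holding login_old.txt / login_new.txt; defaults to save_path.
        events: iterable of event strings to write; defaults to the module-level login_event.

    Returns:
        1 if login_old.txt (the baseline) existed: `events` are written to login_new.txt,
        one per line. 2 if there was no baseline: an empty baseline (a single newline)
        is created and nothing else is written.
    """
    if base_dir is None:
        base_dir = save_path
    if events is None:
        events = login_event
    old_path = os.path.join(base_dir, "login_old.txt")
    # Directory-listing membership is kept (rather than os.path.exists) so the
    # check stays case-sensitive on the exact file name written below.
    if "login_old.txt" in os.listdir(base_dir):
        with open(os.path.join(base_dir, "login_new.txt"), "w") as fh:
            for entry in events:
                fh.write(str(entry) + '\n')
        return 1
    # First run: seed an empty baseline so the next call can diff against it.
    with open(old_path, "w") as fh:
        fh.write('\n')
    return 2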
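def swchanges(new_path=None, old_path=None, report_path=None):
    """Append lines present in the new snapshot but absent from the baseline to the report.

    Args:
        new_path: this run's snapshot; defaults to save_path\\login_new.txt.
        old_path: the baseline; defaults to save_path\\login_old.txt.
        report_path: report file appended to; defaults to the module-level `out`.

    Returns:
        1 if at least one new line was written to the report, else 0. The section
        header is written on every call, even when nothing is new.
    """
    if new_path is None:
        new_path = save_path + "\\login_new.txt"
    if old_path is None:
        old_path = save_path + "\\login_old.txt"
    if report_path is None:
        report_path = out
    with open(new_path) as fh:
        new_lines = fh.read().splitlines(True)
    with open(old_path) as fh:
        old_lines = fh.read().splitlines(True)
    # Differ marks lines found only in the first sequence with '-'; with the snapshot
    # first, those are the additions relative to the baseline. '+' (baseline-only)
    # and '?' hint lines are ignored.
    flag = 0
    with open(report_path, 'a+') as report:
        report.write("\n********** Newly Added Event logs***********\n")
        for line in difflib.Differ().compare(new_lines, old_lines):
            if line[0] == '-':
                flag = 1
                report.write(line)
    return flag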
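def remove(base_dir=None):
    """Rotate the snapshot into the baseline and delete the report.

    Deletes login_old.txt, renames login_new.txt to login_old.txt, then deletes
    Output.txt. All three are expected to exist (files() and swchanges() create
    them); a missing file raises OSError from the corresponding os call, as before.

    Args:
        base_dir: directory holding the files; defaults to save_path.
    """
    if base_dir is None:
        base_dir = save_path
    old_path = os.path.join(base_dir, "login_old.txt")
    os.remove(old_path)
    # The baseline must be gone first: os.rename cannot overwrite an existing target on Windows.
    os.rename(os.path.join(base_dir, "login_new.txt"), old_path)
    os.remove(os.path.join(base_dir, "Output.txt"))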
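# Main flow: snapshot this run's events, diff against the baseline, report, then rotate.
ki = files()
if ki == 2:
    # First run: files() has just seeded an empty baseline, so calling it again now
    # writes the snapshot (login_new.txt) and every current event is reported as new.
    ki = files()
s = swchanges()
if s == 0:
    # NOTE(review): Eventid 4624 is a successful logon, so the "logon failed" wording
    # does not match what is monitored; the text is kept verbatim for downstream parsers.
    print("No new event for logon failed")
    alert(0)
else:
    with open(out, 'r') as o1:
        for line in o1:
            print(line)
    alert(1)
remove()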