PowerShell parsing Win-Event XML

Question

I've been battling this for a few hours (don't laugh). What I need is REALLY simple, but I just can't get it. I avoid Powershell, but I would really like to add it to my portfolio. Every time I try it, it pisses me off. Anyway...

The Event data is as follows:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          21/10/2020 14:17:13
Event ID:      4725
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      V-XXXXX1.opXXl.local
Description:
A user account was disabled.

Subject:
    Security ID:        OPXXL\w126389
    Account Name:       w126389
    Account Domain:     OPXXL
    Logon ID:       0x43846C4

Target Account:
    Security ID:        OPXXL\nmctest
    Account Name:       nmctest
    Account Domain:     OPXXL
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4725</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-10-21T13:17:13.084423200Z" />
    <EventRecordID>118968190</EventRecordID>
    <Correlation />
    <Execution ProcessID="640" ThreadID="1280" />
    <Channel>Security</Channel>
    <Computer>V-NXXXXX1.oXXl.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">nmctest</Data>
    <Data Name="TargetDomainName">OXXL</Data>
    <Data Name="TargetSid">S-1-5-21-3289407757-3693523607-1375118011-18123</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3289407757-3693523607-1375118011-1134</Data>
    <Data Name="SubjectUserName">w126389</Data>
    <Data Name="SubjectDomainName">OXXXL</Data>
    <Data Name="SubjectLogonId">0x43846c4</Data>
  </EventData>
</Event>



    $events = Get-WinEvent -FilterHashtable @{logname="Security";id=4725}
$event = [xml]$events[0].ToXml()
$eventdate = $event | Select-Object -Expand TimeCreated |ForEach-Object {
    $date = [DateTime]$_
    $date.ToString("yyyy-MM-ddTHH:mm:ss.ffffff")
}
$eventdate + "," + $event.SelectSingleNode("//*[@Name='TargetUserName']")."#text" + ",Account was disabled," + $event.SelectSingleNode("//*[@Name='SubjectUserName']")."#text"

The output is as follows:

PS C:\Windows\system32> C:\Users\w126389\Documents\event logs.ps1
Select-Object : Property "TimeCreated" cannot be found.
At C:\Users\w126389\Documents\event logs.ps1:3 char:23
+ $eventdate = $event | Select-Object -Expand TimeCreated |ForEach-Obje ...
+                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (#document:PSObject) [Select-Object], PSArgumentException
    + FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
 
,nmctest,Account was disabled,w126389

What I'm expecting the output to be is:

2020-10-21 13:17:13,nmctest,Account was disabled,w126389

You can see I'm getting the other fields I need, everything apart from the date!

Any help would be gratefully received.

Thanks.

Answer 1

TimeCreated is a property of the original EventLogRecord object returned by Get-WinEvent:

$eventdate = $events[0].TimeCreated.ToString("yyyy-MM-ddTHH:mm:ss.ffffff")