This PowerShell script can be used on a Windows machine to collect logs for triaging/investigating an event. It can also be run through CrowdStrike RTR to collect logs. The process is automated and zips the files into 1 single folder.
Open a PowerShell session as "Administrator" and run the script.
Add this script to Custom Scripts in the CrowdStrike admin console. Run it from the RTR console with: runscript -CloudFile="Windows-IR-Event-Collection" -Timeout="300"
Then run get "filename", click "Download file" and extract the archive.
Events collected by this script are: local user accounts; running processes with user and image location; outbound connections; client DNS cache; Windows event logs (System, Security, Application); installed software; executables in the Temp and Downloads folders; Chrome and Edge browser history (getting some data, still working on tweaking this); scheduled tasks; Run and RunOnce registry content; services in Auto start mode; local firewall rules and connections; command history. More to be added...
This script automates log creation by creating a directory in the root of C:\ --> "001-2023-event-log-collection".
As always, test this on a non-critical system. This is a simple PowerShell script that collects logs and places them in the root of C:, so please make sure you have enough space. The log collection is small, about 5 MB. The script collects Windows System, Security and Application events, DNS cache, registry, running processes, etc. and more.
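One way to implement the collection described above, written here as an added PowerShell example and not the project's own script. The output folder name is taken from this README; the 5000-event cap per log, the CSV file names and the zip name are assumptions.

```powershell
# Added example of the triage collection described in this README (not the project's script).
# Assumes an elevated session and a writable C:\ root; the folder name comes from the README.
$Out = 'C:\001-2023-event-log-collection'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Local user accounts
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Export-Csv "$Out\local-users.csv" -NoTypeInformation

# Running processes with owning user, image path and command line
Get-CimInstance Win32_Process | ForEach-Object {
    $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{ PID = $_.ProcessId; PPID = $_.ParentProcessId; Name = $_.Name
        User = "$($o.Domain)\$($o.User)"; Path = $_.ExecutablePath; CommandLine = $_.CommandLine }
} | Export-Csv "$Out\processes.csv" -NoTypeInformation

# Established TCP connections (with owning PID) and the DNS client cache
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv "$Out\tcp-established.csv" -NoTypeInformation
Get-DnsClientCache | Select-Object Entry, RecordType, Data | Export-Csv "$Out\dns-cache.csv" -NoTypeInformation

# System, Security and Application event logs; 5000 newest events each is an assumed cap
foreach ($log in 'System', 'Security', 'Application') {
    Get-WinEvent -LogName $log -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
        Export-Csv "$Out\events-$log.csv" -NoTypeInformation
}

# Persistence locations: scheduled tasks, Run/RunOnce keys, auto-start services
Get-ScheduledTask | Select-Object TaskName, TaskPath, State, @{n = 'Action'; e = { $_.Actions.Execute -join ';' } } |
    Export-Csv "$Out\scheduled-tasks.csv" -NoTypeInformation
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $k) { Get-ItemProperty $k | Out-File "$Out\registry-run.txt" -Append }
}
Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' |
    Select-Object Name, State, StartName, PathName | Export-Csv "$Out\services-auto.csv" -NoTypeInformation

# Firewall rules and executables sitting in Temp or Downloads
Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Export-Csv "$Out\firewall-rules.csv" -NoTypeInformation
Get-ChildItem "$env:TEMP", "$env:USERPROFILE\Downloads" -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Export-Csv "$Out\exe-temp-downloads.csv" -NoTypeInformation

# Hash every collected file so the bundle can be verified later, then zip it into one archive
Get-ChildItem $Out -File | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path |
    Export-Csv "$Out\manifest-sha256.csv" -NoTypeInformation
Compress-Archive -Path "$Out\*" -DestinationPath "C:\$($env:COMPUTERNAME)-ir-collection.zip" -Force
```

The SHA-256 manifest is written before zipping so the analyst can confirm nothing in the extracted bundle changed in transit.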