I need to parse the Windows Defender event log. With this command
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.LevelDisplayName -ne "Information" } | Select-Object -ExpandProperty Message
I get this output:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/TFTPD32&threatid=12892&enterprise=0
Name: Trojan:Win32/TFTPD32
ID: 12892
Severity: Severe
Category: Trojan
Path: file:_\\server\share\path\file1.exe::$DATA; file:_\\server\share\path\file2.exe::$DATA; file:_\\server\share\path\file3.exe::$DATA;
Detection Origin: Network share
Detection Type: Concrete
Detection Source: Real-Time Protection
User: DOMAIN\user
Process Name: C:\Windows\SMSProxy\Microsoft.StorageMigration.Proxy.Service.exe
Signature Version: AV: 1.335.1263.0, AS: 1.335.1263.0, NIS: 1.335.1263.0
Engine Version: AM: 1.1.18000.5, NIS: 1.1.18000.5
When there are multiple files and the line starting with Path: is very long, it is truncated. Not the Message property, but only the line. When I view the record using Event Log viewer, the line is complete. Is there a way to get the full length of the line?
I need to get lines with Name: and Path: from the Message property (multi-line string) only.
How can I get it using e.g. RegEx ^\s+(Name|Path): ?
Update:
I mismatched event log records; even in Event Log the Path line is truncated.
The second part of the question remains: How to get only some lines from multiline property?
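
One way to pull only the Name: and Path: lines out of the multi-line Message string, as an added example that is not part of the original post. The helper name Get-DefenderMessageField is hypothetical, and the sample message is constructed from the output shown above so the block runs without access to the event log.

```powershell
# Constructed sample: a shortened copy of the Message text shown in the question.
$sampleMessage = @'
Windows Defender Antivirus has detected malware or other potentially unwanted software.
    Name: Trojan:Win32/TFTPD32
    ID: 12892
    Severity: Severe
    Path: file:_\\server\share\path\file1.exe::$DATA; file:_\\server\share\path\file2.exe::$DATA;
    Detection Origin: Network share
    Process Name: C:\Windows\SMSProxy\Microsoft.StorageMigration.Proxy.Service.exe
'@

function Get-DefenderMessageField {
    # Hypothetical helper: emits one object per message holding the requested fields.
    param(
        [Parameter(ValueFromPipeline)][string]$Message,
        [string[]]$Field = @('Name', 'Path')
    )
    begin {
        # Anchoring at line start keeps "Process Name:" from matching "Name:".
        $alternatives = ($Field | ForEach-Object { [regex]::Escape($_) }) -join '|'
        $pattern = "^\s*($alternatives):\s*(.*)$"
    }
    process {
        $result = [ordered]@{}
        # Message is a single string, so split it into lines before matching.
        foreach ($line in $Message -split '\r?\n') {
            if ($line -match $pattern) {
                $result[$Matches[1]] = $Matches[2].Trim()
            }
        }
        [pscustomobject]$result
    }
}

$hit = $sampleMessage | Get-DefenderMessageField
$hit.Name
# Path holds several entries separated by ';', so print one per line.
$hit.Path -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Against the live log, with the same filter as in the question:
# Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' |
#     Where-Object { $_.LevelDisplayName -ne 'Information' } |
#     Select-Object -ExpandProperty Message | Get-DefenderMessageField
```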