Create logonsessions.ps1

Windows Logon Sessions/logonsessions.ps1

@@ -0,0 +1,13 @@
+################################
+##########
+# Script execution triggered by Wazuh Manager, wodles-command
+# Output converted to JSON and appended to active-responses.log
+##########
+# RUN LOGONSESSIONS AND STORE CSV
+$Sessions_Output_CSV = c:\"Program Files"\Sysinternals\logonsessions.exe  -nobanner -c -p
+# REMOVE SPACES IN CSV HEADER AND CONVERT TO ARRAY
+$Sessions_Output_Array = $Sessions_Output_CSV.PSObject.BaseObject.Trim(' ') -Replace '\s','' | ConvertFrom-Csv
+# GO THRU THE ARRAY, CONVERT TO JSON AND APPEND TO active-responses.log
+Foreach ($item in $Sessions_Output_Array) {
+  echo  $item | ConvertTo-Json -Compress | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
+ }