#
# Get-ADFSFailedLogins.ps1
#
# Simple solution to parse the ADFS events that are specific to failed logins
# and spit out the usernames of those failed logins to a CSV file.
#
# Licensed under the Apache License, v2.0 — https://www.apache.org/licenses/LICENSE-2.0.html.

$adfsServers = @("adfs-server-01", "adfs-server-02")
$csv = "$($env:TEMP)\failedlogins.csv"
$data = @()

$query = @"
<QueryList>
  <Query Id="0" Path="AD FS/Admin">
    <Select Path="AD FS/Admin">*[System[(EventID=342) and TimeCreated[timediff(@SystemTime) &lt;= 43200000]]]</Select>
  </Query>
</QueryList>
"@

foreach($server in $adfsServers) {
    Write-Verbose "Get events from $server..."
    $events = Get-WinEvent -FilterXml $query -ComputerName $server

    foreach($event in $events) {
        Write-Verbose "Split event detail for $($event.TimeCreated)"
        $lines = $event.Message.Split("`r`n")
        $messageDetail = $lines[14]
        $userName = $messageDetail.Split("-")[0]
        Write-Host $userName

        $event | Add-Member -NotePropertyName "username" -NotePropertyValue $userName

        $data += $event
    }
}

$data | Export-Csv -Path $csv -Append -NoTypeInformation