Watchlist loading from report output
I have written the attached Windows PowerShell script to replace the dbUpdate_watchlist.cmd to do two things. The first was to parse the CSV file created by an enVision report and load the data into a Watchlist. And YES, this does overcome the size limits that can be found in the dbUpdate script. This new script is based on creating a Watchlist of terminated employees from Windows Security_642 events of their account being disabled by an admin.
It does require that the Windows .NET Framework and PowerShell be installed on the enVision appliance where reports are generated. This would be on the AS.
I wrote this script to combine functions in one script of parsing the CSV file to remove the double plus load it into a Watchlist, unlike dbUpdate_watchlist, which takes input from a file defined with command-line arguments. But you can probably pull out that which you would need to be a true dbUpdate_watchlist replacement. Or if there is enough demand I could break it out and write a separate script to read a user-created file.
This is my first attempt at PowerShell, so excuse what might not be concise coding.
This is an excellent script and works great; a couple of minor notes though. The script loads the column heading ("UserName") from the report CSV into the watchlist, and it will also load duplicate usernames: if a username is already in the watchlist, it will be loaded again upon execution of the script.
Again, just minor notes, as neither affects the functionality of the alerting, which is all that matters.
I wrote that script for a specific purpose of mine (a once-daily report of terminated employees), so it does not check for dupes, since it's not likely a person is terminated twice in the 30-day timeframe of my watchlist.
There is likely a lot of customizing for your use. My reason for posting it here was to help folks get around the buffer limit of Windows commands.