﻿# Define the look-back windows for the report, in days (1, 7, 15 and 30 days back)
$history = -1, -7, -15, -30   # day offsets added to the current date to get each window start
$Results = @()                # receives one summary entry per look-back window

# Resolve the local machine name through WMI (Win32_ComputerSystem.Name)
$ComputerName = Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty Name

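# Builds one normalized report row from a Security log entry.
#   Entry            - log entry; TimeGenerated, EventID and ReplacementStrings are read
#   Type / Status    - labels stored verbatim in the row
#   UserIndex        - ReplacementStrings index of the account name; the domain
#                      is taken from the following index
#   WorkstationIndex - optional index of the workstation name ("" when omitted)
#   IpIndex          - optional index of the source address ("" when omitted)
# Returns a [pscustomobject] with Date, EventID, Type, Status, User, Domaine,
# Workstation and IP.
function New-SessionRow {
    param(
        $Entry,
        [string]$Type,
        [string]$Status,
        [int]$UserIndex,
        $WorkstationIndex = $null,
        $IpIndex = $null
    )

    $fields = $Entry.ReplacementStrings

    # Indices are tested against $null explicitly: a negative sentinel would
    # silently index from the end of the array in PowerShell.
    $workstation = ""
    if ($null -ne $WorkstationIndex) { $workstation = $fields[$WorkstationIndex] }
    $ip = ""
    if ($null -ne $IpIndex) { $ip = $fields[$IpIndex] }

    [pscustomobject]@{
        Date        = $Entry.TimeGenerated
        EventID     = $Entry.EventID
        Type        = $Type
        Status      = $Status
        User        = $fields[$UserIndex]
        Domaine     = $fields[$UserIndex + 1]
        Workstation = $workstation
        IP          = $ip
    }
}

# Event IDs consumed below: 4624 logon, 4625 failed logon, 4634 logoff,
# 4800 workstation locked, 4801 workstation unlocked.
$sessionEventIds = 4624, 4625, 4634, 4800, 4801

# Produces one summary entry per look-back window in $history and appends it to
# $Results. The Security log is read again for every window.
# NOTE(review): reading the Security log normally requires administrative
# rights. Check that Get-EventLog errors are surfaced by whatever runs this
# script; a failed read would otherwise be reported as zero session time.
# NOTE(review): 4800/4801 are only logged when the "Other Logon/Logoff Events"
# audit subcategory is enabled; without it, lock time counts as active time.
Foreach ($datehistory in $history) {
    $startDate = (Get-Date).AddDays($datehistory)

    # Only the event IDs handled below are requested, so unrelated Security
    # events are not kept in memory.
    $logevents = Get-EventLog -LogName Security -After $startDate -InstanceId $sessionEventIds

    # A List avoids the array copy that "+=" performs on every appended row.
    $Data = New-Object 'System.Collections.Generic.List[object]'

    foreach ($e in $logevents) {
        $f = $e.ReplacementStrings

        switch ($e.EventID) {
            # Logon Successful Events (logon type is read from index 8)
            4624 {
                # Type 2 = interactive. The DWM-n / UMFD-n accounts are
                # excluded so that only user logons are kept.
                if (($f[8] -eq 2) -and ($f[5] -notmatch '(DWM|UMFD)-[0-9]')) {
                    $Data.Add((New-SessionRow -Entry $e -Type 'Connexion Locale' -Status 'Ouverture Session' -UserIndex 5 -WorkstationIndex 11))
                }
                # Type 10 = remote interactive; the source address is kept.
                if ($f[8] -eq 10) {
                    $Data.Add((New-SessionRow -Entry $e -Type 'Connexion Distante' -Status 'Ouverture Session' -UserIndex 5 -WorkstationIndex 11 -IpIndex 18))
                }
            }

            # Logon Failed Events (logon type is read from index 10)
            4625 {
                if ($f[10] -eq 2) {
                    $Data.Add((New-SessionRow -Entry $e -Type 'Connexion Locale' -Status "Échec d’ouverture de session" -UserIndex 5 -WorkstationIndex 13))
                }
                # NOTE(review): Windows logon type 7 is "Unlock", while the
                # successful remote branch above matches type 10
                # (RemoteInteractive). Confirm that 7 is the intended value.
                if ($f[10] -eq 7) {
                    $Data.Add((New-SessionRow -Entry $e -Type 'Connexion Distante' -Status "Échec d’ouverture de session" -UserIndex 5 -WorkstationIndex 13 -IpIndex 19))
                }
            }

            # Unlocked Session
            # NOTE(review): index 4 looks like the session ID for 4800/4801;
            # only the values 1 and 4 are matched, so lock/unlock events of
            # any other session are ignored. Confirm this is intended.
            4801 {
                if (($f[4] -eq 1) -or ($f[4] -eq 4)) {
                    $Data.Add((New-SessionRow -Entry $e -Type 'Déverrouillage' -Status 'Session déverrouillée' -UserIndex 1))
                }
            }

            # Locked Session (same index-4 filter as for 4801)
            4800 {
                if (($f[4] -eq 1) -or ($f[4] -eq 4)) {
                    $Data.Add((New-SessionRow -Entry $e -Type 'Verrouillage' -Status 'Session verrouillée' -UserIndex 1))
                }
            }

            # Closed Session (logon type is read from index 4)
            4634 {
                if (($f[4] -eq 2) -and ($f[1] -notmatch '(DWM|UMFD)-[0-9]')) {
                    $Data.Add((New-SessionRow -Entry $e -Type 'Déconnexion Locale' -Status 'Fermeture session' -UserIndex 1))
                }
                # NOTE(review): type 7 again, labelled as a remote logoff;
                # see the remark on the 4625 branch.
                if ($f[4] -eq 7) {
                    $Data.Add((New-SessionRow -Entry $e -Type 'Déconnexion Distante' -Status 'Fermeture session' -UserIndex 1))
                }
            }
        }
    }

    # Session state is reset for every window; $Session previously kept its
    # value from the preceding window.
    $Session = $null
    $SessionActive = $null
    $SessionInactive = $null
    $SessionTotalTime = [timespan]::Zero

    # Chronological order; rows with the same timestamp and event ID collapse
    # into one.
    $Result = $Data | Sort-Object -Property Date, EventID -Unique

    # Walk the timeline: logon/unlock opens an active period, lock/logoff
    # closes it and adds its length to the total. Rows of all accounts share
    # one timeline. Failed logons (4625) change nothing here, and a period that
    # is still open after the last row contributes nothing.
    foreach ($ligne in $Result) {
        if (($ligne.EventID -eq 4801) -or ($ligne.EventID -eq 4624)) {
            $SessionActive = $ligne.Date
            $Session = $True
        }
        elseif (($ligne.EventID -eq 4800) -or ($ligne.EventID -eq 4634)) {
            $SessionInactive = $ligne.Date
            $Session = $False
        }

        if (($Session -eq $False) -and ($null -ne $SessionActive)) {
            $SessionTotalTime += New-TimeSpan -Start $SessionActive -End $SessionInactive
            # Cleared so that a second close event does not count the period twice.
            $SessionActive = $null
        }
    }

    # The invariant culture keeps "/" as the separator whatever the host's
    # regional settings are.
    $formattedStartDate = $startDate.ToString("dd/MM/yyyy", [System.Globalization.CultureInfo]::InvariantCulture)

    # The total_* values are the components of the accumulated TimeSpan
    # (Days, Hours, Minutes, Seconds), not TotalHours / TotalMinutes.
    $sessionData = @{
        "history_days"    = $datehistory
        "start_date"      = $formattedStartDate
        "total_days"      = "$($SessionTotalTime.Days)"
        "total_hours"     = "$($SessionTotalTime.Hours)"
        "total_minutes"   = "$($SessionTotalTime.Minutes)"
        "total_seconds"   = "$($SessionTotalTime.Seconds)"
        "date_history"    = "$($datehistory)"
    }

    # Add the session data to the main result
    $Results += $sessionData
}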

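# Final JSON structure for WAPT.write_audit_data
# report_date ends with a literal "Z", so the timestamp is converted to UTC
# before formatting (it was previously local time labelled as UTC). The
# invariant culture keeps the ":" separators fixed whatever the host's
# regional settings are.
$finalReport = @{
    "hostname"     = $ComputerName
    "report_date"  = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ", [System.Globalization.CultureInfo]::InvariantCulture)
    "session_data" = $Results
}

# Depth 3 covers: report -> session_data array -> per-window entry.
$finalReport | ConvertTo-Json -Depth 3 -Compress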