Get-WinEvent Obtain Interactive Logon Messages Only

Question

I am attempting to get this PS script going to pull the Security log from multiple machines and only search for the Event ID of 4624 and only show me the logs that contain \

Answer 1

EventRecord.properties have logon type in the list. To filter out successful logon events of interactive logon type for today:

Get-winevent -FilterHashtable @{logname='security'; id=4624; starttime=(get-date).date} | where {$_.properties[8].value -eq 2}