XML tab

Important:
– The XPath queries look at specific locations within the XML structure of an event. If the value
queried (e.g. a computer name or workstation) is not in the specified location, the filter will
not return the event. (These are exact matches, not wildcard searches.)
– Events are often specific to roles (e.g. Domain Controller), depend on the configured log size,
and the audit policies must be configured for the events to be recorded at all.
– Remember to check archived logs as well as the live log.

$LogName = 'System'
$FilterXpath = "*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or EventID=13)]]"
Get-WinEvent -LogName "$LogName" -FilterXPath "$FilterXpath" -MaxEvents 6 | fl

<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*</Select>
</Query>
</QueryList>

Security Events:

###XPath ##XPath-Authentication-SmartCard
Smart Card Authentication
*[EventData[Data[@Name="PreAuthType"]="15"]]

Smart Card Authentication, Success
*[System[(EventID="4768")]][EventData[Data[@Name="PreAuthType"]="15"]]

Smart Card Authentication, Failure
*[System[(EventID="4771")]][EventData[Data[@Name="PreAuthType"]="15"]]

###XPath ##AuditFailure ##Failure
*[System[band(Keywords,4503599627370496)]]

# Failure and Last Hour
*[System[band(Keywords,4503599627370496) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]

###XPath ##Keywords ##AuditFailure ##Failure
# Failure or Success and Last Hour
*[System[band(Keywords,13510798882111488) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]

Keywords
Failure               4503599627370496
Success               9007199254740992
Failure and Success  13510798882111488
Classic              36028797018963968
Correlation Hint     18014398509481984
Response Time          281474976710656
SQM                   2251799813685248
WDI Diag              1125899906842624
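The following PowerShell is an added example, not part of the original notes: it runs the Audit Failure / last-hour filter from above against the live Security log via a QueryList, then applies the same Keywords filter to archived .evtx files (the archive directory C:\Archive\Security is an assumed path) and lists the exact TargetUserName values found, since the XPath match is literal.

```powershell
# Added example (not from the original notes). Assumes archived logs are exported .evtx
# files under C:\Archive\Security (hypothetical path) and that the caller can read Security.
$LogName    = 'Security'
$ArchiveDir = 'C:\Archive\Security'

# Audit Failure keyword (4503599627370496) in the last hour, the same XPath as in the notes.
# Inside XML the comparison operator is escaped as &lt;= , exactly as in the XML tab.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[band(Keywords,4503599627370496) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
  </Query>
</QueryList>
"@

# Live log. Get-WinEvent raises a non-terminating error when nothing matches, so
# suppress it and treat the result as an empty set rather than as a failure.
$live = Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue
"Live $LogName audit failures in the last hour: $(@($live).Count)"

# Archived logs: -Path replaces the Path attribute, and -FilterXPath is applied per file.
# timediff() is measured from "now", so for old archives drop it (as here) or use a fixed
# window such as TimeCreated[@SystemTime >= '2024-01-01T00:00:00.000Z'].
$ArchiveXPath = "*[System[band(Keywords,4503599627370496)]]"
Get-ChildItem -Path $ArchiveDir -Filter '*.evtx' -ErrorAction SilentlyContinue | ForEach-Object {
    $hits = Get-WinEvent -Path $_.FullName -FilterXPath $ArchiveXPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        File     = $_.Name
        Failures = @($hits).Count
        # TargetUserName is compared literally by XPath; listing the distinct values
        # shows which spelling/format (e.g. user vs user@domain) is actually in the log.
        Accounts = (@($hits) | ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object Name -eq 'TargetUserName' |
                Select-Object -ExpandProperty '#text'
        } | Sort-Object -Unique) -join ','
    }
} | Format-Table -AutoSize
```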

###XPath ##XPath-Authentication-KDC
Key Distribution Center (KDC) issues affecting Smart Card Logon
*[System[Provider[@Name='Microsoft-Windows-Kerberos-Key-Distribution-Center'] and (EventID=19 or EventID=29)]]

###XPath ##XPath-Authentication-NTLM
Events listing NTLM for the Authentication Package Name
*[EventData[Data[@Name="AuthenticationPackageName"] ="NTLM"]]

###XPath ##XPath-Authentication-Kerberos
~Implies Kerberos
*[EventData[Data[@Name="AuthenticationPackageName"] ="negotiate" and Data[@Name="KeyLength"] = "0"]] or
*[EventData[Data[@Name="AuthenticationPackageName"] ="Kerberos" and Data[@Name="KeyLength"] = "0"]]

*[System[(EventID=4768)]][EventData[Data[@Name='Status'] = '0x42']]

# An example matching on the Execution element (process and thread that logged the event)
*[System[Execution[@ProcessID='704' and @ThreadID='4520']]]

###XPath ##IpAddress ##Not
*[EventData[Data[@Name="IpAddress"]!="185.243.96.63"]]

###############################
##current

*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]][EventData[Data[@Name="TargetUserName"] ="vvdttdm_nb"]] or
*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]][EventData[Data[@Name="TargetUserName"] ="vvttadm@vVette.com"]] or
*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]][EventData[Data[@Name="TargetUserName"] ="vvttdadm"]]