XML tab
Important:
– The XPath queries look at specific locations within the XML format. Therefore, if the value
queried (i.e. computer name or workstation) is not in the specified location, the filter will
not return the event. (These are not wildcard searches.)
– Events are often specific to roles (i.e. Domain Controller), dependent upon log size, and policies
must be configured to audit the events.
– Remember to check archived logs.
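The third note above is the one most often skipped in practice: once a log has rolled over, the live channel no longer holds the event and only the archived .evtx copies do. The helper below is an added example (my own code, not part of the original cheat sheet) that runs one XPath filter against the live log and then against every archived copy of that log. The function and parameter names (Search-EventXPath, -ArchiveFolder), the default archive folder and the Archive-<LogName>-*.evtx naming pattern are assumptions for illustration; the XPath used in the usage line is the smart card logon success query from this page.

```powershell
# Added example (my own helper, not part of the original cheat sheet).
# Runs one XPath filter against the live log and then against every archived
# .evtx copy of it, because a rolled-over log no longer holds older events.
# Names (Search-EventXPath, -ArchiveFolder), the default folder and the
# Archive-<LogName>-*.evtx pattern are assumptions.
function Search-EventXPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $XPath,
        [string] $LogName = 'Security',
        # Folder holding archived logs written by "Archive the log when full"
        # (assumed default location and file naming).
        [string] $ArchiveFolder = "$env:SystemRoot\System32\winevt\Logs",
        [int]    $MaxEvents = 50
    )

    # Get-WinEvent raises NoMatchingEventsFound when a filter hits nothing;
    # treat that as an empty result rather than as a failure of the hunt.
    function Invoke-Filtered([hashtable] $Target, [string] $Label) {
        try {
            Get-WinEvent @Target -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Source      = $Label
                        TimeCreated = $_.TimeCreated
                        Id          = $_.Id
                        Provider    = $_.ProviderName
                        Message     = $_.Message
                    }
                }
        } catch {
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
        }
    }

    # 1. Live log (same -FilterXPath syntax as in the queries on this page)
    Invoke-Filtered -Target @{ LogName = $LogName } -Label $LogName

    # 2. Archived copies of that log, oldest first; -Path takes the same XPath
    if (Test-Path -LiteralPath $ArchiveFolder) {
        Get-ChildItem -LiteralPath $ArchiveFolder -Filter "Archive-$LogName-*.evtx" |
            Sort-Object LastWriteTime |
            ForEach-Object {
                Invoke-Filtered -Target @{ Path = $_.FullName } -Label $_.Name
            }
    }
}

# Usage: the "Smart Card Authentication, Success" query from the list on this page
Search-EventXPath -LogName Security -MaxEvents 20 `
    -XPath '*[System[(EventID="4768")]][EventData[Data[@Name="PreAuthType"]="15"]]' |
    Format-Table Source, TimeCreated, Id -AutoSize
```

The Source column tells you whether a hit came from the live channel or from an archive file, which matters when building a timeline. Because the filter itself is unchanged between the two passes, the first note above still applies: a value that sits in a different element than the one the XPath names will be missed in the archives exactly as it is in the live log.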
PowerShell example (Get-WinEvent with an XPath filter):

$LogName = 'System'
$FilterXpath = "*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or EventID=13)]]"
Get-WinEvent -LogName "$LogName" -FilterXPath "$FilterXpath" -MaxEvents 6 | fl

QueryList form (as shown on the XML tab):

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
  </Query>
</QueryList>

Security Events:

###XPath ##XPath-Authentication-SmartCard
Smart Card Authentication
*[EventData[Data[@Name="PreAuthType"]="15"]]
Smart Card Authentication, Success
*[System[(EventID="4768")]][EventData[Data[@Name="PreAuthType"]="15"]]
Smart Card Authentication, Failure
*[System[(EventID="4771")]][EventData[Data[@Name="PreAuthType"]="15"]]

###XPath ##AuditFailure ##Failure
*[System[band(Keywords,4503599627370496)]]
# Failure and Last Hour
*[System[band(Keywords,4503599627370496) and TimeCreated[timediff(@SystemTime) <= 3600000]]]

###XPath ##Keywords ##AuditFailure ##Failure
# Failure or Success and Last Hour
*[System[band(Keywords,13510798882111488) and TimeCreated[timediff(@SystemTime) <= 3600000]]]

Keywords (decimal values for use with band()):
Failure              4503599627370496
Success              9007199254740992
Failure and Success  13510798882111488
Classic              36028797018963968
Correlation Hint     18014398509481984
Response Time        281474976710656
SQM                  2251799813685248
WDI Diag             1125899906842624

###XPath ##XPath-Authentication-KDC
Key Distribution Center (KDC) issues affecting Smart Card Logon
*[System[Provider[@Name='Microsoft-Windows-Kerberos-Key-Distribution-Center'] and (EventID=19 or EventID=29)]]

###XPath ##XPath-Authentication-NTLM
Events listing NTLM as the Authentication Package Name
*[EventData[Data[@Name="AuthenticationPackageName"]="NTLM"]]

###XPath ##XPath-Authentication-Kerberos
~Implies Kerberos
*[EventData[Data[@Name="AuthenticationPackageName"]="negotiate" and Data[@Name="KeyLength"]="0"]]
or
*[EventData[Data[@Name="AuthenticationPackageName"]="Kerberos" and Data[@Name="KeyLength"]="0"]]
*[System[(EventID=4768)]][EventData[Data[@Name='Status']='0x42']]

# An example under Execution
*[System[Execution[@ProcessID='704' and @ThreadID='4520']]]

###XPath ##IpAddress ##Not
*[EventData[Data[@Name="IpAddress"]!="185.243.96.63"]]

###############################
##current
*[System[TimeCreated[timediff(@SystemTime) <= 3600000]]][EventData[Data[@Name="TargetUserName"]="vvdttdm_nb"]]
or
*[System[TimeCreated[timediff(@SystemTime) <= 3600000]]][EventData[Data[@Name="TargetUserName"]="vvttadm@vVette.com"]]
or
*[System[TimeCreated[timediff(@SystemTime) <= 3600000]]][EventData[Data[@Name="TargetUserName"]="vvttdadm"]]
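The Keywords table and the QueryList form above are the two pieces people most often get wrong by hand: the 17-digit masks are easy to mistype, and an XPath pasted into a QueryList must have its "<=" escaped as "&lt;=". The following is an added example (my own helpers, not part of the original cheat sheet) that builds the band()/timediff() filter from the table's values and wraps any XPath from this page in a QueryList so it can run over several logs at once. Function and parameter names (New-KeywordXPath, New-EventQueryList, -Within, -EventId) are assumptions; the mask values are the ones listed above.

```powershell
# Added example (my own helpers, not part of the original cheat sheet).
# Builds the band()/timediff() filter from the Keywords table above instead of
# hand-typing the masks, and wraps an XPath in the QueryList form the XML tab
# shows so the same filter can run across several logs. Names are assumed.
function New-KeywordXPath {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Failure','Success','Classic','CorrelationHint','ResponseTime','SQM','WDIDiag')]
        [string[]]  $Keyword,
        [timespan]  $Within = [timespan]::FromHours(1),   # lookback window
        [int[]]     $EventId                               # optional EventID list
    )
    # Decimal masks exactly as listed on this page. Each is a single bit, so
    # combining Failure and Success with -bor gives 13510798882111488.
    $mask = @{
        Failure         = 4503599627370496
        Success         = 9007199254740992
        Classic         = 36028797018963968
        CorrelationHint = 18014398509481984
        ResponseTime    = 281474976710656
        SQM             = 2251799813685248
        WDIDiag         = 1125899906842624
    }
    [long] $bits = 0
    foreach ($k in $Keyword) { $bits = $bits -bor $mask[$k] }

    # timediff(@SystemTime) is measured in milliseconds, hence 3600000 for one hour
    $ms = [long] $Within.TotalMilliseconds
    $terms = @("band(Keywords,$bits)", "TimeCreated[timediff(@SystemTime) <= $ms]")
    if ($EventId) {
        $terms += '(' + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ')'
    }
    return "*[System[$($terms -join ' and ')]]"
}

function New-EventQueryList {
    param(
        [Parameter(Mandatory)] [string[]] $LogName,
        [Parameter(Mandatory)] [string]   $XPath
    )
    # Inside XML the "<=" of timediff() must become "&lt;=", which is what
    # Escape() does and what the XML tab itself displays.
    $sel = [System.Security.SecurityElement]::Escape($XPath)
    $nl  = "`n"
    $queries = for ($i = 0; $i -lt $LogName.Count; $i++) {
        $log = [System.Security.SecurityElement]::Escape($LogName[$i])
        '  <Query Id="{0}" Path="{1}"><Select Path="{1}">{2}</Select></Query>' -f $i, $log, $sel
    }
    return "<QueryList>$nl$($queries -join $nl)$nl</QueryList>"
}

# Usage: audit failures or successes in the last hour, Security log only ...
$xpath = New-KeywordXPath -Keyword Failure,Success -Within ([timespan]::FromHours(1))
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 20 | Format-List TimeCreated, Id, Message

# ... and the same filter across Security and System through a QueryList
$xml = [xml](New-EventQueryList -LogName Security,System -XPath $xpath)
Get-WinEvent -FilterXml $xml -MaxEvents 20 | Format-Table LogName, TimeCreated, Id -AutoSize
```

With Failure and Success and a one-hour window, New-KeywordXPath returns `*[System[band(Keywords,13510798882111488) and TimeCreated[timediff(@SystemTime) <= 3600000]]]`, the same string as the "Failure or Success and Last Hour" entry above; adding `-EventId 4768,4771` appends `(EventID=4768 or EventID=4771)` in the style of the KDC query. Keep in mind the second note at the top of the page: a band() match only tells you the audit subcategory produced an event, so the audit policy still has to be enabled for the events to exist at all.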
