XPath query examples
Use the following XPath examples as a reference when you create your own queries. They cover monitoring events for a specific user, retrieving credential validation and account management events from the Security log, and reading the DNS Server analytic and Sysmon channels.
For more information about XPath queries against Windows event logs, see the Microsoft documentation on event selection.
Example: Monitoring events for a specific user
In this example, the query retrieves Information-level events (Level=4, plus Level=0 for events logged without an explicit level) from the Application, Security, Setup, and System logs for the built-in Guest account. The UserID attribute of the Security element is the SID of the account that the event was logged under. The Guest account always has the relative identifier 501, so only the domain or computer portion of the SID (S-1-5-21-...) changes between systems; replace it with the value for your environment. Because the Path attribute is set on each Select element, the query searches all four logs in one request.
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="Security">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="Setup">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="System">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
  </Query>
</QueryList>
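The following PowerShell script is an added example and is not part of the original page. It shows how to test the query above from an elevated prompt: it resolves an account name to its SID so the SID is not hard-coded, generates one Select element per log, and runs the result with Get-WinEvent -FilterXml. The account name, the list of logs, and the MaxEvents limit are assumptions that you should change for your environment; reading the Security log requires administrative rights.

```powershell
# Added example (not from the original page): build the per-user QueryList for a
# named account and run it with Get-WinEvent. Account, logs and MaxEvents are
# assumptions for illustration.
param(
    [string]$Account = "$env:COMPUTERNAME\Guest",
    [string[]]$Logs = @('Application', 'Security', 'Setup', 'System'),
    [int]$MaxEvents = 50
)

# Resolve the account name to its SID (for example S-1-5-21-...-501 for Guest)
# so the query does not hard-code a value that differs on every system.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# One <Select> per log, each with the same Level and UserID predicate.
$selects = foreach ($log in $Logs) {
    "    <Select Path=`"$log`">*[System[(Level=4 or Level=0) and Security[@UserID='$sid']]]</Select>"
}

$query = @"
<QueryList>
  <Query Id="0" Path="$($Logs[0])">
$($selects -join "`n")
  </Query>
</QueryList>
"@

try {
    Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction Stop |
        Select-Object TimeCreated, LogName, Id, UserId, Message
}
catch {
    # Get-WinEvent throws when nothing matches; report that case instead of failing.
    if ($_.Exception.Message -like '*No events were found*') {
        Write-Warning "No events for $Account ($sid) in: $($Logs -join ', ')"
    } else {
        throw
    }
}
```

Run the script as is to check the Guest account, or pass -Account 'CONTOSO\svc-backup' to monitor another account. If the query returns nothing, confirm that the account has actually generated events and that auditing for the relevant categories is enabled, because an empty result and a wrong SID look identical.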
Example: Credential validation for Windows Server 2008 and later
In this example, the query retrieves event IDs 4776 and 4777 from the Security log: the Information-level events that record NTLM credential validation on Windows Server 2008 and later. These events are logged on the computer that is authoritative for the credentials, which is a domain controller for domain accounts and the local computer for local accounts. Because the query is XML, the less-than operator in the range check must be written as &lt;.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=4 or Level=0) and
      ( (EventID >= 4776 and EventID &lt;= 4777) )]]</Select>
  </Query>
</QueryList>
ID | Description |
---|---|
4776 | The computer attempted to validate the credentials for an account. |
4777 | The domain controller failed to validate the credentials for an account. |
Note that in practice failed validations appear as event 4776 with a nonzero error code in the event data (for example 0xC000006A for a wrong password); Microsoft documents event 4777 as defined but not currently generated, so a detection rule that relies on 4777 alone will not fire.
Example: Retrieving account management events from a specific computer
In this example, the query retrieves user and computer account management events from the Security log of a single computer. The Computer element holds the name of the computer that logged the event; the example uses the fictional name Password_DB for a server that hosts a password database. Replace it with the name exactly as it appears in the Computer field of your events (the fully qualified name for a domain-joined computer). As in the previous example, the less-than operator is written as &lt; because the query is XML.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Computer='Password_DB') and
      (Level=4 or Level=0) and (EventID=4720 or (EventID >= 4722
      and EventID &lt;= 4726) or (EventID >= 4741 and EventID
      &lt;= 4743) )]]</Select>
  </Query>
</QueryList>
ID | Description |
---|---|
4720 | A user account was created. |
4722 | A user account was enabled. |
4723 | An attempt was made to change an account's password. |
4724 | An attempt was made to reset an account's password. |
4725 | A user account was disabled. |
4726 | A user account was deleted. |
4741 | A computer account was created. |
4742 | A computer account was changed. |
4743 | A computer account was deleted. |
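The following PowerShell script is an added example and is not part of the original page. It runs the account management query above against a named computer, restricts it to a recent time window with the timediff function, and reads the actor and target accounts from the EventData section of each event rather than from the rendered message, whose wording varies between Windows versions. The computer name and the 24-hour window are assumptions; the Subject* and Target* field names are the ones Windows uses for these event IDs.

```powershell
# Added example (not from the original page): run the account-management query
# for one computer and extract actor/target from EventData. Computer name and
# time window are assumptions for illustration.
param(
    [string]$Computer = 'Password_DB',
    [int]$Hours = 24
)

$ids = @(4720, 4722, 4723, 4724, 4725, 4726, 4741, 4742, 4743)
$idClause = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
$windowMs = $Hours * 3600 * 1000   # timediff() works in milliseconds

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(Computer='$Computer') and (Level=4 or Level=0) and ($idClause)
        and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@

$descriptions = @{
    4720 = 'User account created';     4722 = 'User account enabled'
    4723 = 'Password change attempted'; 4724 = 'Password reset attempted'
    4725 = 'User account disabled';    4726 = 'User account deleted'
    4741 = 'Computer account created'; 4742 = 'Computer account changed'
    4743 = 'Computer account deleted'
}

Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | ForEach-Object {
    # EventData is a list of <Data Name="..."> elements; index it by Name.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Action   = $descriptions[$_.Id]
        Actor    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Target   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Computer = $_.MachineName
    }
}
```

Pipe the output to Where-Object to spot the cases worth a closer look, for example a 4724 password reset where Actor and Target differ, or a 4720 followed within minutes by a 4726 for the same Target, which is a common pattern for a throwaway account.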
Example: Retrieving DNS analytic logs
In this example, the query retrieves all events from the DNS Server analytic channel. Analytic channels are disabled by default and are hidden in Event Viewer until you select Show Analytic and Debug Logs, so enable the channel (for example with wevtutil sl Microsoft-Windows-DNSServer/Analytical /e:true) before you query it, or the query returns nothing. Analytic channels can only be read in the forward direction, which is why tools such as Get-WinEvent require the -Oldest parameter for this log.
<QueryList>
<Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical">
<Select Path="Microsoft-Windows-DNSServer/Analytical">*</Select>
</Query>
</QueryList>
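The following PowerShell script is an added example and is not part of the original page. It checks whether the DNS Server analytic channel is enabled, enables it with wevtutil if necessary, runs the query above with the -Oldest parameter that analytic channels require, and then restores the channel to its previous state. The MaxEvents limit is an assumption; the script must run on a DNS server from an elevated prompt.

```powershell
# Added example (not from the original page): enable the DNS analytic channel
# if needed, read it forward-only, and restore its previous state. MaxEvents is
# an assumption for illustration.
$channel = 'Microsoft-Windows-DNSServer/Analytical'

# Analytic channels are off by default; remember the state so it can be restored.
$wasEnabled = (Get-WinEvent -ListLog $channel -ErrorAction Stop).IsEnabled
if (-not $wasEnabled) {
    wevtutil sl $channel /e:true
    Write-Host "Enabled $channel; generate some DNS traffic, then re-run to see events."
}

$query = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <Select Path="$channel">*</Select>
  </Query>
</QueryList>
"@

try {
    # Analytic channels can only be read in the forward direction, hence -Oldest.
    Get-WinEvent -FilterXml $query -Oldest -MaxEvents 20 -ErrorAction Stop |
        Select-Object TimeCreated, Id, Message
}
catch {
    if ($_.Exception.Message -like '*No events were found*') {
        Write-Warning "The channel is empty; it only records events while enabled."
    } else {
        throw
    }
}
finally {
    # Leave the channel as it was found so the check has no lasting side effect.
    if (-not $wasEnabled) { wevtutil sl $channel /e:false }
}
```

If you intend to collect this channel permanently, leave it enabled and size it appropriately: analytic logging of every query on a busy DNS server produces a large volume of events.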
Example: Retrieving events with Sysinternals Sysmon
In this example, the query retrieves every event that Sysinternals Sysmon writes to its channel, Microsoft-Windows-Sysmon/Operational. The channel exists only after Sysmon is installed, and which event types it contains (process creation, network connections, file creation, and so on) depends on the Sysmon configuration file in use.
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
</QueryList>
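The following PowerShell script is an added example and is not part of the original page. Instead of selecting every Sysmon event, it shows how to narrow the channel to two event types and filter on EventData fields directly in XPath: process creation (Sysmon event ID 1) where the image is PowerShell, and network connections (event ID 3) to a given destination port. Multiple Select elements in one Query are combined with OR. The image path, the port, and the MaxEvents limit are assumptions for illustration; the field names Image, CommandLine, DestinationIp and DestinationPort are the ones Sysmon uses.

```powershell
# Added example (not from the original page): filter the Sysmon channel on
# EventData fields in XPath. Image path, port and MaxEvents are assumptions.
$channel = 'Microsoft-Windows-Sysmon/Operational'
$image   = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$port    = 4444

$query = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <!-- Event 1: process creation where the image is PowerShell -->
    <Select Path="$channel">
      *[System[EventID=1] and EventData[Data[@Name='Image']='$image']]
    </Select>
    <!-- Event 3: network connections to the port, from any process -->
    <Select Path="$channel">
      *[System[EventID=3] and EventData[Data[@Name='DestinationPort']='$port']]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $query -MaxEvents 100 -ErrorAction SilentlyContinue | ForEach-Object {
    # Index the <Data Name="..."> elements so fields can be read by name.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Image  = $data['Image']
        Detail = if ($_.Id -eq 1) { $data['CommandLine'] }
                 else { "$($data['DestinationIp']):$($data['DestinationPort'])" }
    }
}
```

Pushing the field comparison into the XPath, as shown here, is cheaper than selecting * and filtering afterwards, because the event log service evaluates the predicate before any event is rendered or returned. The same EventData[Data[@Name='...']='...'] form works for any provider whose events carry named data fields.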