
XPath AND question

Posted: Sat Apr 08, 2017 11:24 am
by AUser
Hello,

I hope someone can assist me in this forum,

I use the Windows operating system and PowerShell (script/shell language). Some of the commands (known as cmdlets) have the option to pass them an XPath string when they perform their actions, for example filtering the Windows Security log for certain information.

One such command is get-WinEvent -LogName Security -FilterXPath <your XPATH string here>

One of my XPATH string is as follows

*[System[(EventID=4624)]]

This returns any entry in the log (which of course is in XML format) which has the EventID equal to 4624.

Another of my XPath strings is as follows

*[EventData[(Data[@Name='TargetUserName'] = 'MrUser')]]

The above will return an entry from the log where the TargetUserName equals MrUser.

Question:
What I want to do is combine the two XPath strings into one, so that when I search the log both of the above must be true and therefore only data meeting both criteria will be returned from the log.

Below is a typical entry from the security log, any help most appreciated :)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4799</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2017-04-08T08:21:20.606798800Z" />
    <EventRecordID>86049</EventRecordID>
    <Correlation ActivityID="{3FC9E59D-A9F5-0000-B3E5-C93FF5A9D201}" />
    <Execution ProcessID="824" ThreadID="7100" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-N58I331</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-N58I331$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="CallerProcessId">0x998</Data>
    <Data Name="CallerProcessName">C:\Windows\System32\consent.exe</Data>
  </EventData>
</Event>

Re: XPath AND question

Posted: Mon Apr 10, 2017 2:35 pm
by adrian
Hi,

Assuming the PowerShell command supports complex XPath, you just need to combine the two conditions with an "and" between them:


*[System[(EventID=4624)] and EventData[(Data[@Name='TargetUserName'] = 'MrUser')]]
Regards,
Adrian
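The combined filter from the answer above, as an added PowerShell example that is not part of the original thread. It first exercises the exact same XPath string offline against a small constructed XML document (three made-up events, only one of which satisfies both conditions) so the "and" logic can be checked without touching the live log, and then runs it against the Security log with Get-WinEvent. The sample events, the record IDs and the user name MrUser are constructed for illustration.

```powershell
# Added example, not code from the original thread. Both conditions joined by XPath 'and',
# checked offline first against constructed events, then run against the live Security log.

$xpath = "*[System[(EventID=4624)] and EventData[(Data[@Name='TargetUserName'] = 'MrUser')]]"

# Constructed sample: only record 1 is a 4624 *and* has TargetUserName = MrUser.
# The xmlns is left off on purpose so the unprefixed XPath works in .NET's SelectNodes;
# the event log engine itself matches element names without a namespace prefix.
[xml]$sample = @"
<Events>
  <Event>
    <System><EventID>4624</EventID><EventRecordID>1</EventRecordID></System>
    <EventData><Data Name="TargetUserName">MrUser</Data><Data Name="LogonType">2</Data></EventData>
  </Event>
  <Event>
    <System><EventID>4624</EventID><EventRecordID>2</EventRecordID></System>
    <EventData><Data Name="TargetUserName">OtherUser</Data><Data Name="LogonType">3</Data></EventData>
  </Event>
  <Event>
    <System><EventID>4799</EventID><EventRecordID>3</EventRecordID></System>
    <EventData><Data Name="TargetUserName">MrUser</Data></EventData>
  </Event>
</Events>
"@

# Anchor the pattern under the root so each <Event> is the context node, which is how
# Get-WinEvent evaluates '*[...]' against the log. ($matches is avoided: it is an automatic variable.)
$hits = $sample.SelectNodes("/Events/$xpath")
"Offline check: $($hits.Count) of $($sample.Events.Event.Count) constructed events match"
$hits | ForEach-Object { "  matched EventRecordID " + $_.System.EventRecordID }   # only record 1

# Helper: pull one named <Data> field out of a live EventLogRecord via its XML.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record, [string]$Name)
    ([xml]$Record.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

# Live query. Reading the Security log needs an elevated shell. -MaxEvents keeps a first run
# cheap; Get-WinEvent raises a non-terminating 'No events were found' error when nothing
# matches, which -ErrorAction SilentlyContinue turns into an empty result instead of red text.
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'TargetUserName'; e = { Get-EventDataField $_ 'TargetUserName' } },
        @{ n = 'LogonType';      e = { Get-EventDataField $_ 'LogonType' } }
```

Two practitioner notes. The event log's XPath is a restricted subset of XPath 1.0, not the full language: `and`, `or`, comparisons and a handful of functions such as `timediff` are accepted, so a third condition limiting the search to the last 24 hours can be added to the same `System[...]` predicate as `TimeCreated[timediff(@SystemTime) <= 86400000]`, but general XPath functions will be rejected. And a mistyped field name inside `Data[@Name='...']` does not produce an error, only an empty result, which is why running the filter against a constructed sample first is a cheap way to catch a typo before deciding the log really contains no such logons.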

Re: XPath AND question

Posted: Mon Apr 10, 2017 4:46 pm
by AUser
Thanks Adrian

Worked a treat :)

Also, I just bought a book on XPath as I need to learn more.

Thanks again

AUser