XPath AND question
Posted: Sat Apr 08, 2017 11:24 am
Hello,
I hope someone can assist me in this forum.
I use the Windows operating system and PowerShell (a script/shell language). Some of the commands (known as cmdlets) have the option to pass them an XPath string when they perform their actions, for example filtering the Windows Security log for certain information.
One such command is get-WinEvent -LogName Security -FilterXPath <your XPATH string here>
One of my XPath strings is as follows:
*[System[(EventID=4624)]]
This returns any entry in the log (which of course is in XML format) which has the EventID equal to 4624.
Another of my XPath strings is as follows:
*[EventData[(Data[@Name='TargetUserName'] = 'MrUser')]]
The above will return any entry from the log where the TargetUserName equals MrUser.
Question:
What I want to do is combine two XPath strings into one, so that when I search the log both of the above must be true and therefore only data meeting both criteria will be returned from the log.
Below is a typical entry from the Security log. Any help most appreciated.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4799</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2017-04-08T08:21:20.606798800Z" />
    <EventRecordID>86049</EventRecordID>
    <Correlation ActivityID="{3FC9E59D-A9F5-0000-B3E5-C93FF5A9D201}" />
    <Execution ProcessID="824" ThreadID="7100" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-N58I331</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-N58I331$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="CallerProcessId">0x998</Data>
    <Data Name="CallerProcessName">C:\Windows\System32\consent.exe</Data>
  </EventData>
</Event>
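As an added example (not part of the original post, and not an answer posted in the thread), the two predicates from the question can be placed inside one outer predicate joined with `and`, so that both must hold for the same event. The block below also includes a hypothetical helper, `New-EventXPath`, that builds such a filter from a list of EventIDs and a hashtable of EventData name/value pairs, and a check that re-parses every returned record to confirm it really satisfies both conditions. It assumes an elevated PowerShell session (reading the Security log requires administrator rights) and uses the placeholder user name `MrUser` from the question.

```powershell
# Added example, not from the original post. Combines the two XPath predicates
# from the question with 'and' so that both must be true for the same event.
# Assumes an elevated session; 'MrUser' is the placeholder from the question.

# Both conditions inside a single outer predicate: the event matches only if
# System/EventID is 4624 AND EventData contains a Data element named
# TargetUserName whose text is MrUser.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='MrUser']]"

# Equivalent spelling, closer to what Event Viewer's XML filter tab generates.
$xpathAlt = "*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='MrUser']]"

# Hypothetical helper (not a built-in cmdlet) for the general case: any set of
# EventIDs (OR-ed together) plus any number of EventData name/value pairs
# (AND-ed with the EventID test and with each other).
function New-EventXPath {
    param(
        [Parameter(Mandatory)][int[]]$EventId,
        [hashtable]$Data = @{}
    )
    $idTerms = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $terms = @("System[($idTerms)]")
    foreach ($name in $Data.Keys) {
        $value = [string]$Data[$name]
        # An XPath 1.0 string literal cannot contain the quote that delimits it,
        # so a value with a single quote would break out of the literal and turn
        # into a different query. Refuse it rather than build something else.
        if ($value.Contains("'")) { throw "Value for '$name' must not contain a single quote" }
        $terms += "EventData[Data[@Name='$name']='$value']"
    }
    return '*[' + ($terms -join ' and ') + ']'
}

# The question's two conditions, built by the helper.
$query = New-EventXPath -EventId 4624 -Data @{ TargetUserName = 'MrUser' }
Write-Host "XPath: $query"

# A wider filter: successful or failed logons (4624/4625) for MrUser over RDP
# (LogonType 10). Both event types carry TargetUserName and LogonType fields.
$rdpQuery = New-EventXPath -EventId 4624, 4625 -Data @{ TargetUserName = 'MrUser'; LogonType = '10' }
Write-Host "XPath: $rdpQuery"

# -FilterXPath is evaluated by the event log service, so only matching records
# are returned; filtering with Where-Object afterwards would read the whole log.
# Get-WinEvent reports a non-terminating error when nothing matches, hence the
# -ErrorAction.
$events = Get-WinEvent -LogName Security -FilterXPath $query -MaxEvents 50 -ErrorAction SilentlyContinue

# Sanity check: re-parse each returned record and confirm both conditions hold.
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $target = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    if ($e.Id -ne 4624 -or $target -ne 'MrUser') {
        Write-Warning "Record $($e.RecordId) does not match the filter"
    }
}
$events | Select-Object TimeCreated, Id, RecordId, MachineName | Format-Table -AutoSize
```

The Windows event log implements only a subset of XPath 1.0 (Microsoft documents position(), Band() and timediff() as the supported functions), so string functions such as contains() are not available in a -FilterXPath string; exact comparisons like the ones above are what it supports.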