XPath AND question
-
AUser
- Posts: 2
- Joined: Sat Apr 08, 2017 11:11 am
XPath AND question
Hello,
I hope someone can assist me in this forum,
I use Windows operating system and PowerShell (script/shell language) some of the command (known as cmdlets) has the option to pass then an XPATH string when they perform their actions, for example filtering the Windows Security log for certain information.
One such command is get-WinEvent -LogName Security -FilterXPath <your XPATH string here>
One of my XPATH string is as follows
*[System[(EventID=4624)]]
this returns any entry in the log (which of course if in XML format) which has the EventID equal to 4624
Another of my XPATH strings in as follows
*[EventData[(Data[@Name='TargetUserName'] = 'MrUser')]]
The above will return and entry from the log where the TargetUserName equals MrUser
Question:
What I want to do is combine two XPATH strings into one, so I when I search the log both of the above must be true and therefore only data meeting both criteria will be returned from the log.
Below is a typical entry from the security log, any help most appreciated
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4799</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2017-04-08T08:21:20.606798800Z" />
<EventRecordID>86049</EventRecordID>
<Correlation ActivityID="{3FC9E59D-A9F5-0000-B3E5-C93FF5A9D201}" />
<Execution ProcessID="824" ThreadID="7100" />
<Channel>Security</Channel>
<Computer>DESKTOP-N58I331</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetDomainName">Builtin</Data>
<Data Name="TargetSid">S-1-5-32-544</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-N58I331$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="CallerProcessId">0x998</Data>
<Data Name="CallerProcessName">C:\Windows\System32\consent.exe</Data>
</EventData>
</Event>
I hope someone can assist me in this forum,
I use Windows operating system and PowerShell (script/shell language) some of the command (known as cmdlets) has the option to pass then an XPATH string when they perform their actions, for example filtering the Windows Security log for certain information.
One such command is get-WinEvent -LogName Security -FilterXPath <your XPATH string here>
One of my XPATH string is as follows
*[System[(EventID=4624)]]
this returns any entry in the log (which of course if in XML format) which has the EventID equal to 4624
Another of my XPATH strings in as follows
*[EventData[(Data[@Name='TargetUserName'] = 'MrUser')]]
The above will return and entry from the log where the TargetUserName equals MrUser
Question:
What I want to do is combine two XPATH strings into one, so I when I search the log both of the above must be true and therefore only data meeting both criteria will be returned from the log.
Below is a typical entry from the security log, any help most appreciated
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4799</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2017-04-08T08:21:20.606798800Z" />
<EventRecordID>86049</EventRecordID>
<Correlation ActivityID="{3FC9E59D-A9F5-0000-B3E5-C93FF5A9D201}" />
<Execution ProcessID="824" ThreadID="7100" />
<Channel>Security</Channel>
<Computer>DESKTOP-N58I331</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetDomainName">Builtin</Data>
<Data Name="TargetSid">S-1-5-32-544</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-N58I331$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="CallerProcessId">0x998</Data>
<Data Name="CallerProcessName">C:\Windows\System32\consent.exe</Data>
</EventData>
</Event>
-
adrian
- Posts: 2879
- Joined: Tue May 17, 2005 4:01 pm
Re: XPath AND question
Hi,
Assuming the PowerShell command supports complex XPath, you just need to combine the two conditions with an "and" between them:
Regards,
Adrian
Assuming the PowerShell command supports complex XPath, you just need to combine the two conditions with an "and" between them:
Code: Select all
*[System[(EventID=4624)] and EventData[(Data[@Name='TargetUserName'] = 'MrUser')]]Adrian
Adrian Buza
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com
-
AUser
- Posts: 2
- Joined: Sat Apr 08, 2017 11:11 am
Re: XPath AND question
Thanks Adrian
Worked a treat
Also, just brought a book on XPATH as I need to lear moor
Thanks again
AUser
Worked a treat
Also, just brought a book on XPATH as I need to lear moor
Thanks again
AUser