Reputation: 167
I am trying to query certain process creation events from the Security audit log, and my query looks like the one below:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\process0.exe' or Data='C:\Windows\System32\process1.exe' or Data='C:\Windows\process2.exe')]]
      and
      *[System[(EventID=4688)]]
    </Select>
  </Query>
</QueryList>
This, however, works on Windows Server 2012 OS but does not work on Windows 10 Desktop OS.
Upvotes: 1
Views: 439
Reputation: 167
My workaround is to separate the search attribute values, something like this:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      (*[EventData[Data[@Name='NewProcessName'] ='C:\Windows\System32\process0.exe']]
      or
      *[EventData[Data[@Name='NewProcessName'] ='C:\Windows\process1.exe']]
      or
      *[EventData[Data[@Name='NewProcessName'] = 'C:\Windows\process2.exe']])
      and
      *[System[(EventID=4688)]]
    </Select>
  </Query>
</QueryList>
Upvotes: 1
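The following PowerShell script is an added example and is not code from the question or the answer above. It generates the per-value form of the filter shown in the workaround (one `Data[@Name='NewProcessName']='...'` comparison per executable path, so each equality test is bound to the NewProcessName element rather than to any Data element of the event) and runs it through `Get-WinEvent -FilterXml`. The function name `New-ProcessCreationQuery` and the three executable paths are assumptions made for the example; reading the Security log requires an elevated session, and process creation auditing (event 4688) must be enabled for any events to exist.

```powershell
# Added example: build the per-value XPath filter from a list of paths and run it.
# Assumptions: elevated PowerShell on Windows, event 4688 auditing enabled.
$processPaths = @(                                 # constructed sample values
    'C:\Windows\System32\process0.exe',
    'C:\Windows\process1.exe',
    'C:\Windows\process2.exe'
)

function New-ProcessCreationQuery {
    param([Parameter(Mandatory)][string[]]$Paths)

    $clauses = foreach ($p in $Paths) {
        # XPath 1.0 has no escape for a quote inside a quoted literal, so refuse
        # such values instead of emitting a filter that silently parses wrong.
        if ($p -match "'") { throw "Path contains a single quote and cannot be used in an XPath literal: $p" }
        # Escape XML metacharacters because the XPath lives inside element text.
        $escaped = [System.Security.SecurityElement]::Escape($p)
        "*[EventData[Data[@Name='NewProcessName']='$escaped']]"
    }
    $dataFilter = $clauses -join "`n      or`n      "

    @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      ($dataFilter)
      and
      *[System[(EventID=4688)]]
    </Select>
  </Query>
</QueryList>
"@
}

$queryXml = New-ProcessCreationQuery -Paths $processPaths
Write-Output $queryXml      # review the generated filter before running it

# -ErrorAction Stop turns "No events were found" into a catchable terminating error.
try {
    Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 50 -ErrorAction Stop |
        ForEach-Object {
            # Read fields by name from the event XML rather than by positional index.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                NewProcessName = ($data | Where-Object Name -eq 'NewProcessName').'#text'
                SubjectUser    = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                Computer       = $_.MachineName
            }
        }
}
catch {
    Write-Warning "Query returned no events or failed: $($_.Exception.Message)"
}
```

Because the filter is generated from a list, the same script scales to a watch-list of any length without hand-editing the XPath, and the generated XML can be pasted unchanged into Event Viewer's "Custom View" XML tab or a subscription to check that the Windows 10 host accepts it.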