Red John

Reputation: 167

Windows Event Log XML Query gives unintended results

I am trying to query certain process creation events from the Security audit log, and my query looks like the one below:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
        *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\process0.exe' or Data='C:\Windows\System32\process1.exe' or Data='C:\Windows\process2.exe')]]
        and
        *[System[(EventID=4688)]]
    </Select>
  </Query>
</QueryList>

This, however, works on Windows Server 2012 OS but does not work on Windows 10 Desktop OS.

Upvotes: 1

Views: 439

Answers (1)

Red John

Reputation: 167

My workaround is to separate the search attribute values, something like this:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
        (*[EventData[Data[@Name='NewProcessName'] ='C:\Windows\System32\process0.exe']] 
         or
         *[EventData[Data[@Name='NewProcessName'] ='C:\Windows\process1.exe']]
         or
         *[EventData[Data[@Name='NewProcessName'] = 'C:\Windows\process2.exe']])
        and 
        *[System[(EventID=4688)]]
    </Select>
  </Query>
</QueryList>

Upvotes: 1
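The workaround in the answer above binds each comparison to the named Data element, one `*[EventData[Data[@Name='NewProcessName']='...']]` predicate per value, instead of testing a bare `Data='...'` next to a separate `Data[@Name=...]` check. The following is an added example, not part of the original question or answer: it generalizes the answer's hand-written query to any list of process paths by generating one such predicate per path, then runs the result through `Get-WinEvent -FilterXml` and projects the fields a responder usually wants out of a 4688 event. The process paths, the function name `New-ProcessCreationFilterXml`, and the selected output fields are assumptions for illustration; reading the Security log requires elevation or membership in the Event Log Readers group.

```powershell
# Added example (not from the original post). Builds the per-value OR form of
# the 4688 query for an arbitrary list of NewProcessName values and runs it.
# The paths below are constructed sample values; substitute your own.
$processPaths = @(
    'C:\Windows\System32\process0.exe',
    'C:\Windows\process1.exe',
    'C:\Windows\process2.exe'
)

function New-ProcessCreationFilterXml {
    param(
        [Parameter(Mandatory)][string[]]$NewProcessName
    )
    # One predicate per value. Each clause compares the Data element that
    # carries Name='NewProcessName' directly against the value, so no clause
    # relies on an unqualified Data='...' test that could match another field.
    $clauses = foreach ($p in $NewProcessName) {
        # Escape &, <, > and quotes so the path is safe inside the XML text node.
        $escaped = [System.Security.SecurityElement]::Escape($p)
        "*[EventData[Data[@Name='NewProcessName']='$escaped']]"
    }
    $orBlock = $clauses -join "`n         or`n         "
@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
        ($orBlock)
        and
        *[System[(EventID=4688)]]
    </Select>
  </Query>
</QueryList>
"@
}

$queryXml = New-ProcessCreationFilterXml -NewProcessName $processPaths
$queryXml   # print the generated query so it can be reviewed or reused in a subscription

# Run the query and flatten the EventData name/value pairs of each hit.
Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $_.TimeCreated
            NewProcessName    = $data['NewProcessName']
            ParentProcessName = $data['ParentProcessName']
            SubjectUserName   = $data['SubjectUserName']
            CommandLine       = $data['CommandLine']   # populated only if command-line auditing is enabled
        }
    }
```

Windows Event Log evaluates only a restricted subset of XPath 1.0, which is why keeping every clause in the simple `Data[@Name='...']='value'` shape, as the answer does, is the safest way to write these selectors; the same generated XML can be pasted into Event Viewer's custom view or a WEF subscription, since both consume the identical QueryList format.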
