XPath query examples

Use these XPath examples, which monitor events and retrieve credential logon events, as a reference when you create your own XPath queries.

For more information about XPath queries, see your Microsoft documentation.

Note: XPath uses only the MSEVEN6 event protocol.

Example: Monitoring events for a specific user

In this example, the query retrieves events from all Windows event logs for the guest user.

Important: XPath queries cannot filter Windows Forwarded Events.

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=4 or Level=0) and
      Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="Security">*[System[(Level=4 or Level=0) and
      Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="Setup">*[System[(Level=4 or Level=0) and
      Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="System">*[System[(Level=4 or Level=0) and
      Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
  </Query>
</QueryList>

Example: Credential logon for Windows 2008

In this example, the query retrieves specific event IDs from the Security log for Information-level events that are associated with account authentication in Windows 2008.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=4 or Level=0) and
      ( (EventID &gt;= 4776 and EventID &lt;= 4777) )]]</Select>
  </Query>
</QueryList>

Table 1. Event IDs used in credential logon example

ID    Description
4776  The domain controller attempted to validate credentials for an account.
4777  The domain controller failed to validate credentials for an account.

Example: Retrieving events based on user

In this example, the query filters on event IDs to retrieve user account events from the Security log of a fictional computer named Password_DB, which hosts a user password database.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Computer='Password_DB') and
      (Level=4 or Level=0) and (EventID=4720 or (EventID &gt;= 4722
      and EventID &lt;= 4726) or (EventID &gt;= 4741 and EventID
      &lt;= 4743) )]]</Select>
  </Query>
</QueryList>

Table 2. Event IDs used in database example

ID    Description
4720  A user account was created.
4722  A user account was enabled.
4723  An attempt was made to change the password of an account.
4724  An attempt was made to reset the password of an account.
4725  A user account was disabled.
4726  A user account was deleted.
4741  A user account was created.
4742  A user account was changed.
4743  A user account was deleted.

Example: Retrieving DNS analytic logs

In this example, the query retrieves all events that are captured in DNS analytic logs.

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical">
    <Select Path="Microsoft-Windows-DNSServer/Analytical">*</Select>
  </Query>
</QueryList>

Example: Retrieving events with Sysinternals Sysmon

In this example, the query retrieves all events that are captured by Sysinternals Sysmon.

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
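The examples above are hand-written, and two details are easy to get wrong: the comparison operators inside the Select element must be XML-escaped (&gt;= and &lt;=), and a SID pasted across a line break no longer matches any account. The following Python helpers, added here as an example and not part of the original documentation or of any vendor tool, build QueryList documents for the guest-user, credential logon and Password_DB cases, escape the predicates, reject malformed SIDs, and parse the result back to confirm it is well-formed XML; the helper names are assumptions of this example.

```python
"""Build and sanity-check Windows Event Log XPath <QueryList> documents.

Added example for this page, not code from the original documentation or
from any vendor tool. Channel names, event IDs and the SID used in the
tests come from the page's examples; the helper names are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

INFO_LEVELS = "(Level=4 or Level=0)"  # Information events, as in every page example
SID_RE = re.compile(r"S-1-\d+(-\d+)+")  # a SID has no whitespace or line breaks


def id_filter(ids):
    """Turn event IDs and (low, high) ranges into one XPath predicate."""
    parts = []
    for item in ids:
        if isinstance(item, tuple):
            lo, hi = item
            parts.append(f"(EventID >= {lo} and EventID <= {hi})")
        else:
            parts.append(f"EventID={item}")
    return "(" + " or ".join(parts) + ")"


def user_filter(sid):
    """Predicate matching events whose System/Security UserID equals sid."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    return f"Security[@UserID='{sid}']"


def build_querylist(selects):
    """selects: [(channel, predicate), ...] -> QueryList XML text.
    escape() turns '>=' / '<=' into '&gt;=' / '&lt;=', as <Select> requires."""
    body = "\n".join(
        f'    <Select Path="{channel}">*[System[{INFO_LEVELS} and {escape(pred)}]]</Select>'
        for channel, pred in selects
    )
    return (f'<QueryList>\n  <Query Id="0" Path="{selects[0][0]}">\n'
            f"{body}\n  </Query>\n</QueryList>")


def parse_querylist(xml_text):
    """Parse a QueryList back into {channel: xpath}; raises if it is not well-formed XML."""
    root = ET.fromstring(xml_text)
    return {sel.get("Path"): sel.text for sel in root.iter("Select")}
```

Because ElementTree unescapes the text on parse, the dictionary returned by parse_querylist shows the XPath exactly as the event log service will evaluate it, which is a convenient way to eyeball a query before deploying it to an agent.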