M
momaydopod
I need to filter by event ID and AccessMask and Keyword = success and failure
Filter by Event viewer
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[band(Keywords,13510798882111488) and (EventID=4663)]]</Select>
</Query>
</QueryList>
XML file
Access Request Information:
Accesses: WriteData (or AddFile)
Access Mask: 0x2
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2018-12-24T07:57:21.373012200Z" />
<EventRecordID>533849319</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5116" />
<Channel>Security</Channel>
<Computer></Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3973108871-1993391267-3055040726-4603</Data>
<Data Name="SubjectUserName"></Data>
<Data Name="SubjectDomainName"></Data>
<Data Name="SubjectLogonId">0x1e67c6c</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName"></Data>
<Data Name="HandleId">0x4d30</Data>
<Data Name="AccessList">%%4417
</Data>
<Data Name="AccessMask">0x2</Data>
<Data Name="ProcessId">0x4</Data>
<Data Name="ProcessName">
</Data>
<Data Name="ResourceAttributes"></Data>
</EventData>
</Event>
Continue reading...
Filter by Event viewer
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[band(Keywords,13510798882111488) and (EventID=4663)]]</Select>
</Query>
</QueryList>
XML file
Access Request Information:
Accesses: WriteData (or AddFile)
Access Mask: 0x2
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2018-12-24T07:57:21.373012200Z" />
<EventRecordID>533849319</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5116" />
<Channel>Security</Channel>
<Computer></Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3973108871-1993391267-3055040726-4603</Data>
<Data Name="SubjectUserName"></Data>
<Data Name="SubjectDomainName"></Data>
<Data Name="SubjectLogonId">0x1e67c6c</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName"></Data>
<Data Name="HandleId">0x4d30</Data>
<Data Name="AccessList">%%4417
</Data>
<Data Name="AccessMask">0x2</Data>
<Data Name="ProcessId">0x4</Data>
<Data Name="ProcessName">
</Data>
<Data Name="ResourceAttributes"></Data>
</EventData>
</Event>
Continue reading...