Xpath Filter upward limit


Xpath Filter upward limit

b

Example...

<QueryList>
   <Query Id="0" ...>
      <Select Path="Security" ...>
   </Query>
   <Query Id="1" ...>
      <Select Path="Security" ...>
   </Query>
 </QueryList>

Does the "Query List have a limit to number of "Query Id"?  ( Is it possible to have "Query Id=30"?)

Does "Query Id=0" have an upward limit to number of events to select or suppress?

Thanks.
Tamas Lengyel

bobbychan - 2/13/2018
Example...

<QueryList>
   <Query Id="0" ...>
      <Select Path="Security" ...>
   </Query>
   <Query Id="1" ...>
      <Select Path="Security" ...>
   </Query>
 </QueryList>

Does the "Query List have a limit to number of "Query Id"?  ( Is it possible to have "Query Id=30"?)

Does "Query Id=0" have an upward limit to number of events to select or suppress?

Thanks.

I couldn't find anything in the documentations on this, but a quick test revealed that the query id can go up to 4,294,967,295, which is 2^32-1. I would assume similar high limits would be true for other parts of XPath filters. Of course, in practice, memory, storage limitations and other factors could also impose limits on the total size of an XPath filter.


b

Tamas Lengyel - 2/13/2018
bobbychan - 2/13/2018
Example...

<QueryList>
   <Query Id="0" ...>
      <Select Path="Security" ...>
   </Query>
   <Query Id="1" ...>
      <Select Path="Security" ...>
   </Query>
 </QueryList>

Does the "Query List have a limit to number of "Query Id"?  ( Is it possible to have "Query Id=30"?)

Does "Query Id=0" have an upward limit to number of events to select or suppress?

Thanks.

I couldn't find anything in the documentations on this, but a quick test revealed that the query id can go up to 4,294,967,295, which is 2^32-1. I would assume similar high limits would be true for other parts of XPath filters. Of course, in practice, memory, storage limitations and other factors could also impose limits on the total size of an XPath filter.


I'm still having issues in consolidating my multiple subscriptions into one bigger subscription.  There is a total of 19 query Ids in the one big subscription, but nothing gets logged.  However, when i bring the query ids down to 7 or 8, they start logging.  I even tried collecting on Event IDs that are pertinent without any suppress tags, which i deemed was about 100 events ids, but the logs aren't received.  Any help is appreciated.
Tamas Lengyel

bobbychan - 2/16/2018
Tamas Lengyel - 2/13/2018
bobbychan - 2/13/2018
Example...

<QueryList>
   <Query Id="0" ...>
      <Select Path="Security" ...>
   </Query>
   <Query Id="1" ...>
      <Select Path="Security" ...>
   </Query>
 </QueryList>

Does the "Query List have a limit to number of "Query Id"?  ( Is it possible to have "Query Id=30"?)

Does "Query Id=0" have an upward limit to number of events to select or suppress?

Thanks.

I couldn't find anything in the documentations on this, but a quick test revealed that the query id can go up to 4,294,967,295, which is 2^32-1. I would assume similar high limits would be true for other parts of XPath filters. Of course, in practice, memory, storage limitations and other factors could also impose limits on the total size of an XPath filter.


I'm still having issues in consolidating my multiple subscriptions into one bigger subscription.  There is a total of 19 query Ids in the one big subscription, but nothing gets logged.  However, when i bring the query ids down to 7 or 8, they start logging.  I even tried collecting on Event IDs that are pertinent without any suppress tags, which i deemed was about 100 events ids, but the logs aren't received.  Any help is appreciated.

Would you mind sharing your XPath filter with the 19 query IDs? You can do it privately, if you wish.

b

Tamas Lengyel - 2/21/2018
bobbychan - 2/16/2018
Tamas Lengyel - 2/13/2018
bobbychan - 2/13/2018
Example...

<QueryList>
   <Query Id="0" ...>
      <Select Path="Security" ...>
   </Query>
   <Query Id="1" ...>
      <Select Path="Security" ...>
   </Query>
 </QueryList>

Does the "Query List have a limit to number of "Query Id"?  ( Is it possible to have "Query Id=30"?)

Does "Query Id=0" have an upward limit to number of events to select or suppress?

Thanks.

I couldn't find anything in the documentations on this, but a quick test revealed that the query id can go up to 4,294,967,295, which is 2^32-1. I would assume similar high limits would be true for other parts of XPath filters. Of course, in practice, memory, storage limitations and other factors could also impose limits on the total size of an XPath filter.


I'm still having issues in consolidating my multiple subscriptions into one bigger subscription.  There is a total of 19 query Ids in the one big subscription, but nothing gets logged.  However, when i bring the query ids down to 7 or 8, they start logging.  I even tried collecting on Event IDs that are pertinent without any suppress tags, which i deemed was about 100 events ids, but the logs aren't received.  Any help is appreciated.

Would you mind sharing your XPath filter with the 19 query IDs? You can do it privately, if you wish.

<QueryList>
<Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=4740 or EventID=4767)]]</Select>
</Query>
<Query Id="1" Path="Security">
  <Select Path="Security">*[System[( (EventID &gt;= 4717 and EventID &lt;= 4718) or EventID=4739)]]</Select>
</Query>
<Query Id="2" Path="Security">
  <Select Path="Security">*[System[(EventID=4704 or EventID=4705)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="ObjectType"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="3" Path="Security">
  <Select Path="Security">*[System[(EventID=4776)]]</Select>
  <Suppress Path="Security">*[System[EventID=4776]] and *[EventData[Data[@Name="TargetUserName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="4" Path="Security">
  <Select Path="Security">*[System[(EventID=5145)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] and (Data='0.0.0.0')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] and (Data="0.0.0.0")]] and *[EventData[Data[@Name="RelativeTargetName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="RelativeTargetName"] and (Data="xoxo")]] or *[EventData[Data[@Name="RelativeTargetName"] and (Data="xoxo")]] or *[EventData[Data[@Name="RelativeTargetName"] and (Data="xoxo")]] or *[EventData[Data[@Name="RelativeTargetName"] and (Data="xoxo")]] or *[EventData[Data[@Name="RelativeTargetName"] and (Data="xoxo")]] or *[EventData[Data[@Name="RelativeTargetName"] and (Data="xoxo")]] or *[EventData[Data[@Name="RelativeTargetName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="RelativeRargetName"] and (Data="xoxo")]] and *[EventData[Data[@Name="RelativeRargetName"] and (Data="xoxo")]] and *[EventData[Data[@Name="RelativeRargetName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="5" Path="Security">
  <Select Path="Security">*[System[(EventID=4656 or EventID=4658 or EventID=4660 or (EventID &gt;= 4663 and EventID &lt;= 4664) or EventID=4670)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="ObjectType"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectLogonId"] and (Data="xoxo")]] and *[EventData[Data[@Name="ObjectName"] and (Data="xoxo")]] and *[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="File-System">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="File-System">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12812]] and *[System[(EventID=4656 or EventID=4658 or EventID=4663)]]</Suppress>
  <Suppress Path="File-System">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="6" Path="Security">
  <Select Path="Security">*[System[(EventID=5140 or (EventID &gt;= 5142 and EventID &lt;= 5144) )]]</Select>
  <Suppress Path="Security">*[System[EventID=5140]] and *[EventData[Data[@Name="ShareName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]] and *[EventData[Data[@Name="ShareName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]] or *[EventData[Data[@Name="IpAddress"] and (Data='xoxo')]]</Suppress>
</Query>
<Query Id="7" Path="Security">
  <Select Path="Security">*[System[( (EventID &gt;= 5148 and EventID &lt;= 5151) or (EventID &gt;= 5154 and EventID &lt;= 5159) )]]</Select>
  <Suppress Path="Security">*[System[EventID=5157]] and *[EventData[Data[@Name="SourceAddress"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[System[EventID=5157]] and *[EventData[Data[@Name="DestAddress"]="xoxo" or Data[@Name="DestAddress"]="xoxo" or Data[@Name="DestAddress"]="xoxo"]]</Suppress>
  <Suppress Path="Security">*[System[EventID=5157]] and *[EventData[Data[@Name="SourcePort"] and (Data="67")]] and *[EventData[Data[@Name="DestPort"] and (Data="68")]]</Suppress>
  <Suppress Path="Security">*[System[EventID=5157]] and *[EventData[Data[@Name="DestPort"]="137" or Data[@Name="DestPort"]="138" or Data[@Name="DestPort"]="443" or Data[@Name="DestPort"]="80" or Data[@Name="DestPort"]="8082" or Data[@Name="DestPort"]="389"]]</Suppress>
  <Suppress Path="Security">*[System[EventID=5157]] and *[EventData[Data[@Name="DestPort"] and (Data="8013") and *[EventData[Data[@Name="DestAddress"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="8" Path="Security">
  <Select Path="Security">*[System[(EventID=4627)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data="xoxo")]] and *[EventData[Data[@Name="TargetLogonId"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="9" Path="Security">
  <Select Path="Security">*[System[(EventID=1102)]]</Select>
</Query>
<Query Id="10" Path="Security">
  <Select Path="Security">*[System[(EventID=4634 or EventID=4647)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data="xoxo") or (Data="xoxo") or (Data="xoxo")]]</Suppress>
</Query>
<Query Id="11" Path="Security">
  <Select Path="Security">*[System[( (EventID &gt;= 4624 and EventID &lt;= 4625) or EventID=4648)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data='xoxo')]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data='xoxo')]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data='xoxo')]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="TargetUserName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="12" Path="Security">
  <Select Path="Security">*[System[(EventID=4714 or (EventID &gt;= 6144 and EventID &lt;= 6145) )]]</Select>
  <Suppress Path="Security">*[System[EventID=5477]] and *[EventData[Data[@Name="SubjectUserSid"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="13" Path="Security">
  <Select Path="Security">*[System[(EventID=4649 or (EventID &gt;= 4778 and EventID &lt;= 4779) or (EventID &gt;= 4800 and EventID &lt;= 4803) )]]</Select>
</Query>
<Query Id="14" Path="Security">
  <Select Path="Security">*[System[( (EventID &gt;= 4698 and EventID &lt;= 4702) )]]</Select>
</Query>
<Query Id="15" Path="Security">
  <Select Path="Security">*[System[( (EventID &gt;= 5024 and EventID &lt;= 5025) or (EventID &gt;= 5027 and EventID &lt;= 5030) or (EventID &gt;= 5033 and EventID &lt;= 5035) or EventID=5037)]]</Select>
</Query>
<Query Id="16" Path="Security">
  <Select Path="Security">*[System[(EventID=4715 or EventID=4719 or EventID=4817 or (EventID &gt;= 4906 and EventID &lt;= 4908) or EventID=4912)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[System[EventID=4907]] and *[EventData[Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo']]</Suppress>
  <Suppress Path="Security">*[System[(EventID=4904 or EventId=4905)]] and *[EventData[Data[@Name="AuditSourceName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="17" Path="Security">
  <Select Path="Security">*[System[(EventID=4688)]]</Select>
  <Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
]]</Suppress>
  <Suppress Path="Security">*[System[EventID=4688]] and *[EventData[Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo' or Data[@Name='NewProcessName'] = 'xoxo' or Data[@Name='NewProcessName'] = 'xoxo'
or Data[@Name='NewProcessName'] = 'xoxo' or Data[@Name='NewProcessName'] = 'xoxo' or Data[@Name='NewProcessName'] = 'xoxo' or Data[@Name='NewProcessName'] = 'xoxo' or Data[@Name='NewProcessName'] = 'xoxo']]</Suppress>
</Query>
<Query Id="18" Path="Security">
  <Select Path="Security">*[System[(EventID=4689)]]</Select>
  <Suppress Path="Security">*[System[EventID=4689]] and *[EventData[Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
]]</Suppress>
  <Suppress Path="Security">*[System[EventID=4689]] and *[EventData[Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo'
or Data[@Name='ProcessName'] = 'xoxo' or Data[@Name='ProcessName'] = 'xoxo' or Data[@Name='ProcessName'] = 'xoxo' or Data[@Name='ProcessName'] = 'xoxo' or Data[@Name='ProcessName'] = 'xoxo' or Data[@Name='ProcessName'] = 'xoxo' or Data[@Name='ProcessName'] = 'xoxo']]</Suppress>
</Query>
<Query Id="19" Path="Security">
  <Select Path="Security">*[System[(EventID=4657)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="20" Path="Security">
  <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12812 and (EventID=4656 or EventID=4658 or EventID=4663)]]
</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]] and *[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]] and *[EventData[Data[@Name="ProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ObjectName"] and (Data="xoxo") or (Data="xoxo") or (Data="xoxo") or (Data="xoxo") or (Data="xoxo") or (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="ProcessName"] and (Data="xoxo") or (Data="xoxo") or (Data="xoxo")or (Data="xoxo") or (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserSid"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="21" Path="Security">
  <Select Path="Security">*[System[(EventID=4610 or EventID=4697)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserSid" and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="AuthenticationPackageName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="NotificationPackageName" and (Data="xoxo" or Data="xoxo" or Data="xoxo" or Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SecurityPackageName" and (Data="xoxo" or Data="xoxo" or Data="xoxo" or Data="xoxo" or Data="xoxo" or Data="xoxo" or Data="xoxo" or Data="xoxo" or Data="xoxo" or Data="xoxo")]]</Suppress>
</Query>
<Query Id="22" Path="Security">
  <Select Path="Security">*[System[((EventID &gt;= 4731 and EventID &lt;= 4735) or EventID=4799)]]</Select>
  <Suppress Path="Security">*[System[EventID=4799]] and *[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[System[EventID=4799]] and *[EventData[Data[@Name="TargetUserName"] and [(Data="xoxo") or Data="xoxo"]]] and *[EventData[Data[@Name="CallerProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[System[EventID=4799]] and *[EventData[Data[@Name="TargetUserName"] and [(Data="xoxo") or Data="xoxo"]]] and *[EventData[Data[@Name="CallerProcessName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[System[EventID=4799]] and *[EventData[Data[@Name="TargetUserName"] and [(Data="xoxo") or Data="xoxo"]]] and *[EventData[Data[@Name="CallerProcessName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="23" Path="Security">
  <Select Path="Security">*[System[(EventID=4672 or EventID=4964)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]] and *[EventData[Data[@Name="SubjectLogonId"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]] or *[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="24" Path="Security">
  <Select Path="Security">*[System[(EventID=4618 or EventID=5038 or EventID=6281 or EventID=6410)]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserSid" and (Data="xoxo" or Data="xoxo")]] and *[EventData[Data[@Name="SubjectUserName' and (Data="xoxo")]]</Suppress>
</Query>
<Query Id="25" Path="Security">
  <Select Path="Security">*[System[(EventID=4720 or (EventID &gt;= 4722 and EventID &lt;= 4726) or EventID=4738 or EventID=4740 or (EventID &gt;= 4765 and EventID &lt;= 4766) or (EventID &gt;= 4780 and EventID &lt;= 4781) or EventID=4798 or (EventID &gt;= 5376 and EventID &lt;= 5377) )]]</Select>
  <Suppress Path="Security">*[EventData[Data[@Name="SubjectUserName"] and (Data="xoxo")]]</Suppress>
  <Suppress Path="Security">*[System[EventID=4798]] and *[EventData[Data[@Name="SubjectLogonId"] and (Data="xoxo" or Data="xoxo")]]</Suppress>
</Query>
<Query Id="26" Path="Security">
  <Select Path="Security">*[System[( (EventID &gt;= 4946 and EventID &lt;= 4948) )]]</Select>
</Query>
</QueryList>

GO


Similar Topics


Reading This Topic


Login
Existing Account
Email Address:


Password:


Select a Forum....








LOGbinder Forum


Search