Windows Event logs under the format EVTX are actually recorded with XML. You can use XPATH to query XML. I deally, you would never need to do this, as you can export Windows Event Logs to a SIEM. However, you may need to query the Event Log Directly, and the bui;t in search is pretty terrible. If you get used to the XPATH Sytanx, you can make it a lot easier to query the Windows Event Log.
First, Open the Windows Event Log. In our examples, we will be querying the Security Event Log. In the Right panel, press "Filter Current Log..."
Click the XML Tab at the top right, then select at the bottom "Edit Query Manually"
Specific Account logging on:
For whatever reason, The "User" field in the Filter does not actually work post Windows 2003, which is very frustrating. we can actually search for users via XPATH. In this example I am looking for a specific Windows Event IDs 4648 and 4624.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4648 or EventID=4624)] and EventData[Data[@Name="TargetUserName"]="accountname"]]</Select>
</Query>
</QueryList>
Checking a user login to a specific process:
In this example, we have multiple Sites in IIS that AD users can authenticate to. We want to look at just one of those web apps, as to not have to sift through all the sign ins. The ProcessName field can be filtered down to the name of any process, in this case, IIS.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4648)] and EventData[Data[@Name="TargetUserName"]="bob"] and EventData[Data[@Name="ProcessName"]="C:\inetpub\sites\ecommerce\ecommerceweb\Bank.Web.exe"]]</Select>
</Query>
</QueryList>
Query for NTLM v1
As part of auditing, you may be looking to eliminate NTLMv1 usage. This can be quieried with XPATH like such:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name="LmPackageName"]="NTLM V1"]]</Select>
</Query>
</QueryList>
