Created
March 17, 2014 23:49
-
-
Save thekingofspain/9610822 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <QueryList> | |
| <Query Id="0" Path="Security"> | |
| <Select Path="Security"> | |
| *[EventData[Data[@Name='TargetUserName'] and (Data='ebCQ47')]] and | |
| *[System[(EventID=512 or EventID=513 or EventID=528 or EventID=538 or EventID=551 or EventID=4608 or EventID=4609 or EventID=4624 or EventID=4634 or EventID=4647 or EventID=4778 or EventID=4779 or EventID=4780 or EventID=4781 or EventID=4782 or EventID=4783)]]</Select> | |
| <Select Path="Microsoft-Windows-Security-Audit-Configuration-Client/Operational"> | |
| *[EventData[Data[@Name='TargetUserName'] and (Data='ebCQ47')]] and | |
| *[System[(EventID=512 or EventID=513 or EventID=528 or EventID=538 or EventID=551 or EventID=4608 or EventID=4609 or EventID=4624 or EventID=4634 or EventID=4647 or EventID=4778 or EventID=4779 or EventID=4780 or EventID=4781 or EventID=4782 or EventID=4783)]]</Select> | |
| <Select Path="Microsoft-Windows-Security-IdentityListener/Operational"> | |
| *[EventData[Data[@Name='TargetUserName'] and (Data='ebCQ47')]] and | |
| [System[(EventID=512 or EventID=513 or EventID=528 or EventID=538 or EventID=551 or EventID=4608 or EventID=4609 or EventID=4624 or EventID=4634 or EventID=4647 or EventID=4778 or EventID=4779 or EventID=4780 or EventID=4781 or EventID=4782 or EventID=4783)]]</Select> | |
| </Query> | |
| </QueryList> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment