Filtering the Windows Security Log can be a pain in the arse if you don’t know how to use the XML filtering.
Here are two filtering options I use a lot in order to glean some information…
Filter Security Log by username:
Find all successful and unsuccessful logons from a particular user…
<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">* [EventData[Data[@Name='TargetUserName']='USERNAME']]</Select> </Query> </QueryList>
Get NTLM Logons
Find all logons that were done with NTLM (good for finding the old crap on your network)
<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">* [EventData[Data[@Name='AuthenticationPackageName']='NTLM']]</Select> </Query> </QueryList>
Some Downtime 