Filtering the Windows Security Log can be a pain in the arse if you don’t know how to use the XML filtering.
Here are two filtering options I use a lot in order to glean some information…
Filter Security Log by username:
Find all successful and unsuccessful logons for a particular user. Two caveats: the XPath string comparison is case-sensitive, so USERNAME must match the account name exactly as the event records it, and as written the filter returns every Security event whose TargetUserName is that account (logoffs, special-privilege assignments and so on), not just logons. If you only want logons, also restrict the System/EventID to 4624 (success) and 4625 (failure).

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='TargetUserName']='USERNAME']]</Select>
  </Query>
</QueryList>
Get NTLM Logons
Find all logons that were done with NTLM (good for finding the old crap on your network). AuthenticationPackageName only tells you NTLM was used; the LmPackageName field in the same 4624 event says whether it was NTLM V1, NTLM V2 or LM, which is what you actually want to know when hunting for legacy clients.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]</Select>
  </Query>
</QueryList>
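Both filters can be run from PowerShell with Get-WinEvent -FilterXml instead of pasting them into Event Viewer. The script below is an added example, not code from the original post: it narrows the username filter to 4624/4625, flattens each event's EventData into named properties so fields like LmPackageName can be used directly, and groups the NTLM logons by protocol version and source. The ConvertFrom-EventXml helper and the $User placeholder are my own; it assumes an elevated PowerShell session on the machine whose Security log you want to read.

```powershell
# Added example, not from the original post. Assumes an elevated session with
# rights to read the Security log; $User is a placeholder to replace.
# The XPath string compare is case-sensitive, so 'jsmith' will not match 'JSmith'.
$User = 'USERNAME'

# Helper (my own, not a built-in): turn an EventLogRecord into an object with one
# property per <Data Name="..."> element, so fields can be referenced by name
# instead of by a Properties[] index that differs between event IDs.
function ConvertFrom-EventXml {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $x = [xml]$Event.ToXml()
        $h = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

# Filter 1: logons for one account, restricted to 4624 (success) and 4625 (failure)
# so that other events carrying TargetUserName (4634 logoff, 4672 privileges, ...)
# do not show up.
$byUser = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]
        and EventData[Data[@Name='TargetUserName']='$User']]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $byUser -MaxEvents 500 |
    ConvertFrom-EventXml |
    Select-Object TimeCreated, Id, TargetUserName, LogonType, IpAddress, WorkstationName |
    Format-Table -AutoSize

# Filter 2: NTLM logons. LmPackageName separates NTLM V1 / NTLM V2 / LM, and grouping
# by source shows which hosts still speak the old protocol. Computer accounts (names
# ending in $) are dropped so machine-to-machine noise does not bury user logons.
$ntlm = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4624]
        and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $ntlm -MaxEvents 5000 |
    ConvertFrom-EventXml |
    Where-Object { $_.TargetUserName -notlike '*$' } |
    Group-Object LmPackageName, IpAddress, WorkstationName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Get-WinEvent raises an error ("No events were found that match the specified selection criteria") rather than returning nothing when a filter matches no events, so an empty result is not a sign the XPath is broken. The same -FilterXml queries can be pointed at a domain controller with -ComputerName, which is usually where the interesting NTLM V1 logons turn up.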