Simplified searching EventLog with XPath queries local and remote

canix1/XPathStudio

XPathStudio

A tool to simplify searching local and remote event logs. It ships with a collection of XPath queries in a .json file that is offered for selection in a list. Some of the queries contain placeholder fields for your own input. In this example you need to supply a TargetUserName value of your own, replacing REPLACEUSERNAME:

```xml
<!-- Name:Logon event by user name -->
<!-- Replace REPLACEUSERNAME -->
<QueryList>
  <Query Id='0' Path='Security'>
    <Select Path='Security'>*[System[EventID=4624]] and *[EventData[Data[@Name='TargetUserName']='REPLACEUSERNAME']]</Select>
  </Query>
</QueryList>
```

Run against your local machine or a list of hosts. Do your filtering in XPath and/or in the Display Filter option.

The tool has a couple of Sysmon XPath queries available from the start. If you have your own, please share them and I will update the .json file.

Remember that you need to run the script as an elevated admin to read the Security and Sysmon logs.

This is not a log collector! No database is used, so if a lot of data is retrieved, performance will be affected.
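The workflow described above (fill the placeholder, run the query locally or against a list of hosts, filter the displayed rows, require elevation for the Security and Sysmon logs) as an added PowerShell example; this is not the XPathStudio script itself. The function name, the `-MaxEvents` cap and the substring-style display filter are assumptions.

```powershell
# Added example, not the XPathStudio script: substitute placeholders in a query
# template, run it with Get-WinEvent -FilterXml on one or more hosts, and apply
# a simple display filter. Function name, -MaxEvents cap and filter semantics
# are assumptions made for this example.
function Invoke-XPathQuery {
    param(
        [Parameter(Mandatory)] [string] $QueryTemplate,
        [hashtable] $Replacements = @{},
        [string[]]  $ComputerName = @($env:COMPUTERNAME),
        [int]       $MaxEvents = 500,
        [string]    $DisplayFilter   # substring matched against the rendered message
    )

    # Reading the Security and Sysmon logs requires an elevated session.
    $principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session to read the Security and Sysmon logs.'
    }

    # Fill every placeholder the template expects and refuse to run an unfilled one.
    $query = $QueryTemplate
    foreach ($key in $Replacements.Keys) { $query = $query.Replace($key, $Replacements[$key]) }
    if ($query -match 'REPLACE[A-Z]+') { throw "Unfilled placeholder: $($Matches[0])" }

    foreach ($computer in $ComputerName) {
        try {
            # -MaxEvents bounds the result set: there is no database behind this tool.
            $events = Get-WinEvent -ComputerName $computer -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction Stop
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"; continue
        }
        foreach ($e in $events) {
            if ($DisplayFilter -and ("$($e.Message)" -notlike "*$DisplayFilter*")) { continue }
            [pscustomobject]@{
                Host = $computer; Time = $e.TimeCreated; EventId = $e.Id
                Message = ("$($e.Message)" -split "`n")[0]
            }
        }
    }
}

# Usage: the logon-by-user query from the README with a constructed user name.
$template = @"
<QueryList>
  <Query Id='0' Path='Security'>
    <Select Path='Security'>*[System[EventID=4624]] and *[EventData[Data[@Name='TargetUserName']='REPLACEUSERNAME']]</Select>
  </Query>
</QueryList>
"@
Invoke-XPathQuery -QueryTemplate $template -Replacements @{ REPLACEUSERNAME = 'jdoe' } -DisplayFilter 'Logon Type' | Format-Table -AutoSize
```

Pass `-ComputerName 'host1','host2'` to query remote machines; hosts that are unreachable or return no matching events produce a warning and are skipped rather than aborting the run.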
