EventViewerCustomViews/xml/01D97C.xml at main · tomstryhn/EventViewerCustomViews · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<ViewerConfig>
    <QueryConfig>
        <QueryParams>
            <UserQuery />
        </QueryParams>
        <QueryNode>
            <Name>Administrator Logon (Failed)</Name>
            <Description>Failed Administrator Account Logons</Description>
            <QueryList>
                <Query Id="0" Path="Security">
                    <Select Path="Security">
                        *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625)]] and
                        *[EventData[Data[@Name="TargetUserName"]="Administrator"]]
                    </Select>
                </Query>
            </QueryList>
        </QueryNode>
    </QueryConfig>
</ViewerConfig>