Created
December 20, 2017 10:27
A custom view for Windows Event Viewer which shows security log events related to GPO changes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <ViewerConfig> | |
| <QueryConfig> | |
| <QueryParams> | |
| <UserQuery /> | |
| </QueryParams> | |
| <QueryNode> | |
| <Name>GPO Change Events</Name> | |
| <Description>Filters the security log for events related to GPO changes</Description> | |
| <QueryList> | |
| <Query Id="0" Path="Security"> | |
| <Select Path="Security"> | |
| *[ | |
| System[(EventID=5130 or EventID=5136 or EventID=5137 or EventID=5138 or EventID=4662)] | |
| and | |
| ( | |
| EventData[Data[@Name='ObjectClass'] and (Data="groupPolicyContainer")] | |
| or | |
| EventData[Data[@Name='ObjectType'] and (Data="%{f30e3bc2-9ff0-11d1-b603-0000f80367c1}")] | |
| ) | |
| ] | |
| </Select> | |
| </Query> | |
| </QueryList> | |
| </QueryNode> | |
| </QueryConfig> | |
| <ResultsConfig> | |
| <Columns> | |
| <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">208</Column> | |
| <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column> | |
| <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">258</Column> | |
| <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">168</Column> | |
| <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">168</Column> | |
| <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">168</Column> | |
| <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column> | |
| <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column> | |
| <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column> | |
| <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column> | |
| <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column> | |
| <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column> | |
| <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column> | |
| <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column> | |
| <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column> | |
| <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column> | |
| <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column> | |
| <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column> | |
| <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column> | |
| <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column> | |
| </Columns> | |
| </ResultsConfig> | |
| </ViewerConfig> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment