Can we also use more properties than are available on Event Log side for the XPath Query? For example if I want to have greater than or lower then it doesn't work on Event Log side because they support only a very limited XPath 1.0 filter set.
However, it's important to note that the above XPath does not directly filter out "usual" ports within the 0-1024 range, as "unusual" could vary based on context. This query simply checks for any client port within the 0 to 1024 range. Adjusting the query to exclude specific well-known ports would require additional conditions within the XPath, and the exact implementation might depend on the structure of the event log data and how the client port is represented.
If you have a specific list of ports considered "usual" that you want to exclude, you would need to add additional conditions to explicitly exclude those ports. XPath 1.0, commonly used in Windows event log queries, has limited capabilities for such detailed filtering, and often the filtering logic might need to be partly handled by the application processing the events after retrieval.
Can we also use more properties than are available on Event Log side for the XPath Query? For example if I want to have greater than or lower then it doesn't work on Event Log side because they support only a very limited XPath 1.0 filter set.
In the concrete example I want to filter for EventID 4768 Events (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768) only if they contain an unusual client port between 0 and 1024.
Something like the following:
<Event>
<System>
<EventID>4768</EventID>
</System>
<EventData>
<Data Name='ClientPort'>
*[number() > 0 and number() <= 1024]
</Data>
</EventData>
</Event>
However, it's important to note that the above XPath does not directly filter out "usual" ports within the 0-1024 range, as "unusual" could vary based on context. This query simply checks for any client port within the 0 to 1024 range. Adjusting the query to exclude specific well-known ports would require additional conditions within the XPath, and the exact implementation might depend on the structure of the event log data and how the client port is represented.
If you have a specific list of ports considered "usual" that you want to exclude, you would need to add additional conditions to explicitly exclude those ports. XPath 1.0, commonly used in Windows event log queries, has limited capabilities for such detailed filtering, and often the filtering logic might need to be partly handled by the application processing the events after retrieval.