I talked recently about XPath queries in relation to the new Windows Security Events Data Connector in Azure Sentinel. To catch up on that discussion, see: How to Limit What Azure Sentinel Collects from Windows Systems.
XPath queries are something you’ll need to become comfortable creating in order to use Data Collection Rules (DCRs), which are part of using the new agent – the Azure Monitor Agent (AMA).
Learn more about XPath queries: Configure data collection for the Azure Monitor agent (preview) – Azure Monitor | Microsoft Docs
However, there’s a shortcut (cheater’s) trick to creating your XPath queries using good, old Event Viewer.
Open up Event Viewer on any Windows system and select the log file where you want to pull Event IDs from.
Choose the Filter Current Log… option, enter the Event IDs you want to collect, and then go to the XML tab in the filter to find the XPath query.
Lastly, take the XPath query part (as shown in the next image), and copy and paste it into your new DCR in the Windows Security Events Data Connector.
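Here is an added PowerShell example (not code from the original post or from Microsoft) that does the last step programmatically: it takes the XML that Event Viewer shows in the XML tab, pulls out each Select element, and turns it into the ChannelName!XPathQuery form a DCR expects, then runs each query through Get-WinEvent so a typo in the filter shows up locally rather than as an empty table in Sentinel. The sample XML is constructed to match what Event Viewer emits for Security Event IDs 4624 and 4625; the function names ConvertTo-DcrXPath and Test-DcrXPath are my own.

```powershell
# Added example (not from the original post). Converts the XML that Event Viewer's
# "Filter Current Log... > XML" tab produces into the LogName!XPathQuery form a
# Data Collection Rule expects, and checks each query against the local log first.
# The XML below is constructed to match Event Viewer's output for Security
# events 4624 and 4625; replace it with the XML copied from your own filter.
$EventViewerXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
  </Query>
</QueryList>
'@

function ConvertTo-DcrXPath {
    # Takes the <QueryList> XML from Event Viewer and returns one string per
    # <Select> element in the form the DCR uses: ChannelName!XPathQuery.
    param([Parameter(Mandatory)][string]$QueryListXml)

    $doc = [xml]$QueryListXml
    foreach ($query in $doc.SelectNodes('/QueryList/Query')) {
        foreach ($select in $query.SelectNodes('Select')) {
            # Each <Select> carries its own Path attribute; fall back to the <Query> Path.
            $channel = $select.GetAttribute('Path')
            if (-not $channel) { $channel = $query.GetAttribute('Path') }
            $xpath = $select.InnerText.Trim()
            "$channel!$xpath"
        }
    }
}

function Test-DcrXPath {
    # Splits a ChannelName!XPathQuery string and runs it through Get-WinEvent.
    # Returns $true when the query parses and runs (even with zero matching events),
    # $false when the channel or the XPath is rejected.
    param([Parameter(Mandatory)][string]$DcrEntry)

    $channel, $xpath = $DcrEntry -split '!', 2
    try {
        # -MaxEvents keeps the check cheap; Get-WinEvent throws on a malformed XPath.
        $null = Get-WinEvent -LogName $channel -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
        return $true
    } catch {
        # "No events were found" means the filter is valid, there is just nothing to show yet.
        if ($_.Exception.Message -match 'No events were found') { return $true }
        Write-Warning "Query '$DcrEntry' failed: $($_.Exception.Message)"
        return $false
    }
}

foreach ($entry in ConvertTo-DcrXPath -QueryListXml $EventViewerXml) {
    if (Test-DcrXPath -DcrEntry $entry) {
        # This is the value to paste into the DCR's custom XPath list.
        $entry
    }
}
```

Run it from an elevated PowerShell session, since reading the Security log requires administrative rights; the output for the sample XML is `Security!*[System[(EventID=4624 or EventID=4625)]]`, which is exactly the string the DCR wants.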