Create Task scheduler-run for event with specific Result Code

New Contributor

I would like to trigger the task only if the login attempt is against a disabled account. This includes the Result Code 0x12. How can I add this to the trigger? Any help would be much appreciated. Thanks.

 

Here is the event.

a102ndyh_0-1650469947460.png

 

Here is the event details XML View:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4768</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>14339</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8010000000000000</Keywords> 
  <TimeCreated SystemTime="2022-04-19T16:40:04.842900000Z" /> 
  <EventRecordID>562602120</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="528" ThreadID="106016" /> 
  <Channel>Security</Channel> 
  <Computer>XXXXXXXXXX</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="TargetUserName">XXXXXXXX</Data> 
  <Data Name="TargetDomainName">XXXXXXX</Data> 
  <Data Name="TargetSid">S-1-0-0</Data> 
  <Data Name="ServiceName">krbtgt/mie</Data> 
  <Data Name="ServiceSid">S-1-0-0</Data> 
  <Data Name="TicketOptions">0x40810010</Data> 
  <Data Name="Status">0x12</Data> 
  <Data Name="TicketEncryptionType">0xffffffff</Data> 
  <Data Name="PreAuthType">-</Data> 
  <Data Name="IpAddress">::ffff:192.168.240.79</Data> 
  <Data Name="IpPort">50126</Data> 
  <Data Name="CertIssuerName" /> 
  <Data Name="CertSerialNumber" /> 
  <Data Name="CertThumbprint" /> 
  </EventData>
  </Event>

Here is a task trigger that includes everything but the result code:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[band(Keywords,4503599627370496) and (EventID=4768)]]</Select>
  </Query>
</QueryList>

Not sure where to put the Result Code 0x12

<Data Name="Status">0x12</Data>

0 Replies