Sysmon - Event filtering with & symbol error

  • Question

  • I'm using the very latest Sysmon v9.0.

    I've tried using & and the filter is not filtering it correctly.

    But, if I use & I'm receiving this error below. How do I go about escaping the &?

    The event log query specified is invalid.


    Here's the XML event filter I'm using:

    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">
         *[EventData[Data[@Name='Image'] = '\\169.254.62.153\NAS Storage\Programs & Windows Apps\winutilityapp.exe']]
        </Select>
      </Query>
    </QueryList>


    Tuesday, May 28, 2019 9:14 PM
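The XML side of the question, as an added example that is not part of the original post or of Sysmon: an Event Log query is an XML document, so a literal `&` inside `<Select>` has to be written as `&amp;`, and the XML parser hands the XPath expression back with a plain `&`. The function names are hypothetical, the path is the one from the post, and the check covers XML well-formedness only, not whether the Event Log service then matches the `Image` value.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Image path taken from the post above.
IMAGE = r"\\169.254.62.153\NAS Storage\Programs & Windows Apps\winutilityapp.exe"


def build_query(image_path: str) -> str:
    """Build an Event Log XML query matching events whose Image equals image_path."""
    if "'" in image_path:
        # XPath 1.0 string literals cannot escape their own delimiter, so a
        # single quote cannot be placed inside a '...' literal (handling
        # chosen for this example).
        raise ValueError("single quote cannot appear inside a '...' XPath literal")
    xpath = f"*[EventData[Data[@Name='Image'] = '{image_path}']]"
    # escape() rewrites &, < and > as entities; this is the XML layer only.
    return (
        "<QueryList>\n"
        f'  <Query Id="0" Path="{CHANNEL}">\n'
        f'    <Select Path="{CHANNEL}">{escape(xpath)}</Select>\n'
        "  </Query>\n"
        "</QueryList>"
    )


def is_well_formed(query_xml: str) -> bool:
    """Return True if the query parses as XML."""
    try:
        ET.fromstring(query_xml)
        return True
    except ET.ParseError:
        return False


def xpath_seen_by_parser(query_xml: str) -> str:
    """Return the XPath text an XML parser extracts from <Select>."""
    root = ET.fromstring(query_xml)
    return root.find("Query/Select").text.strip()


if __name__ == "__main__":
    escaped = build_query(IMAGE)
    unescaped = escaped.replace("&amp;", "&")  # the form that fails to parse
    print(escaped)
    print("escaped well-formed:  ", is_well_formed(escaped))
    print("unescaped well-formed:", is_well_formed(unescaped))
    print("XPath after parsing:  ", xpath_seen_by_parser(escaped))
```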

All replies