Event Selection - MSDN
Advanced XML Filtering - by Ned Pyle
Authoring Event Rules in OpsMgr – by christow
Example:
# XPath compound filter
$filter=@"
*[System[(EventID=4624)]] and
*[EventData[Data[@Name='TargetUserName'] and (Data='$targetusername')]]
"@
# collect all events
$events=@()
$username=Get-Username
$domain=[system.directoryservices.activedirectory.domain]::GetCurrentDomain()
Foreach($dc in $domain.DomainControllers){
$events+=Get-WinEvent -LogName security -FilterXPath $filter -ComputerName $dc
}