Xml 为Windows事件日志中的数据列表构造XPath查询

正在尝试针对ID为“4703”的事件日志中的“EnabledPrivilegesList”属性组合查询。但是，我的XML查询：

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=4703)]] and * [EventData[Data[@Name='EnabledPrivilegeList'] and (Data='SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege')]]</Select>
  </Query>
</QueryList>

*[System[（Level=1或Level=2或Level=3或Level=4或Level=0或Level=5）和（EventID=4703）]和*[EventData[Data[@Name='EnabledPrivilegeList']和（Data='SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege Sesecurity SetMakerOwnershipprivilege SeLoadDriverPrivilege SeSystemTime Privilege SeBackupPrivilege SeShutdown Privilege SeSystemEnvironment Privilege SeUndockPrivilege SeManageVolumePrivilege'）]]

不会呈现我想要呈现的日志。但是，如果我将数据属性更改为其中一个，或者在两者之间放置“或”布尔值，则效果会非常好。我不能放置“和”布尔值，否则它会将其呈现为无效查询。原始XML日志以相同的顺序包含它们：

  <Data Name="TargetDomainName">WORKGROUP</Data> 
  <Data Name="TargetLogonId">0x3e7</Data> 
  <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data> 
  <Data Name="ProcessId">0xac0</Data> 
  <Data Name="EnabledPrivilegeList">SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege</Data> 
  <Data Name="DisabledPrivilegeList">-</Data> 
  </EventData>
  </Event>

工作组
0x3e7
C:\Windows\System32\svchost.exe
0xac0
SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege Sesecurity SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemTime Privilege SeBackupPrivilege SeShutdown Privilege SeSystemEnvironment Privilege SeEndock Privilege SeUndockPrivilege SeManageVolumePrivilege
- 

如何提取包含完整列表的日志