Here’s a quick example, which might help you, it filters by specific attributes (which you can’t get through the GUI) when you’re attempting to create a Custom View for Event Viewer.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[
System[
(EventID=4768 or EventID=4769 or EventID=4770 or EventID=4771)
]
and
EventData[
Data[@Name='TargetUserName']='user@DOMAIN.COM'
]
]
</Select>
</Query>
</QueryList>