mjomha
Copper Contributor
Jun 08, 2022

Data Collection Rules and Xpath Queries Issue

Testing out the AMA to create custom filters for certain events. Still new to XPath so have been testing out some queries I've created. One query doesn't seem to work in Sentinel the way I expect, even though I tested it in PowerShell and it works perfectly. Kind of stuck as I am not sure exactly what is wrong with the query.

Sample of the query I am testing:


"*[System[EventID=4663] and EventData[Data[@Name='ProcessName']!='Path to a process'] and EventData[Data[@Name='SubjectUserName']!='Username']]"


(Removed the actual path to the process and username)


Basically I am looking to pull in all EventID 4663 events that do not contain a specific ProcessName and SubjectUserName. Both need to match in a single event.

Testing that in PowerShell works perfectly (Get-WinEvent cmdlet). When I add that to my DCR rule it just brings in all events for EventID 4663. Tried modifying the query to:


"*[System[(EventID=4663)]] and *[EventData[Data[@Name='ProcessName']!='Path to a process'] and *[EventData[Data[@Name='SubjectUserName']!='Username']]"


This partially worked, but instead it filtered out all events (EventID 4663) that matched on the ProcessName value or on the SubjectUserName value. Basically matching on each instead of both. I was under the assumption the 'and' boolean would indicate both values need to match.

I've read XPath tutorials, Microsoft Docs and community blog posts about it but there's nothing about how queries actually work within the DCR.


Any help would be appreciated.


Thanks!

3 Replies

  • You need to enclose the filter in the same brackets. This example will filter Security Eventlog with EventID=4663 and param1!="ProcessName":
    Security!*[System[(EventID=4663 and EventData.Data.param1!="ProcessName")]]

    /Kenneth ML
    schrauf18713
    Copper Contributor

    mjomha I agree the concept of DCRs is great but I think there is not too much transparency yet on how it works!

    What I was able to solve is to get Windows 11 AV Standard logs into Log Analytics with an XPath query, but the key/value pairs like FileName, Signature, User, etc. are still nested in a big XML field.

    What is the best practice to extract only certain Values here?

    Do we have to do it via Search Level?

    It would be much better to find an easy way to edit this?


    Pernille-Eskebo Some more insights would be great?

      KennethML
      MCT

      schrauf18713
      As the data (probably) goes into the Event table, you are stuck with the schema. You can approach this in different ways: either create a custom table for the AV events and build the DCR rules and parser needed, or create a function that parses the XML content. It could be something like this:


      Event
      | where Source == "AVsource"
      | extend x = parse_xml(EventData)
      | extend filepath = x.DataItem.EventData.File.path


      /Kenneth ML
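Two things in this thread are easier to see with a runnable model than with XPath alone: the boolean semantics of the filter in the original question, and the "nested XML field" problem in the last exchange. The following Python script is an added example written for this page, not code from any poster, Sentinel, or the AMA. It uses constructed, simplified Windows event XML (the real schema carries a namespace and more System fields), placeholder values in place of the redacted process path and username, and the standard library's ElementTree as an offline stand-in for KQL's parse_xml(). Two predicates are shown: one that keeps an event only when neither field equals the excluded value (this is what XPath's `ProcessName != P and SubjectUserName != U` evaluates to, which is consistent with the "matched on one or the other" observation above), and one that drops an event only when both fields match, which is the requirement as stated in the question.

```python
"""Added walkthrough (not from the thread): flatten simplified Windows Security
events into key/value pairs, then compare the two boolean filters discussed."""
import xml.etree.ElementTree as ET

# Constructed sample events in the shape of Windows event XML (namespace and
# most System fields omitted so this runs offline with the standard library).
SAMPLE_EVENTS = [
    # 1: excluded process AND excluded user in the same event
    r"""<Event><System><EventID>4663</EventID></System><EventData>
        <Data Name="SubjectUserName">svc_backup</Data>
        <Data Name="ProcessName">C:\Tools\backup.exe</Data>
        <Data Name="ObjectName">C:\Data\payroll.xlsx</Data>
        </EventData></Event>""",
    # 2: only the user matches
    r"""<Event><System><EventID>4663</EventID></System><EventData>
        <Data Name="SubjectUserName">svc_backup</Data>
        <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
        <Data Name="ObjectName">C:\Data\report.docx</Data>
        </EventData></Event>""",
    # 3: only the process matches
    r"""<Event><System><EventID>4663</EventID></System><EventData>
        <Data Name="SubjectUserName">alice</Data>
        <Data Name="ProcessName">C:\Tools\backup.exe</Data>
        <Data Name="ObjectName">C:\Data\archive.zip</Data>
        </EventData></Event>""",
    # 4: neither matches
    r"""<Event><System><EventID>4663</EventID></System><EventData>
        <Data Name="SubjectUserName">alice</Data>
        <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
        <Data Name="ObjectName">C:\Data\notes.txt</Data>
        </EventData></Event>""",
    # 5: a different EventID (4656, handle requested), dropped by the ID filter
    r"""<Event><System><EventID>4656</EventID></System><EventData>
        <Data Name="SubjectUserName">alice</Data>
        <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
        <Data Name="ObjectName">C:\Data\notes.txt</Data>
        </EventData></Event>""",
]

# Placeholders standing in for the redacted path and username in the question.
EXCLUDED_PROCESS = r"C:\Tools\backup.exe"
EXCLUDED_USER = "svc_backup"


def flatten_event(xml_text):
    """Turn one event into a flat dict: EventID plus every EventData/Data child
    keyed by its Name attribute. This is the offline analogue of pulling the
    nested XML field apart so individual values become columns."""
    root = ET.fromstring(xml_text)
    record = {"EventID": root.findtext("System/EventID")}
    for data in root.iterfind("EventData/Data"):
        record[data.get("Name")] = data.text or ""
    return record


def neither_matches(rec):
    """What 'ProcessName != P and SubjectUserName != U' expresses: keep the
    event only when NEITHER field equals its excluded value."""
    return (rec.get("ProcessName") != EXCLUDED_PROCESS
            and rec.get("SubjectUserName") != EXCLUDED_USER)


def not_both_match(rec):
    """The requirement as stated in the question: drop the event only when
    BOTH fields match. By De Morgan this equals
    'ProcessName != P or SubjectUserName != U'."""
    return not (rec.get("ProcessName") == EXCLUDED_PROCESS
                and rec.get("SubjectUserName") == EXCLUDED_USER)


def filter_events(xml_events, predicate, event_id="4663"):
    """Apply the EventID filter plus a predicate; return the kept records."""
    kept = []
    for xml_text in xml_events:
        rec = flatten_event(xml_text)
        if rec["EventID"] == event_id and predicate(rec):
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for name, pred in (("neither_matches", neither_matches),
                       ("not_both_match", not_both_match)):
        kept = filter_events(SAMPLE_EVENTS, pred)
        print(f"{name}: kept {len(kept)} of {len(SAMPLE_EVENTS)} ->",
              [r.get("ObjectName") for r in kept])
```

Running the script shows neither_matches keeping one event (the one where both fields differ) while not_both_match keeps three; the difference is exactly the two events that match on only one field. The same flattening idea is what a parse_xml()-based function in KQL does on the Event table side, with the caveat that column names there come from the XML structure rather than from a Name attribute, so check the actual nesting of the AV events before hard-coding paths.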
