Forum Discussion

mjomha's avatar
mjomha
Copper Contributor
Jun 08, 2022

Data Collection Rules and Xpath Queries Issue

Testing out the AMA to create custom filters for certain events. Still new to Xpath so have testing out some queries I've created. One query doesn't seem to work in sentinel the way I expect. Even th...
data collection
monitoring
schrauf18713's avatar
schrauf18713
Copper Contributor
Apr 02, 2023

mjomhaI agree the concept of DCR's is great but I think there is not too much transparency yet on how it works! 

 

What I was able to solve is to get Windows 11 AV Standard logs into Log Analytics with a XPath Query but the Key Value Pairs like FileName, Signature, User, ect. are still nested in a big XML Field.

What is the best practice to extract only certain Values here?

Do we have to do it via. Search Level?

It would be much better to find an easy way to edit this?


Pernille-Eskebo Some more insights would be great?

  • KennethML's avatar
    KennethML
    MCT
    Apr 18, 2023

    schrauf18713 
    As the data (probably) goes into the Event table, you are stuck with the schema. You can approach this in diffferent ways, either create a custom table for the AV events and build the DCR rules and parser needed or create a function that parses the XML content. It could be something like this:


    Event
    | where Source == "AVsource"
    | extend x = parse_xml(EventData)
    | extend filepath = x.DataItem.EventData.File.path

     

    /Kenneth ML

Resources