Forum Discussion
DCR xPath - Nomenclature modification?
Hello,
I have a question regarding the custom (xPath) configuration when creating a DCR for Windows Security Events via AMA
Below is the xPath I was using until now to exclude the following EventIDs 4689, 5449 and 5145. It was working perfectly fine:
Raw xPath: Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]
Today I wanted to modify it to exclude another EventID, but got an error mentioning that "the event log you have specified is not a valid xPath":
Raw xPath: Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]
I tried to remove the "Security" channel from the xPath as below:
*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]
But this throws an error:
Has the xPath nomenclature been updated, or is there a new way to exclude specific Event IDs that I missed? Is anyone facing the same issue?
Thanks in advance.
- NicolasV1712 (Copper Contributor)
Hello,
I had the same problem. During a conversation with Microsoft we found a workaround, and it works for me. I followed this process: Microsoft-Defender-for-Cloud/Powershell scripts/Create AMA DCR for Security Events collection at main · Azure/Microsoft-Defender-for-Cloud.
When I launched the script with my custom PathQuery, from Sentinel I found my XPathQuery and the link to the previously created DCR.
I hope this link helps you
- tapiidk (Copper Contributor)
Same issue here. The custom collection rule does not work; we have changed to minimal collection until the problem is solved.
- iankb07 (Copper Contributor)
Put double quotes at the start and end of the path.
"Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]"
- A52 (Copper Contributor)
Does it work on your side? When trying it with double quotes as you mentioned, no logs are coming in at all, as if it breaks the logic of the xPath.
- MHenshaw (Brass Contributor)
Hi All,
I've been playing around with it and it looks like you have to use the XML format that shows up in Event Viewer -
so instead of this Security!*[System[(EventID=4799)]] or this Security!*[System[(EventID=4799)]]
use these instead
"Security">*[System[((EventID=4799))]] or to exclude use this "Security">*[System[not((EventID=4799))]]
- A52 (Copper Contributor)
Hi, thanks a lot for your reply.
I just tried the above but unfortunately, I am getting the following error: "Missing '!' between channel name and query expression":
When trying to add a '!' character in the xPath query, the message "The event log you have specified is not a valid xPath." appears again.
- MHenshaw (Brass Contributor)
Hey!
Yep, you are right. However, I've just managed to bypass the error by using the Data Collection Toolkit, which I believe is built on top of the API. Here's a link to it - Create, Edit, and Monitor Data Collection Rules with the Data Collection Rule Toolkit | Microsoft Community Hub
For context, I only had the first 2 rules before this test and added the Level 4 rule afterwards, and it seems to have succeeded. Potentially an issue with data validation in the DCR GUI?
- maukka (Copper Contributor)
Yep, exactly the same here.
Even if you copy an xPath expression from your existing (functioning) DCR and try to create a new one from it, you cannot do it anymore: "The event log you have specified is not a valid xPath."
Either broken or some fatal change... Frustrating.
- iankb07 (Copper Contributor)
I am getting exactly the same error.
Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]
"The event log you have specified is not a valid xPath."
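Added example, not posted by anyone in this thread: before pasting a query into the DCR portal, let the local Windows event log engine parse the expression with Get-WinEvent, then emit the windowsEventLogs data source fragment that a template or REST deployment (the route the script and toolkit above take) accepts. It assumes a Windows host, an elevated shell for the Security channel, and the constructed data source name securityEventsFiltered.

```powershell
# Added example: validate a DCR-style "<channel>!<xpath>" query locally and
# build the matching DCR data source fragment. Not the thread's own code.
function Test-DcrXPathQuery {
    param(
        [Parameter(Mandatory)][string]$Query,   # e.g. 'Security!*[System[(EventID!=4689)]]'
        [int]$MaxEvents = 5
    )

    # The DCR form is <channel>!<xpath>; the portal error "Missing '!' between
    # channel name and query expression" is this split failing.
    $sep = $Query.IndexOf('!')
    if ($sep -lt 1) { throw "Query must be <channel>!<xpath expression>: $Query" }
    $channel = $Query.Substring(0, $sep)
    $xpath   = $Query.Substring($sep + 1)

    # Surrounding double quotes are not part of the syntax and break the filter.
    if ($channel.StartsWith('"') -or $xpath.EndsWith('"')) {
        throw "Remove the double quotes around the query: $Query"
    }

    # Ask the event log engine to parse the expression against the real log.
    # An invalid expression throws; "no events" means the syntax is fine but
    # nothing matched yet, which is still a pass for syntax purposes.
    try {
        $sample = Get-WinEvent -LogName $channel -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction Stop
        Write-Host "OK: '$channel' accepted the expression; $($sample.Count) sample event(s):"
        $sample | Select-Object TimeCreated, Id | Format-Table -AutoSize | Out-String | Write-Host
    } catch {
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
        Write-Host "OK: expression parsed, but no events in '$channel' match it yet."
    }

    # Security events collected for Sentinel use the Microsoft-SecurityEvent
    # stream; other Windows logs use Microsoft-Event.
    $stream = if ($channel -eq 'Security') { 'Microsoft-SecurityEvent' } else { 'Microsoft-Event' }
    $dataSource = [ordered]@{
        name         = 'securityEventsFiltered'   # constructed name
        streams      = @($stream)
        xPathQueries = @($Query)                  # the unquoted channel!xpath form
    }
    return $dataSource | ConvertTo-Json -Depth 3
}

# The exclusion query from the original post, with 4625 added.
Test-DcrXPathQuery -Query 'Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]'
```

The returned JSON is the object to place under properties.dataSources.windowsEventLogs in the DCR template; a query that Get-WinEvent rejects will not match events in the DCR either.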