Forum Discussion

A52's avatar
A52
Copper Contributor
Nov 18, 2024

DCR xPath - Nomenclature modification?

Hello, I have a question regarding the custom (xPath) configuration when creating a DCR for Windows Security Events via AMA Below is the xPath I was using until now to exclude the following EventID...
azure
data collection
siem
MHenshaw's avatar
MHenshaw
Brass Contributor
Nov 19, 2024

Hi All 

I've been playing around with it and it looks like you have to use the xml format that shows up in the event viewer - 

so instead of this Security!*[System[(EventID=4799)]] or this Security!*[System[(EventID=4799)]]

use these instead

"Security">*[System[((EventID=4799))]] or to exclude use this "Security">*[System[not((EventID=4799))]] 

A52's avatar
A52
Copper Contributor
Nov 19, 2024

Hi, thanks a lot for your reply.

I just tried the above but unfortunately, I am getting the following error: "Missing '!' between channel name and query expression":

When trying to add a '!' character in the xPath query, the message "The event log you have specified is not a valid xPath." appears again.

  • MHenshaw's avatar
    MHenshaw
    Brass Contributor
    Nov 19, 2024

    Hey! 

     

    Yep you are right, however i've just managed to bypass the error by using the data collection tool kit which i believe is built off the API heres a link to it - Create, Edit, and Monitor Data Collection Rules with the Data Collection Rule Toolkit | Microsoft Community Hub

    for context i only had the first 2 rules before this test and added the level 4 rule after and it seemed to have succeeded, potentially an issue with data validation on the DCR gui?

     

     

    • A52's avatar
      A52
      Copper Contributor
      Nov 24, 2024

      Thanks for your reply! It seems that it is the only alternative as for now. I will keep the discussion open to see if the situation evolves in the coming days. 

Resources