Testing out the AMA to create custom filters for certain events. Still new to Xpath so have testing out some queries I've created. One query doesn't seem to work in sentinel the way I expect. Even though I tested in PowerShell and it works perfectly. Kind stuck as I am not sure exactly what is wrong with the query.
Sample of the query I am testing:
"*[System[EventID=4663] and EventData[Data[@Name='ProcessName']!='Path to a process'] and EventData[Data[@Name='SubjectUserName']!='Username']]"
(Removed the actual path to the process and username)
Basically I am looking to pull in all eventID 4663 events that do not contain a specific ProcessName and SubjectUsername. Both need to match in a single event.
Testing that in Powershell works perfectly (Get-WinEvent cmdlet). When I add that to my DCR rule it just brings in all Events for EventID 4663. Tried modifying the query to:
"*[System[(EventID=4663)]] and *[EventData[Data[@Name='ProcessName']!='Path to a process'] and *[EventData[Data[@Name='SubjectUserName']!='Username']]"
This partially worked but instead it filtered out all events (eventID4663) that matched on ProcessName value or on SubjectUserName. Basically matching on each instead of both. I was under the assumption the and boolean would indicate both values need to match.
I've read Xpath tutorials, Microsoft Docs and community blog posts about it but there's nothing about how queries actually work within the DCR.