topic Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML in Dashboards & Visualizations

Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

jeremyhagand61 — Mon, 20 Jan 2020 04:30:03 GMT

Hi,

I have a stanza which looks like this:

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=true
#Block events
whitelist = $XmlRegex='Level="2"'
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

If I remove the whitelist I get all the event types. However I only want the Error events. Without the renderXml option, my whitelist would look like this:

whitelist = Type="Error"

However, when rendered in Xml the event level is rendered like this <level>2</level>

However, the documentation has only the most basic example of searching for text when using renderXml.

Does anyone have any experience in advanced syntax for this option? I've tried:

whitelist = $XmlRegex='Level="2"'
whitelist = $XmlRegex=Level="2"
whitelist = $XmlRegex="\<Level\>2"

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

ashajambagi — Mon, 20 Jan 2020 07:09:20 GMT

Can you provide a sample event?

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

jeremyhagand61 — Mon, 20 Jan 2020 07:15:55 GMT

Hi,
It's a standard windows event log. Apologies that my link to the Splunk documentation didn't work. You can see a sample event in here
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/MonitorWindowseventlogdata

Scroll down to the heading: Display Windows Event Log events in XML

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

ashajambagi — Mon, 20 Jan 2020 07:44:19 GMT

try using whitelist = $XmlRegex=Event.System.Level=2

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

jeremyhagand61 — Mon, 20 Jan 2020 22:35:56 GMT

Thanks for your suggestion, but this whitelist didn't work. With the input enabled all events are forwarded. I've tried it as you suggested and have put the "2" in quotes.

Here is a copy and paste of an actual event:

xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> Name='Microsoft-Windows-AppLocker'
Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/>800204000x8000000000000000 SystemTime='2020-01-20T22:30:09.805334100Z'/>28242 ProcessID='4640'
ThreadID='7872'/>Microsoft-Windows-AppLocker/EXE
and
DLLZPVWMGT01X.dmz.amsa.gov.au UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/> xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>3DLL{bac4b0bf-6f1b-40e8-8627-8545fa89c8b6}37(Default Rule) Microsoft Windows
DLLs57D:(XA;;FX;;;S-1-1-0;(APPID://PATH
Contains
"%WINDIR%*"))S-1-5-21-3206126476-1968031584-1518185873-1130464022%SYSTEM32%\NTMARTA.DLL0117O=MICROSOFT
CORPORATION, L=REDMOND, S=WASHINGTON,
C=US\MICROSOFT® WINDOWS® OPERATING
SYSTEM\NTMARTA.DLL\10.0.17763.010x71c37ca

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

jeremyhagand61 — Mon, 20 Jan 2020 22:37:48 GMT

Thanks for your suggestion, but it didn't work. Here is a sample of the actual event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/><EventID>8002</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-01-20T22:30:09.805334100Z'/><EventRecordID>28242</EventRecordID><Correlation/><Execution ProcessID='4640' ThreadID='7872'/><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>HOSTNAME</Computer><Security UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>DLL</PolicyName><RuleId>{bac4b0bf-6f1b-40e8-8627-8545fa89c8b6}</RuleId><RuleNameLength>37</RuleNameLength><RuleName>(Default Rule) Microsoft Windows DLLs</RuleName><RuleSddlLength>57</RuleSddlLength><RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl><TargetUser>S-1-5-21-3206126476-1968031584-1518185873-1130</TargetUser><TargetProcessId>4640</TargetProcessId><FilePathLength>22</FilePathLength><FilePath>%SYSTEM32%\NTMARTA.DLL</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>117</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NTMARTA.DLL\10.0.17763.01</Fqbn><TargetLogonId>0x71c37ca</TargetLogonId></RuleAndFileData></UserData></Event>

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

ashajambagi — Tue, 21 Jan 2020 05:31:54 GMT

2<\/Level> tried this?

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

jeremyhagand61 — Wed, 22 Jan 2020 01:11:01 GMT

Well I tried something very similar. Would you need to escape the <

Like this 2\

Forward slashes don't require escaping in my experience.

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

ashajambagi — Wed, 22 Jan 2020 05:25:29 GMT

2<\/Level>

Without the escaping, the regex isn't working

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

jeremyhagand61 — Wed, 22 Jan 2020 05:36:21 GMT

Hmm, the web portal mangled my reply.

Have you tested the above? I tried something very similar (see my OP) and it didn't work.

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

dan_mcinnes — Wed, 22 Jan 2020 09:29:45 GMT

Hi,

I've actually just been looking into the same thing. It looks like you need to include a capture group within your regex that will match something in the event.

I found the best way to get this right the first time round is by starting with a search in Splunk web that includes the regex command to test your regex quickly. Something like the example below should match your event. (Change the index to suit your needs)

index=* | regex _raw="(?<=Level\>)(4)"

If this works then you know your regex is matching correctly, you should then be able to take that and add it to a blacklist or whitelist depending on what you want

 whitelist = $XmlRegex = '(?<=Level\>)(4)'
 blacklist = $XmlRegex = '(?<=Level\>)(4)'

I also like to use https://regex101.com/ when I'm doing anything with regex, I'd recommend checking it out.

Re: Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

jeremyhagand61 — Wed, 22 Jan 2020 22:01:39 GMT

Thanks to @dan_mcinnes for his answer which made me think about testing my regex using Search. The tip about capturing groups wasn't actually needed. It was the escaping of the < which was causing it to fail. Actually none of the characters in <Level>2</Level> are special.

I always thought that unneeded escaping was "safe" so if you escaped a non-special character that it wouldn't affect the match, but it turns out it did.