
Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

jeremyhagand61
Communicator

Hi,

I have a stanza which looks like this:

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=true
#Block events
whitelist = $XmlRegex='Level="2"'
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

If I remove the whitelist, I get all the event types. However, I only want the Error events. Without the renderXml option, my whitelist would look like this:

whitelist = Type="Error"

However, when rendered in XML the event level is rendered like this: <Level>2</Level>

However, the documentation has only the most basic example of searching for text when using renderXml.

Does anyone have any experience in advanced syntax for this option? I've tried:

whitelist = $XmlRegex='Level="2"'
whitelist = $XmlRegex=Level="2"
whitelist = $XmlRegex="\<Level\>2"
1 Solution

jeremyhagand61
Communicator

Thanks to @dan_mcinnes for his answer, which made me think about testing my regex using Search. The tip about capturing groups wasn't actually needed. It was the escaping of the < that was causing it to fail. Actually, none of the characters in <Level>2</Level> are special.

I always thought that unneeded escaping was "safe", so that if you escaped a non-special character it wouldn't affect the match, but it turns out it did.

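A dry run of the whitelist against sample events, as an added example that is not part of the original thread and not Splunk's own code. It applies the unescaped <Level>2</Level> pattern from the accepted answer, and the (?<=Level>) lookbehind from dan_mcinnes's search test, to two constructed XML-rendered AppLocker events: an abbreviated copy of the Level 4 event 8002 posted in the thread and a hypothetical Level 2 "blocked" event 8004. The parse_xml_regex helper, and the way it strips the quotes around the value, is an approximation of how Splunk reads a whitelist = $XmlRegex=... line, not Splunk's parser. One caveat the thread's outcome points at: Python's re module, like PCRE, reads \< as a literal <, so the escaped pattern matches here, whereas engines such as Boost.Regex and GNU regex read \< and \> as word-boundary assertions. A match in this script, or in a | regex search, is therefore necessary but not sufficient; confirm by enabling the input and counting forwarded events per Level.

```python
"""Dry-run a Splunk $XmlRegex whitelist against XML-rendered Windows events.

Added example, not code from the original post or from Splunk. Only the
observable behaviour is mimicked: an unanchored regex search over the
rendered XML. The conf parsing is an approximation and the sample events
are constructed for this example.
"""
import re

# Constructed inputs.conf stanza in the form the thread settled on: none of
# the characters in <Level>2</Level> is a regex metacharacter, so nothing
# is escaped.
INPUTS_CONF = """\
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml = true
# Block events only
whitelist = $XmlRegex='<Level>2</Level>'
start_from = oldest
"""

# Constructed, abbreviated sample events. The first mirrors the Level 4
# "allowed" event 8002 from the thread; the second is a hypothetical Level 2
# "blocked" event 8004 from the same provider (assumed for this example).
EVENTS = [
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-AppLocker'/>"
    "<EventID>8002</EventID><Version>0</Version><Level>4</Level>"
    "<Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>"
    "<Computer>HOSTNAME</Computer></System>"
    "<UserData><RuleAndFileData><PolicyName>DLL</PolicyName>"
    "<FilePath>%SYSTEM32%\\NTMARTA.DLL</FilePath></RuleAndFileData>"
    "</UserData></Event>",
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-AppLocker'/>"
    "<EventID>8004</EventID><Version>0</Version><Level>2</Level>"
    "<Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>"
    "<Computer>HOSTNAME</Computer></System>"
    "<UserData><RuleAndFileData><PolicyName>EXE</PolicyName>"
    "<FilePath>%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\TOOL.EXE</FilePath>"
    "</RuleAndFileData></UserData></Event>",
]

# Matches "whitelist = $XmlRegex=<value>" and captures the raw value.
WHITELIST_RE = re.compile(
    r"^\s*whitelist\s*=\s*\$XmlRegex\s*=\s*(.+?)\s*$", re.MULTILINE
)


def parse_xml_regex(conf_text: str) -> str:
    """Return the $XmlRegex value from the first whitelist line.

    Approximation of Splunk's conf handling for this example: a value
    wrapped in matching single or double quotes has the quotes removed.
    """
    m = WHITELIST_RE.search(conf_text)
    if m is None:
        raise ValueError("no 'whitelist = $XmlRegex=...' line found")
    value = m.group(1)
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return value


def event_id(event_xml: str) -> str:
    """Return the EventID of a rendered event, or '' if it has none."""
    m = re.search(r"<EventID>(\d+)</EventID>", event_xml)
    return m.group(1) if m else ""


def filter_events(events, pattern: str):
    """Return the EventIDs that would pass a $XmlRegex whitelist.

    The search is unanchored over the whole rendered XML, so the pattern
    can match anywhere in the event, not only inside <System>.
    """
    rx = re.compile(pattern)
    return [event_id(e) for e in events if rx.search(e)]


# Patterns tried in the thread. Python's re reads "\<" as a literal "<",
# so the escaped form matches here even though the thread reports it
# failing in the Splunk input; engines such as Boost.Regex and GNU regex
# treat "\<" and "\>" as word-boundary assertions instead.
CANDIDATES = {
    "unescaped": "<Level>2</Level>",
    "lookbehind": "(?<=Level>)(2)",
    "escaped": r"\<Level\>2",
}


def run_dry_run():
    """Evaluate the stanza's whitelist and each candidate against EVENTS."""
    results = {"stanza": filter_events(EVENTS, parse_xml_regex(INPUTS_CONF))}
    for name, pat in CANDIDATES.items():
        results[name] = filter_events(EVENTS, pat)
    return results


if __name__ == "__main__":
    for name, ids in run_dry_run().items():
        print(f"{name:10s} -> {ids}")
```

Because the whitelist is a plain substring search over the rendered XML, <Level>2</Level> will also match if some other element of that name appears elsewhere in an event; for AppLocker the Level element only occurs in the System section, but if you need a stricter filter, matching on the EventID element (for example the 8004 block event) is less ambiguous than matching on the severity.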


dan_mcinnes
New Member

Hi,

I've actually just been looking into the same thing. It looks like you need to include a capture group within your regex that will match something in the event.

I found the best way to get this right the first time round is by starting with a search in Splunk web that includes the regex command to test your regex quickly. Something like the example below should match your event. (Change the index to suit your needs)

index=* | regex _raw="(?<=Level\>)(4)"

If this works, you know your regex is matching correctly; you should then be able to take that and add it to a blacklist or whitelist, depending on what you want:

 whitelist = $XmlRegex = '(?<=Level\>)(4)'
 blacklist = $XmlRegex = '(?<=Level\>)(4)'

I also like to use https://regex101.com/ when I'm doing anything with regex, I'd recommend checking it out.


jeremyhagand61
Communicator

Hi,
It's a standard Windows event log. Apologies that my link to the Splunk documentation didn't work. You can see a sample event here:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/MonitorWindowseventlogdata

Scroll down to the heading: Display Windows Event Log events in XML


ashajambagi
Communicator

try using whitelist = $XmlRegex=Event.System.Level=2


jeremyhagand61
Communicator

Well, I tried something very similar. Would you need to escape the <?

Like this 2\

Forward slashes don't require escaping in my experience.


ashajambagi
Communicator

2<\/Level>

Without the escaping, the regex isn't working


jeremyhagand61
Communicator

Hmm, the web portal mangled my reply.

Have you tested the above? I tried something very similar (see my OP) and it didn't work.


jeremyhagand61
Communicator

Thanks for your suggestion, but it didn't work. Here is a sample of the actual event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/><EventID>8002</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-01-20T22:30:09.805334100Z'/><EventRecordID>28242</EventRecordID><Correlation/><Execution ProcessID='4640' ThreadID='7872'/><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>HOSTNAME</Computer><Security UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>DLL</PolicyName><RuleId>{bac4b0bf-6f1b-40e8-8627-8545fa89c8b6}</RuleId><RuleNameLength>37</RuleNameLength><RuleName>(Default Rule) Microsoft Windows DLLs</RuleName><RuleSddlLength>57</RuleSddlLength><RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl><TargetUser>S-1-5-21-3206126476-1968031584-1518185873-1130</TargetUser><TargetProcessId>4640</TargetProcessId><FilePathLength>22</FilePathLength><FilePath>%SYSTEM32%\NTMARTA.DLL</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>117</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NTMARTA.DLL\10.0.17763.01</Fqbn><TargetLogonId>0x71c37ca</TargetLogonId></RuleAndFileData></UserData></Event>

ashajambagi
Communicator

2<\/Level> tried this?


jeremyhagand61
Communicator

Thanks for your suggestion, but this whitelist didn't work. With the input enabled, all events are forwarded. I've tried it as you suggested and have put the "2" in quotes.

Here is a copy and paste of an actual event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/><EventID>8002</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-01-20T22:30:09.805334100Z'/><EventRecordID>28242</EventRecordID><Correlation/><Execution ProcessID='4640' ThreadID='7872'/><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>ZPVWMGT01X.dmz.amsa.gov.au</Computer><Security UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>DLL</PolicyName><RuleId>{bac4b0bf-6f1b-40e8-8627-8545fa89c8b6}</RuleId><RuleNameLength>37</RuleNameLength><RuleName>(Default Rule) Microsoft Windows DLLs</RuleName><RuleSddlLength>57</RuleSddlLength><RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl><TargetUser>S-1-5-21-3206126476-1968031584-1518185873-1130</TargetUser><TargetProcessId>4640</TargetProcessId><FilePathLength>22</FilePathLength><FilePath>%SYSTEM32%\NTMARTA.DLL</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>117</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NTMARTA.DLL\10.0.17763.01</Fqbn><TargetLogonId>0x71c37ca</TargetLogonId></RuleAndFileData></UserData></Event>


ashajambagi
Communicator

Can you provide a sample event?
