
Syntax of $XmlRegex property for white listing WinEventLog source rendered in XML

Path Finder

Hi,

I have a stanza which looks like this:

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=true
#Block events
whitelist = $XmlRegex='Level="2"'
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

If I remove the whitelist I get all the event types. However I only want the Error events. Without the renderXml option, my whitelist would look like this:

whitelist = Type="Error"

However, when rendered in XML the event level is rendered like this: <level>2</level>

However, the documentation has only the most basic example of searching for text when using renderXml.

Does anyone have any experience in advanced syntax for this option? I've tried:

whitelist = $XmlRegex='Level="2"'
whitelist = $XmlRegex=Level="2"
whitelist = $XmlRegex="\<Level\>2"
0 Karma
1 Solution

Path Finder

Thanks to @dan_mcinnes for his answer which made me think about testing my regex using Search. The tip about capturing groups wasn't actually needed. It was the escaping of the < which was causing it to fail. Actually none of the characters in <Level>2</Level> are special.

I always thought that unneeded escaping was "safe" so if you escaped a non-special character that it wouldn't affect the match, but it turns out it did.


0 Karma


New Member

Hi,

I've actually just been looking into the same thing. It looks like you need to include a capture group within your regex that will match something in the event.

I found the best way to get this right the first time round is by starting with a search in Splunk web that includes the regex command to test your regex quickly. Something like the example below should match your event. (Change the index to suit your needs)

index=* | regex _raw="(?<=Level\>)(4)"

If this works then you know your regex is matching correctly; you should then be able to take that and add it to a blacklist or whitelist depending on what you want:

 whitelist = $XmlRegex = '(?<=Level\>)(4)'
 blacklist = $XmlRegex = '(?<=Level\>)(4)'

I also like to use https://regex101.com/ when I'm doing anything with regex, I'd recommend checking it out.

0 Karma
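To check a candidate $XmlRegex whitelist offline before deploying the stanza, here is an added Python harness (not from the original posts or from Splunk) that applies the regex to rendered XML events the way the whitelist would and cross-checks the result against the parsed System/Level value. The events are constructed from the thread's sample, and Python's re module is only a stand-in for Splunk's regex engine (it accepts `\<`, so it will not reproduce the escaping failure described above).

```python
import re
import xml.etree.ElementTree as ET

# Windows event schema namespace used in renderXml output.
NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def render_event(event_id, level, record_id):
    """Build a minimal renderXml-style AppLocker event.
    Constructed for this example, abridged from the sample posted in the thread."""
    return (
        f"<Event xmlns='{NS}'><System>"
        "<Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/>"
        f"<EventID>{event_id}</EventID><Version>0</Version><Level>{level}</Level><Task>0</Task>"
        f"<EventRecordID>{record_id}</EventRecordID>"
        "<Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>HOSTNAME</Computer>"
        "</System></Event>"
    )

SAMPLE_EVENTS = [
    render_event(8002, 4, 28242),  # Level 4 (Information), as posted in the thread
    render_event(8004, 2, 28243),  # constructed: a block event, Level 2 (Error)
]

def whitelist_matches(xml_regex, rendered_events):
    """Keep only events whose rendered XML contains a match for the candidate regex,
    which is what a $XmlRegex whitelist does to each event."""
    pattern = re.compile(xml_regex)
    return [evt for evt in rendered_events if pattern.search(evt)]

def level_of(rendered_event):
    """Ground truth: read System/Level with an XML parser rather than a regex."""
    root = ET.fromstring(rendered_event)
    return int(root.find(f"{{{NS}}}System/{{{NS}}}Level").text)

def check_whitelist(xml_regex, rendered_events, wanted_level):
    """True when the regex keeps exactly the events whose parsed Level equals wanted_level,
    i.e. it neither drops wanted events nor lets other levels through."""
    kept = set(whitelist_matches(xml_regex, rendered_events))
    expected = {e for e in rendered_events if level_of(e) == wanted_level}
    return kept == expected

if __name__ == "__main__":
    # The thread's original attempt (attribute syntax) cannot match element-style XML;
    # the unescaped element form and the lookbehind form both select only the Level 2 event.
    for candidate in ('Level="2"', "<Level>2</Level>", "(?<=Level>)(2)"):
        print(f"{candidate!r}: {check_whitelist(candidate, SAMPLE_EVENTS, 2)}")
```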

Path Finder

Hi,
It's a standard windows event log. Apologies that my link to the Splunk documentation didn't work. You can see a sample event in here
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/MonitorWindowseventlogdata

Scroll down to the heading: Display Windows Event Log events in XML

0 Karma

Communicator

try using whitelist = $XmlRegex=Event.System.Level=2

0 Karma

Path Finder

Well, I tried something very similar. Would you need to escape the <?

Like this 2\

Forward slashes don't require escaping in my experience.

0 Karma

Communicator

2<\/Level>

Without the escaping, the regex isn't working.

0 Karma

Path Finder

Hmm, the web portal mangled my reply.

Have you tested the above? I tried something very similar (see my OP) and it didn't work.

0 Karma

Path Finder

Thanks for your suggestion, but it didn't work. Here is a sample of the actual event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/><EventID>8002</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2020-01-20T22:30:09.805334100Z'/><EventRecordID>28242</EventRecordID><Correlation/><Execution ProcessID='4640' ThreadID='7872'/><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>HOSTNAME</Computer><Security UserID='S-1-5-21-3206126476-1968031584-1518185873-1130'/></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>DLL</PolicyName><RuleId>{bac4b0bf-6f1b-40e8-8627-8545fa89c8b6}</RuleId><RuleNameLength>37</RuleNameLength><RuleName>(Default Rule) Microsoft Windows DLLs</RuleName><RuleSddlLength>57</RuleSddlLength><RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl><TargetUser>S-1-5-21-3206126476-1968031584-1518185873-1130</TargetUser><TargetProcessId>4640</TargetProcessId><FilePathLength>22</FilePathLength><FilePath>%SYSTEM32%\NTMARTA.DLL</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>117</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NTMARTA.DLL\10.0.17763.01</Fqbn><TargetLogonId>0x71c37ca</TargetLogonId></RuleAndFileData></UserData></Event>
0 Karma

Communicator

2<\/Level> tried this?

0 Karma

Path Finder

Thanks for your suggestion, but this whitelist didn't work. With the input enabled all events are forwarded. I've tried it as you suggested and have put the "2" in quotes.

Here is a copy and paste of an actual event:


0 Karma

Communicator

Can you provide a sample event?

0 Karma