Dears,

I'm trying to filter out XML formatted events and below is sample event and REGEX which we used:

Sample Events:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>1</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-03-18T07:29:59.988001100Z'/><EventRecordID>11295805761</EventRecordID><Correlation/><Execution ProcessID='796' ThreadID='25576'/><Channel>Security</Channel><Computer>DC01.XXXX.COM</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>UCXXX\XXXDSOD02$</Data><Data Name='TargetUserName'>XXXDSOD02$</Data><Data Name='TargetDomainName'>UCXXX</Data><Data Name='TargetLogonId'>0x13443956d5</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{5517AA4A-D860-6053-03FD-1FE752FC995B}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.X.X.73</Data><Data Name='IpPort'>53681</Data><Data Name='ImpersonationLevel'>%%1833</Data></EventData></Event>

Regex Implemented in inputs.conf file:

blacklist10 = EventCode="4624" Message="SubjectUserSid:\s+(NULL SID)"
blacklist11 = $xmlRegex="\<EventID\>4624.*\'SubjectUserSid\'\>NULL\sSID\<.+SubjectUserName\'\>\-\<.+SubjectDomainName\'\>\-\<.+SubjectLogonId\'\>0x0\<"
blacklist12 = EventCode="4624" WorkstationName="-"

Props.conf:

TRANSFORMS-null=setnull

Transforms.conf:

[setnull]
SOURCE_KEY = _raw
REGEX = (\<EventID\>4624.+\'SubjectUserSid\'\>NULL\sSID\<.+SubjectUserName\'\>\-\<.+SubjectDomainName\'\>\-\<.+SubjectLogonId\'\>0x0\<)
DEST_KEY = queue
FORMAT = nullQueue

Please suggest if you have solution for this.

Thanks,

Suraj