pm_pattern - matchfield


#1 tiparker

I'm trying to figure out a good way of only forwarding along events of significance and to filter out the rest - but without having hundreds of lines of XPath queries in nxlog.conf file. I understand that multiple blocks are AND'd together and that 'type' may only be "exact or regexp", but there doesn't appear to be any negation logic (e.g. NOT item or OR item).

Is the 'pm_pattern' module the best approach for trying to accomplish this? Can pattern matches in the patterndb.xml file be defined to drop matching messages? Would a viable approach be to define capture groups to set a variable, then just have something like 'Exec if defined $unwantedMatch { drop(); }'?

XPath Query: <Suppress Path="Security"> *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)]] and *[EventData[ ( (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0') or Data[@Name='TargetUserName']='ANONYMOUS LOGON' or Data[@Name='TargetUserSID']='S-1-5-18' )]] </Suppress>

patterndb.xml attempt:

    <pattern>
        <id>7</id>
        <name>Suppress Service Logons</name>
        <matchfield>
            <name>EventID</name>
            <type>regexp</type>
            <value>4624|4625|4634</value>
        </matchfield>
        <matchfield>
            <name>Level</name>
            <type>regexp</type>
            <value>0|4</value>
        </matchfield>
        <exec>
            if ( $LogonType =~ /0|5/ or $TargetUserName == 'ANONYMOUS LOGON' or $TargetUserSID == 'S-1-5-18' ) drop();
        </exec>
    </pattern>

XPath Query: *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4624]] and *[EventData[Data[@Name='LogonType']='3']] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']] and *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']] and *[EventData[Data[@Name='TargetDomainName']!='TEST']]

patterndb.xml attempt:

    <pattern>
        <id>2</id>
        <name>Pass the Hash Success Detection</name>
        <matchfield>
            <name>EventID</name>
            <type>exact</type>
            <value>4624</value>
        </matchfield>
        <matchfield>
            <name>Severity</name>
            <type>exact</type>
            <value>INFO</value>
        </matchfield>
        <matchfield>
            <name>LogonType</name>
            <type>exact</type>
            <value>3</value>
        </matchfield>
        <matchfield>
            <name>AuthenticationPackageName</name>
            <type>exact</type>
            <value>NTLM</value>
        </matchfield>
        <matchfield>
            <name>TargetUserName</name>
            <type>regexp</type>
            <value>(?!ANONYMOUS LOGON)</value>
        </matchfield>
        <matchfield>
            <name>TargetDomainName</name>
            <type>regexp</type>
            <value>(?!TEST)</value>
        </matchfield>
        <exec>
            $PatternID = 2;
        </exec>
    </pattern>

Thank you for any wisdom/assistance.
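The two filters from the post written in NXLog's own expression language inside an Exec block instead of as XPath or patterndb matchfields, as an added example that is not part of the original post. The Exec language has `and`, `or`, `not`, `!=` and `=~`, so the negation and OR logic that matchfield cannot express goes there, and the event log query is reduced to the three event IDs. It assumes im_msvistalog delivers $EventID as an integer and the EventData values ($LogonType, $TargetUserName, $TargetUserSID, $AuthenticationPackageName, $TargetDomainName, $IpAddress) as string fields named after their Data elements; the instance name `eventlog` and the domain name TEST are taken from the post, not from any real environment.

```nxlog
<Input eventlog>
    Module  im_msvistalog
    # Pull only logon/logoff events from the Security log; everything else
    # is decided in Exec, where negation and OR are available.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
                      and (EventID=4624 or EventID=4625 or EventID=4634)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Assumption: EventData fields are strings, so compare against "5", not 5.
        # Equivalent of the XPath <Suppress>: service (5) and system (0) logons,
        # ANONYMOUS LOGON and the SYSTEM account (S-1-5-18) are discarded.
        if ($LogonType == "0" or $LogonType == "5")
           or $TargetUserName == "ANONYMOUS LOGON"
           or $TargetUserSID == "S-1-5-18"
        {
            drop();
        }

        # Equivalent of the second XPath query: a network (3) logon authenticated
        # with NTLM whose target is neither anonymous nor in our own domain TEST.
        # The XPath '!=' tests become plain '!=' comparisons here.
        if $EventID == 4624
           and $LogonType == "3"
           and $AuthenticationPackageName == "NTLM"
           and $TargetUserName != "ANONYMOUS LOGON"
           and $TargetDomainName != "TEST"
        {
            $PatternID = 2;
            log_info("Possible pass-the-hash logon: " + $TargetDomainName + "/"
                     + $TargetUserName + " from " + $IpAddress);
        }
    </Exec>
</Input>
```

If a regex is preferred over the chained equality tests, anchor it: `$LogonType =~ /^(0|5)$/` matches only those two values, whereas the unanchored `/0|5/` from the patterndb attempt also matches LogonType 10 (RemoteInteractive, i.e. RDP), so an unanchored suppress rule would quietly discard remote interactive logons that a detection pipeline usually wants to keep.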

#2 tiparker
    <pattern>
        <!-- Removes all service (success/failed) logons from being captured -->
        <!-- LogonType 5 and 0 are respectively used for services and system logons -->
        <id>1</id>
        <name>Suppress Service Logons</name>
        <matchfield>
            <name>EventID</name>
            <type>regexp</type>
            <!-- Anchored so only a whole EventID matches; an unanchored
                 (4624|4625|4634) also matches any value containing those digits -->
            <value>^(4624|4625|4634)$</value>
            <capturedfield>
                <name>match_EventID</name>
                <type>string</type>
            </capturedfield>
        </matchfield>
        <matchfield>
            <name>Severity</name>
            <type>exact</type>
            <value>INFO</value>
        </matchfield>
        <matchfield>
            <name>LogonType</name>
            <type>regexp</type>
            <!-- Anchored: an unanchored (0|5) also matches LogonType 10
                 (RemoteInteractive/RDP) and would suppress those logons too -->
            <value>^(0|5)$</value>
            <capturedfield>
                <name>match_LogonType</name>
                <type>string</type>
            </capturedfield>
        </matchfield>
        <exec>
            # The pattern only tags the event; the drop() is done by a later Exec
            $dropEvent = TRUE;
            log_info("Suppress Logon types 0 or 5: " + $LogonType);
        </exec>
    </pattern>

The intended logic is simply: If ($EventID == '4624' AND $Severity == 'INFO' AND ($LogonType == 0 OR $LogonType == 5)) { $dropEvent = TRUE }

From two resultant matches on the above pattern: apparently the second one shows that '3' is equal to '0' or '5'?

    2021-04-22 09:58:21 INFO Suppress Logon types 0 or 5: 5
    2021-04-22 09:58:22 INFO Suppress Logon types 0 or 5: 3

It's just sheer madness that no matter how many variations I try it just does NOT work as expected - even when I manually validate the regexes against the expected data ($raw_data, or the individual fields themselves). I am really at wit's end trying to make this work.
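How the `$dropEvent` flag set by the pattern's `<exec>` above is actually acted on, as an added example that is not part of the original post. The pattern file only tags the event; the discard happens in a pm_null processor placed after pm_pattern in the route, which is the approach floated in the first post (set a field in the pattern, drop in Exec). The instance names `eventlog`, `classify`, `filter` and `out`, the pattern file path, and the syslog collector host and port are hypothetical; `$PatternID == 2` refers to the "Pass the Hash Success Detection" pattern id from the post.

```nxlog
<Extension syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
</Input>

<Processor classify>
    Module      pm_pattern
    # Assumption: patterndb.xml lives next to nxlog.conf
    PatternFile C:\Program Files\nxlog\conf\patterndb.xml
</Processor>

<Processor filter>
    Module      pm_null
    <Exec>
        # $dropEvent is only defined when a suppress pattern's <exec> ran;
        # dropping here keeps patterndb.xml free of drop() calls.
        if defined $dropEvent drop();

        # Events tagged by the pass-the-hash pattern are raised in severity
        # so they stand out at the collector.
        if defined $PatternID and $PatternID == 2 $Severity = "WARNING";
    </Exec>
</Processor>

<Output out>
    Module      om_tcp
    # Hypothetical syslog collector
    Host        siem.example.internal
    Port        514
    Exec        to_syslog_ietf();
</Output>

<Route security>
    Path        eventlog => classify => filter => out
</Route>
```

Because the processors run in the order given in `Path`, the pm_null Exec sees whatever fields pm_pattern set on the event; putting the drop in the route rather than in the pattern file also means a pattern can be reused to tag events for a different output without discarding them.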