How to filter a Powershell Message to NOT send

#1 Thomas_Powers

Hello NXLog folks!!

I'm trying to send all PowerShell alerts to our log server but I want to exclude those generated by a specific executable. Since the PowerShell transcription doesn't list the exe as $process, but instead in context info... how does one filter that out? In this case, anything coming from tsm.exe, or tsmv.exe or tsmv1.exe

All insight is welcome

Thanks

TP

Here's a sample of the log:

CommandInvocation(Set-StrictMode): "Set-StrictMode" ParameterBinding(Set-StrictMode): name="Version"; value="1.0"

Context: Severity = Informational Host Name = Windows PowerShell ISE Host Host Version = 5.1.17134.858 Host ID = 8ae5c6dd-1af0-4e65-aeac-7a67be38f4e4 Host Application = C:\Program Files\TSM\TSM.exe Engine Version = 1.0 Runspace ID = f1c12215-0436-4e63-8bf2-2bfadf608c65 Pipeline ID = 385 Command Name = Set-StrictMode Command Type = Cmdlet Script Name = Command Path = Sequence Number = 53836 User = Connected User = Shell ID =

Here's our Log selection snippet:

<Input in>
    Module  im_msvistalog
    Query   <QueryList>                                                                                                \
                <Query Id="0">                                                                                         \
                    <Select Path="Security">*</Select>                                                                 \
                    <Select Path="System">*[System/Level=4]</Select>                                                   \
                    <Select Path="Application">*</Select>                                                              \
                    <Select Path="Setup">*</Select>                                                                    \
                    <Select Path='Windows PowerShell'>*</Select>                                                       \
                    <Select Path='Microsoft-Windows-AAD/Operational'>*</Select>                                        \
                    <Select Path='Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'>*</Select> \
                    <Select Path='Microsoft-Windows-Application-Experience/Program-Telemetry'>*</Select>               \
                    <Select Path='Microsoft-Windows-AppLocker/EXE and DLL'>*</Select>                                  \
                    <Select Path='Microsoft-Windows-AppLocker/MSI and Script'>*</Select>                               \
                    <Select Path='Microsoft-Windows-AppLocker/Packaged app-Deployment'>*</Select>                      \
                    <Select Path='Microsoft-Windows-AppLocker/Packaged app-Execution'>*</Select>                       \
                    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>                                     \
                    <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>                                       \
                    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>                                 \
                    <Select Path='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'>*</Select>       \
                    <Select Path='Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose'>*</Select>\
                </Query>                                                                                               \
            </QueryList>
</Input>

#2 Zhengshi Nxlog ✓

I haven't tested it, but if I understand your problem correctly, you could probably do something like:
Exec if $Message =~ /(?i)(tsm\.exe|tsmv\.exe|tsmv1\.exe)/ drop();

This would drop any event where it finds one of those three items, in any case.
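The reply's pattern drops any event whose $Message mentions one of the three names anywhere, including an event from an ordinary console session whose command merely references tsm.exe as a path argument. Since the question is about events generated by a particular host process, a narrower test is to read the "Host Application" field of the event's Context block (one field per line in the real 4103 module-logging event; the copy in the question was flattened onto one line) and compare the executable's file name against the exclusion list. The following Python is an added example, not code from the thread or from NXLog; the sample messages, paths and commands are constructed, and the function names (host_application, host_executable, naive_drop, drop_by_host_application, filter_events) are this example's own.

```python
import ntpath
import re
from typing import List, Optional

# Executables whose PowerShell host events are to be dropped (from the question).
EXCLUDED_EXES = {"tsm.exe", "tsmv.exe", "tsmv1.exe"}

# The substring test proposed in the reply (dots escaped): matches anywhere in the message.
NAIVE_RE = re.compile(r"(?i)(tsm\.exe|tsmv\.exe|tsmv1\.exe)")

# First token of the "Host Application" value: a quoted path, or an unquoted path that
# runs up to the first ".exe" (so "C:\Program Files\..." is not cut at the space).
# Assumption for this example: the host application is always an .exe.
EXE_RE = re.compile(r'^(?:"([^"]*\.exe)"|(.*?\.exe))(?:\s|$)', re.IGNORECASE)

# Constructed sample messages shaped like the 4103 "Context:" block in the question.
SAMPLE_MESSAGES: List[str] = [
    # 0: generated by TSM.exe itself -> should be dropped
    'CommandInvocation(Set-StrictMode): "Set-StrictMode"\n'
    'ParameterBinding(Set-StrictMode): name="Version"; value="1.0"\n'
    "\nContext:\n"
    "        Severity = Informational\n"
    "        Host Name = Windows PowerShell ISE Host\n"
    "        Host Version = 5.1.17134.858\n"
    "        Host Application = C:\\Program Files\\TSM\\TSM.exe\n"
    "        Engine Version = 1.0\n"
    "        Command Name = Set-StrictMode\n",
    # 1: an admin's console session that only *mentions* tsm.exe -> should be kept
    'CommandInvocation(Get-ChildItem): "Get-ChildItem"\n'
    'ParameterBinding(Get-ChildItem): name="Path"; value="C:\\Program Files\\TSM\\tsm.exe"\n'
    "\nContext:\n"
    "        Severity = Informational\n"
    "        Host Name = ConsoleHost\n"
    "        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "        Command Name = Get-ChildItem\n",
    # 2: tsmv1.exe hosting PowerShell, with command-line arguments -> dropped
    'CommandInvocation(Get-Date): "Get-Date"\n'
    "\nContext:\n"
    "        Severity = Informational\n"
    "        Host Name = TSM Host\n"
    "        Host Application = C:\\Program Files\\TSM\\tsmv1.exe --service\n"
    "        Command Name = Get-Date\n",
    # 3: unrelated scheduled script, quoted host path with arguments -> kept
    'CommandInvocation(Get-Service): "Get-Service"\n'
    "\nContext:\n"
    "        Severity = Informational\n"
    "        Host Name = ConsoleHost\n"
    '        Host Application = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
    " -NoProfile -File C:\\scripts\\inventory.ps1\n"
    "        Command Name = Get-Service\n",
]


def host_application(message: str) -> Optional[str]:
    """Return the 'Host Application' value from the Context block, or None if absent."""
    for line in message.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Host Application":
            return value.strip()
    return None


def host_executable(message: str) -> Optional[str]:
    """Lower-cased file name of the process hosting PowerShell, or None if not determinable."""
    app = host_application(message)
    if app is None:
        return None
    m = EXE_RE.match(app)
    if not m:
        return None
    return ntpath.basename(m.group(1) or m.group(2)).lower()


def naive_drop(message: str) -> bool:
    """The reply's approach: drop if an excluded name appears anywhere in the message."""
    return NAIVE_RE.search(message) is not None


def drop_by_host_application(message: str, excluded=EXCLUDED_EXES) -> bool:
    """Drop only when the hosting executable itself is on the exclusion list."""
    exe = host_executable(message)
    return exe is not None and exe in excluded


def filter_events(messages: List[str], drop=drop_by_host_application) -> List[str]:
    """Return the messages that would be forwarded to the log server (not dropped)."""
    return [m for m in messages if not drop(m)]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        print(i, host_executable(msg),
              "naive_drop=%s" % naive_drop(msg),
              "host_drop=%s" % drop_by_host_application(msg))
```

Run against the samples, the substring test drops messages 0, 1 and 2, while the Host Application test drops only 0 and 2 and keeps the console session that merely referenced the file. The same idea can be carried into the NXLog Exec line by anchoring the regex on that field rather than on the whole message, for instance `Exec if $Message =~ /(?im)^\s*Host Application = .*\\(tsm|tsmv|tsmv1)\.exe(\s|$)/ drop();` (my untested adaptation of the reply's line, not something from the thread); keeping the drop rule as narrow as the requirement allows means fewer PowerShell events silently disappear from the log server.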