
Hello NXLog folks!!

I'm trying to send all PowerShell alerts to our log server, but I want to exclude those generated by a specific executable. Since the PowerShell transcription doesn't list the exe as $process, but instead in the context info... how does one filter that out? In this case, anything coming from tsm.exe, tsmv.exe or tsmv1.exe.

All insight is welcome

Thanks

TP

Here's a sample of the log:

CommandInvocation(Set-StrictMode): "Set-StrictMode"
ParameterBinding(Set-StrictMode): name="Version"; value="1.0"

Context:
Severity = Informational
Host Name = Windows PowerShell ISE Host
Host Version = 5.1.17134.858
Host ID = 8ae5c6dd-1af0-4e65-aeac-7a67be38f4e4
Host Application = C:\Program Files\TSM\TSM.exe
Engine Version = 1.0
Runspace ID = f1c12215-0436-4e63-8bf2-2bfadf608c65
Pipeline ID = 385
Command Name = Set-StrictMode
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 53836
User =
Connected User =
Shell ID =

Here's our Log selection snippet:

<Input in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*</Select>\
<Select Path="System">*[System/Level=4]</Select>\
<Select Path="Application">*</Select>\
<Select Path="Setup">*</Select>\
<Select Path='Windows PowerShell'>*</Select>\
<Select Path='Microsoft-Windows-AAD/Operational'>*</Select>\
<Select Path='Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'>*</Select>\
<Select Path='Microsoft-Windows-Application-Experience/Program-Telemetry'>*</Select>\
<Select Path='Microsoft-Windows-AppLocker/EXE and DLL'>*</Select>\
<Select Path='Microsoft-Windows-AppLocker/MSI and Script'>*</Select>\
<Select Path='Microsoft-Windows-AppLocker/Packaged app-Deployment'>*</Select>\
<Select Path='Microsoft-Windows-AppLocker/Packaged app-Execution'>*</Select>\
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
<Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>\
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
<Select Path='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'>*</Select>\
<Select Path='Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose'>*</Select>\
</Query>\
</QueryList>
</Input>

Asked September 12, 2019 - 1:22pm

Answer (1)

I haven't tested it, but if I understand your problem correctly, you could probably do something like:
Exec if $Message =~ /(?i)(tsm\.exe|tsmv\.exe|tsmv1\.exe)/ drop();

This would drop any event where it finds one of those three items, in any case.
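As an added example (not part of the original answer), assuming the "Context:" block arrives in $Message exactly as in the sample above: this Exec block extracts the "Host Application" value into a field named $HostApplication (a name chosen for this example) and drops only events whose host executable is one of the three names, so an unrelated event that merely mentions tsm.exe somewhere in its text is still forwarded.

```nxlog
<Input in>
    Module  im_msvistalog
    # The Query directive stays exactly as in the question's config.

    <Exec>
        # The PowerShell transcription event carries the "Context:" block in
        # $Message; pull the "Host Application = <path>" line out of it.
        # "\s*$" also absorbs a trailing carriage return from a CRLF event.
        if $Message =~ /(?m)^Host Application = (.*?)\s*$/
        {
            $HostApplication = $1;   # field name chosen for this example
            # Drop only when the host executable itself is tsm.exe, tsmv.exe
            # or tsmv1.exe (case-insensitive). Anchoring on the preceding path
            # separator (or start of value) and on the end of the value keeps
            # events from other hosts whose text happens to contain "tsm.exe".
            if $HostApplication =~ /(?i)(^|\\)(tsm|tsmv|tsmv1)\.exe$/ drop();
        }
    </Exec>
</Input>
```

Events without a "Host Application" line (for example events from the other channels in the Query) never enter the block and are forwarded unchanged.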