1
response

I'm trying to figure out a good way of only forwarding along events of significance and to filter out the rest - but without having hundreds of lines of XPath queries in nxlog.conf file. I understand that multiple blocks are AND'd together and that 'type' may only be "exact or regexp", but there doesn't appear to be any negation logic (e.g. NOT item or OR item).

Is the 'pm_pattern' module the best approach for trying to accomplish this? Can pattern matches in the patterndb.xml file be defined to drop matching messages? Would a viable approach be to define capture groups to set a variable, then just have something like 'Exec if defined $unwantedMatch { drop();}?

XPath Query: *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)]] and *[EventData[ ( (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0') or Data[@Name='TargetUserName']='ANONYMOUS LOGON' or Data[@Name='TargetUserSID']='S-1-5-18' )]]

patterndb.xml attempt: 7Suppress Service LogonsEventIDregexp4624|4625|4634Levelregexp0|4
if ( $LogonType =~ /0|5/ or $TargetUserName == 'ANONYMOUS LOGON' or $TargetUserSID == 'S-1-5-18' ) drop();

XPath Query: *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4624]] and *[EventData[Data[@Name='LogonType']='3']] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']] and *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']] and *[EventData[Data[@Name='TargetDomainName']!='TEST']]

patterndb.xml attempt: 2Pass the Hash Success DetectionEventIDexact4624SeverityexactINFOLogonTypeexact3AuthenticationPackageNameexactNTLMTargetUserNameregexp(?!ANONYMOUS LOGON)TargetDomainNameregexp(?!TEST)$PatternID=2;

Thank you for any wisdom/assisstance.

AskedApril 21, 2021 - 5:41pm

Comments (1)

  • tiparker's picture

         <pattern>
            <!-- Removes all service (success/failed) logons from being captured -->
            <!-- LogonType 5 and 0 are respectively used for services and system logons -->
            <id>1</id>
            <name>Suppress Service Logons</name>
            <matchfield>
                <name>EventID</name>
                <type>regexp</type>
                <value>(4624|4625|4634)</value>
                <capturedfield>
                    <name>match_EventID</name>
                    <type>string</type>
                </capturedfield>
            </matchfield>
            <matchfield>
                <name>Severity</name>
                <type>exact</type>
                <value>INFO</value>
            </matchfield>
            <matchfield>
                <name>LogonType</name>
                <type>regexp</type>
                <value>(0|5)</value>
                <capturedfield>
                    <name>match_LogonType</name>
                    <type>string</type>
                </capturedfield>
            </matchfield>           
            <exec>
                $dropEvent = TRUE;
                log_info("Suppress Logon types 0 or 5: " + $LogonType);
            </exec>
        </pattern>
    

    The intended logic is simply: If ($EventID == '4624' AND $Severity == 'INFO' AND ($LogonType == 0 OR $LogonType == 5)) { $dropEvent = TRUE }

    From two resultant matches on the above pattern: Apparently in the second one shows that '3' is equal to '0' or '5'? 2021-04-22 09:58:21 INFO Suppress Logon types 0 or 5: 5 2021-04-22 09:58:22 INFO Suppress Logon types 0 or 5: 3

    It's just sheer madness that no matter how many variations I try it just does NOT work as expected - even when I manually validate the regexes against the expected data ($raw_data, or the individual fields themselves). I am really at wits end trying to make this work.

Answers (0)