Trying to understand XPATH Filtering for Windows Event Logs (XML)
So right now I'm trying to set up and configure Windows Event Collection using collector-initiated subscriptions. Currently I'm only collecting Security event log 4624 and 4688. I'm seeing a lot of noise from random accounts that log into boxes for specific purposes. I'd like to find a way to filter out these specific account names so that the subscription service ignores them.
The current XML file is:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624 or EventID=4688)]]</Select>
</Query>
</QueryList>
The event log XML is below. But I don't want my Windows Event Collector to collect any log that contains "0xluka" in the "Target User Name" field.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" xml:lang="en-US">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-10-23T20:19:06.533771900Z" />
<EventRecordID>963937830</EventRecordID>
<Correlation ActivityID="" />
<Execution ProcessID="640" ThreadID="15576" />
<Channel>Security</Channel>
<Computer>0xluka.localdomain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid"></Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid"></Data>
<Data Name="TargetUserName">0xluka</Data>
<Data Name="TargetDomainName"></Data>
<Data Name="TargetLogonId"></Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName"></Data>
<Data Name="LogonGuid"></Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">NTLM V2</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress"></Data>
<Data Name="IpPort"></Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message>An account was successfully logged on. </Message>
<Level>Information</Level>
<Task>Logon</Task>
<Opcode>Info</Opcode>
<Channel>Security</Channel>
<Provider>Microsoft Windows security auditing.</Provider>
<Keywords>
<Keyword>Audit Success</Keyword>
</Keywords>
</RenderingInfo>
</Event>
You can exclude this targetusername by adding another condition to the existing xpath.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624 or EventID=4688)]] and
*[EventData[Data[@Name='TargetUserName']!='0xluka']]
</Select>
</Query>
</QueryList>
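An added example (not from the question or answer above) that emulates the subscription filter offline in Python, using only the standard library. It parses events in the Windows event XML namespace shown above (note the default namespace, which ElementTree needs a prefix for), keeps only EventID 4624/4688, and compares two exclusion predicates: the naive `Data[@Name='TargetUserName'] and (Data!='0xluka')`, which under XPath 1.0 node-set semantics is true whenever any Data node differs from the name, and the form that tests only the TargetUserName node. The sample events, `make_event`, and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Default namespace of Windows event XML; ElementTree needs a prefix to address it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, data):
    """Build a minimal constructed event (not a real export) in the Windows event schema."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Security</Channel></System><EventData>{items}</EventData></Event>')

# Constructed samples: the noisy logon from the question, a normal logon, and an unrelated event ID.
EVENT_0XLUKA = make_event(4624, {"SubjectUserName": "-", "TargetUserName": "0xluka", "LogonType": "3"})
EVENT_ALICE = make_event(4624, {"SubjectUserName": "-", "TargetUserName": "alice", "LogonType": "10"})
EVENT_4672 = make_event(4672, {"SubjectUserName": "0xluka"})

def event_id(ev):
    return int(ev.find("e:System/e:EventID", NS).text)

def data_values(ev, name=None):
    """String-values of EventData/Data nodes, optionally only those whose @Name matches."""
    path = "e:EventData/e:Data" if name is None else f"e:EventData/e:Data[@Name='{name}']"
    return [d.text or "" for d in ev.findall(path, NS)]

def naive_predicate(ev, user):
    # Emulates EventData[Data[@Name='TargetUserName'] and (Data!=user)].
    # In XPath 1.0, node-set != string is true if ANY node's value differs,
    # so this is true for almost every event and excludes nothing.
    has_target = bool(data_values(ev, "TargetUserName"))
    return has_target and any(v != user for v in data_values(ev))

def correct_predicate(ev, user):
    # Emulates EventData[Data[@Name='TargetUserName']!=user]: only the named node is compared.
    return any(v != user for v in data_values(ev, "TargetUserName"))

def subscription_keeps(xml_text, event_ids=(4624, 4688), excluded_user="0xluka",
                       predicate=correct_predicate):
    """Return True if the emulated Select clause would forward this event to the collector."""
    ev = ET.fromstring(xml_text)
    return event_id(ev) in event_ids and predicate(ev, excluded_user)

if __name__ == "__main__":
    for label, xml_text in [("0xluka", EVENT_0XLUKA), ("alice", EVENT_ALICE), ("4672", EVENT_4672)]:
        print(label, "naive:", subscription_keeps(xml_text, predicate=naive_predicate),
              "correct:", subscription_keeps(xml_text))
```

Windows subscription queries also accept a `<Suppress Path="Security">` element alongside `<Select>`, which is another way to express the exclusion without negating inside the Select expression.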