XPath Deep Dive: Building Advanced Filters for Windows Event Collection

Webinar Registration

In this very technical webinar I will take you on an in-depth tour of building XPath queries that get the events and logs you want while dropping as much of the noise as possible.

XPath allows you to go way beyond just specifying a list of Event IDs to include or exclude; you can filter on any data field within the event.  It’s just a matter of specifying the name of the log in the correct format and then defining Select and/or Suppress statements with the applicable criteria.

For instance, here is a query fragment that collects Windows firewall events for inbound connections but leaves outbound connections behind:

          *[EventData[Data[@Name='Direction'] = '%%14593']]

Notice the code number up there for direction – I’ll explain where you find stuff like that too.

You need that power if you are going to try collecting the Security and PowerShell logs from your workstations. For instance, tracking the programs running on your endpoints is a key way to detect ransomware, APTs and destructive attacks like Petya. But process start events are voluminous: each workstation generates a large number of these events every hour.

The good news, though, is that

  1. Most process start events are not important to collect or analyze
  2. XPath allows you to filter these events out and leave 40% of them at the source

XPath does have its limitations, though, and I will share what I’ve found and what the possible workarounds are. Here are a couple of examples:

  • No support for wildcards or substrings
  • Undocumented limit on how many expressions can go into one Select or Suppress
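To make the Select/Suppress mechanics and the two limitations above concrete, here is an added example of a complete QueryList of the kind used in a Windows Event Collection subscription or an Event Viewer custom view. It is the editor's illustration, not code from the webinar or from Supercharger. The Direction value %%14593 is the code quoted on this page; the Event IDs 5156 (Windows Filtering Platform connection) and 4688 (process creation) and the two executable paths in the Suppress are assumptions chosen for the example.

```xml
<!-- Added example, not from the webinar page. Event IDs 5156 and 4688 and the
     suppressed executable paths are the editor's assumptions; the Direction
     code %%14593 is the value quoted on the page. Confirm any %% resource
     code against a rendered event (Event Viewer, Details tab, XML View)
     before depending on it, since the code is what the filter matches. -->
<QueryList>

  <!-- Query 0: firewall connection events, keeping only the Direction value
       selected by the page's fragment. Two predicates joined with "and"
       restrict the event ID and then a field inside EventData. -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5156)]]
      and
      *[EventData[Data[@Name='Direction']='%%14593']]
    </Select>
  </Query>

  <!-- Query 1: process creation events, with well-known noisy processes
       dropped at the source by a Suppress. Event log XPath offers no
       wildcards or substring functions, so each path must be an exact,
       full match, and every additional path is one more expression
       counted against the per-Suppress expression limit. -->
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]]</Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\conhost.exe']]
      or
      *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\SearchFilterHost.exe']]
    </Suppress>
  </Query>

</QueryList>
```

Before pushing a filter like this into a subscription, test it on one host with Get-WinEvent, for example Get-WinEvent -FilterXml ([xml](Get-Content -Raw .\filter.xml)) -MaxEvents 20, and check that the events returned are the ones you expect and that the suppressed processes are absent. The same QueryList goes, wrapped in CDATA, into the Query element of a wecutil subscription file.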

Of course, my free edition of Supercharger for Windows Event Collection makes all of this much easier with managed filters and I’ll highlight a little bit of that as well, along with a number of new pre-built filters we’re planning to add to Supercharger for this webinar.

Please join us for this advanced, real-training for free session.
