elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Winlogbeat] Investigate if chaining XPath queries in XML query bypasses 22 clause limit. #35047

Open taylor-swanson opened 1 year ago

taylor-swanson commented 1 year ago

Windows Event Queries specify a limit of 22 clauses for XPath queries and exceeding this limit results in the following error:

The specified query is invalid.

Winlogbeat will construct a structured XML query based on a number of input parameters (event_id and ignore_older, to name a few). Currently, we construct a single XPath query based on these parameters and embed it in a structured XML query.

For example, if event_id is: 1000,2000-2004,3000, the resulting XPath query would look like this:

```xpath
*[System[(EventID=1000 or  (EventID >= 2000 and EventID <= 2004)  or EventID=3000)]]
```

and the structured XML query would look like this:

```xml
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(EventID=1000 or  (EventID &gt;= 2000 and EventID &lt;= 2004)  or EventID=3000)]]</Select>
  </Query>
</QueryList>
```

This works fine if the number of event ID clauses doesn't exceed 22 (or 21 if a mixture of single IDs, ranges, AND ignore_older is specified). It will fail if the clause limit is exceeded. It is worth noting that while the xml_query option does exist for winlogbeat, it is a very advanced option and a difficult one to expose in integrations like the System integration. What this issue proposes is adding logic to the query builder to split Event IDs across multiple XPath queries if the number of clauses exceeds a limit. A limit of 20 clauses per XPath query should be safe.

A good way to test XML queries is to use Windows Event Viewer. A custom filter can be created by filtering the current log and switching to the XML tab.

Further Reading
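The splitting the issue proposes, sketched in Go as an added example (this is not Winlogbeat's query builder and not code from the issue author). It assumes the clause accounting the issue implies: a single ID costs one clause, a range costs two (one `>=` and one `<=` comparison), and ignore_older costs one clause in every `<Select>` it is repeated in, rendered here with the `timediff(@SystemTime)` XPath function in milliseconds. It also assumes, which is exactly what the issue asks to investigate, that the 22-clause limit is per XPath expression, so several short `<Select>` elements inside one `<Query>` are accepted where one long expression is rejected. The function and type names (`clause`, `parseEventIDs`, `chunkClauses`, `buildQueryList`) are mine; the `-ID` exclusion syntax is deliberately not handled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// clause is one EventID term of the XPath filter: a single ID (lo == hi)
// or an inclusive range. Assumption (not verified against Windows docs):
// a single ID costs one clause toward the limit, a range costs two.
type clause struct {
	lo, hi uint32
}

func (c clause) cost() int {
	if c.lo == c.hi {
		return 1
	}
	return 2
}

// xpath renders the clause in plain XPath; XML escaping happens at the end.
func (c clause) xpath() string {
	if c.lo == c.hi {
		return fmt.Sprintf("EventID=%d", c.lo)
	}
	return fmt.Sprintf("(EventID >= %d and EventID <= %d)", c.lo, c.hi)
}

// parseEventIDs turns "1000,2000-2004,3000" into clauses, rejecting
// anything that is not an unsigned ID or a low-high range.
func parseEventIDs(spec string) ([]clause, error) {
	var out []clause
	for _, tok := range strings.Split(spec, ",") {
		tok = strings.TrimSpace(tok)
		if tok == "" {
			continue
		}
		lo, hi := tok, tok
		if i := strings.Index(tok, "-"); i > 0 {
			lo, hi = tok[:i], tok[i+1:]
		}
		l, err := strconv.ParseUint(lo, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("bad event ID %q: %w", tok, err)
		}
		h, err := strconv.ParseUint(hi, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("bad event ID range %q: %w", tok, err)
		}
		if h < l {
			return nil, fmt.Errorf("range %q: high bound below low bound", tok)
		}
		out = append(out, clause{uint32(l), uint32(h)})
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no event IDs in %q", spec)
	}
	return out, nil
}

// chunkClauses packs clauses greedily so no chunk costs more than limit
// (limit must be at least 2 so that a range always fits in a fresh chunk).
func chunkClauses(clauses []clause, limit int) [][]clause {
	var chunks [][]clause
	var cur []clause
	used := 0
	for _, c := range clauses {
		if used+c.cost() > limit && len(cur) > 0 {
			chunks = append(chunks, cur)
			cur, used = nil, 0
		}
		cur = append(cur, c)
		used += c.cost()
	}
	if len(cur) > 0 {
		chunks = append(chunks, cur)
	}
	return chunks
}

// buildXPath renders one chunk as an OR of its clauses, ANDed with the
// ignore_older time clause when one is requested (0 means none).
func buildXPath(chunk []clause, ignoreOlderMs int64) string {
	parts := make([]string, 0, len(chunk))
	for _, c := range chunk {
		parts = append(parts, c.xpath())
	}
	expr := "(" + strings.Join(parts, " or ") + ")"
	if ignoreOlderMs > 0 {
		expr += fmt.Sprintf(" and TimeCreated[timediff(@SystemTime) <= %d]", ignoreOlderMs)
	}
	return "*[System[" + expr + "]]"
}

var xmlEscaper = strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;")

// buildQueryList emits one <Select> per chunk inside a single <Query>; the
// Selects are a union, which is the semantics a flat event_id list wants.
func buildQueryList(channel, spec string, ignoreOlderMs int64, limit int) (string, error) {
	clauses, err := parseEventIDs(spec)
	if err != nil {
		return "", err
	}
	perChunk := limit
	if ignoreOlderMs > 0 {
		perChunk-- // the TimeCreated clause is repeated in every Select
	}
	if perChunk < 2 {
		return "", fmt.Errorf("clause limit %d too small", limit)
	}
	ch := xmlEscaper.Replace(channel)
	var b strings.Builder
	b.WriteString("<QueryList>\n")
	fmt.Fprintf(&b, "  <Query Id=\"0\" Path=\"%s\">\n", ch)
	for _, chunk := range chunkClauses(clauses, perChunk) {
		fmt.Fprintf(&b, "    <Select Path=\"%s\">%s</Select>\n", ch, xmlEscaper.Replace(buildXPath(chunk, ignoreOlderMs)))
	}
	b.WriteString("  </Query>\n</QueryList>\n")
	return b.String(), nil
}

func main() {
	// Constructed input: the issue's own example plus a 25-ID list that
	// would exceed the limit as a single expression.
	q, err := buildQueryList("Application", "1000,2000-2004,3000", 0, 20)
	if err != nil {
		panic(err)
	}
	fmt.Print(q)
}
```

Paste the emitted XML into the XML tab of Event Viewer's "Filter Current Log" dialog, as the issue suggests, to check whether the multi-Select form is accepted on a given Windows build; the alternative layout, one `<Query>` per chunk with distinct `Id` attributes, is a one-line change in `buildQueryList` if a single `<Query>` turns out to be counted as one expression.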

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine commented 8 months ago

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)