palantir / windows-event-forwarding

A repository for using windows event forwarding for incident detection and response

Software-Restriction-Policies.xml incorrect syntax #52

Open appelboom opened 3 years ago

appelboom commented 3 years ago

XPATH should be

Not

clong commented 3 years ago

I don't think this is correct as this page shows this event in the Microsoft-Windows-SoftwareRestrictionPolicies channel: http://intelligentsystemsmonitoring.com/knowledgebase/windows-operating-system/event-id-software-restriction-policy-notification-13844/#:~:text=Windows%20Operating%20System-,Event%20ID%20865%20%E2%80%94%20Software%20Restriction%20Policy%20Notification,not%20allowed%20by%20the%20policy.

b1t-hunter commented 2 years ago

I have checked this in the log manifest on a test system, all referenced events appear in the Application channel. Also as @appelboom has pointed out, the Subscription Query is incorrect. The first selector (*[Application[) in the XPath query string does not reference the channel, but the system header of the event XML. This header, including the provider specification, is always located in the System element. Therefore the query should be as follows:

*[System[Provider[@Name='Microsoft-Windows-SoftwareRestrictionPolicies'] and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]
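A way to check the corrected selector before putting it into a subscription, as an added example that is not part of this thread or of the palantir/windows-event-forwarding repository: it runs the XPath above against the local Application log (a malformed selector such as *[Application[ raises a query error there) and then emits the QueryList with the channel path set to Application, where the manifest places these events. The output file path is a placeholder chosen for this example.

```powershell
# Added example (not from the palantir/windows-event-forwarding repo).
# Assumptions: elevated PowerShell on a host where Software Restriction
# Policies logging is enabled; $OutFile is a placeholder location.

# Provider and EventID live under the System element of the event XML,
# not under a channel-named element, so the selector is *[System[...]].
$XPath = "*[System[Provider[@Name='Microsoft-Windows-SoftwareRestrictionPolicies'] and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]"

# Check 1: the XPath parses and is evaluated against the Application log.
# A bad selector throws a query error; zero matches only means no SRP
# block has been logged on this host yet.
try {
    $hits = Get-WinEvent -LogName 'Application' -FilterXPath $XPath -MaxEvents 5 -ErrorAction Stop
    "{0} SRP event(s) matched in the Application log" -f $hits.Count
} catch {
    if ($_.Exception.Message -like '*No events were found*') {
        'XPath is valid; no SRP events recorded yet.'
    } else {
        throw   # malformed selector or inaccessible log surfaces here
    }
}

# Check 2: render the QueryList as it should appear in the subscription,
# with Path pointing at the channel the events are actually written to.
$QueryList = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">$XPath</Select>
  </Query>
</QueryList>
"@
$OutFile = Join-Path $env:TEMP 'SRP-QueryList.xml'   # placeholder path
Set-Content -Path $OutFile -Value $QueryList -Encoding UTF8
$QueryList
```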