xpathfilter.json
// Name:XPathFilter.json
// Author:Robin Granberg ([email protected])
// Contains Xpath queries for event log search
// "Name": is the name of the filter
// "Query": is the XPath query
// The XML string must not contain double quotation marks, carriage returns or line feeds.
// Replace double quotation marks with single quotation marks and remove carriage returns and line feeds.
{
"Queries":
[
{
"Name": "All events from System Log",
"Category": "System",
"Query": "<QueryList><Query Id='0' Path='System'><Select Path='System'>*</Select></Query></QueryList>"
},
{
"Name": "All events",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select></Query></QueryList>"
},
{
"Name": "Process Created",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=1)]]</Select></Query></QueryList>"
},
{
"Name": "Process Created by user name",
"Category": "Sysmon",
"Query": "<!-- Replace REPLACEUSERNAME --><QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=1)]] and *[EventData[Data[@Name='User']='REPLACEUSERNAME']]</Select></Query></QueryList>"
},
{
"Name": "Process Created by image",
"Category": "Sysmon",
"Query": "<!-- Replace REPLACEIMAGE --><QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=1)]] and *[EventData[Data[@Name='Image']='REPLACEIMAGE']]</Select></Query></QueryList>"
},
{
"Name": "File creation time changed",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=2)]]</Select></Query></QueryList>"
},
{
"Name": "Network connection detected",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=3)]]</Select></Query></QueryList>"
},
{
"Name": "Network connection detected by user name",
"Category": "Sysmon",
"Query": "<!-- Replace REPLACEUSERNAME --><QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=3)]] and *[EventData[Data[@Name='User']='REPLACEUSERNAME']]</Select></Query></QueryList>"
},
{
"Name": "Network connection detected by destination port",
"Category": "Sysmon",
"Query": "<!-- Replace REPLACEPORT --><QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=3)]] and *[EventData[Data[@Name='DestinationPort']='REPLACEPORT']]</Select></Query></QueryList>"
},
{
"Name": "Network connection detected by image",
"Category": "Sysmon",
"Query": "<!-- Replace REPLACEIMAGE --><QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=3)]] and *[EventData[Data[@Name='Image']='REPLACEIMAGE']]</Select></Query></QueryList>"
},
{
"Name": "Sysmon service state changed",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=4)]]</Select></Query></QueryList>"
},
{
"Name": "Process terminated",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=5)]]</Select></Query></QueryList>"
},
{
"Name": "Driver loaded",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=6)]]</Select></Query></QueryList>"
},
{
"Name": "Image loaded",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=7)]]</Select></Query></QueryList>"
},
{
"Name": "File created",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=11)]]</Select></Query></QueryList>"
},
{
"Name": "Pipe Created",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=17)]]</Select></Query></QueryList>"
},
{
"Name": "Pipe Connected Sysmon Log",
"Category": "Sysmon",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'><Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=18)]]</Select></Query></QueryList>"
},
{
"Name": "Windows Start Event",
"Category": "System",
"Query": "<QueryList><Query Id='0' Path='System'><Select Path='System'>*[System[(EventID=6009)]]</Select></Query></QueryList>"
},
{
"Name": "Single EventID",
"Category": "Template",
"Query": "<!-- Replace REPLACELOG and REPLACEID --><QueryList><Query Id='0' Path='REPLACELOG'><Select Path='REPLACELOG'>*[System[(EventID=REPLACEID)]]</Select></Query></QueryList>"
},
{
"Name": "Exclude EventID",
"Category": "Template",
"Query": "<!-- Replace REPLACELOG and REPLACEID --><QueryList><Query Id='0' Path='REPLACELOG'><Select Path='REPLACELOG'>*</Select><Suppress Path='REPLACELOG'>*[System[(EventID=REPLACEID)]]</Suppress></Query></QueryList>"
},
{
"Name": "Event level Critical and Error",
"Category": "Template",
"Query": "<!-- Replace REPLACELOG --><QueryList><Query Id='0' Path='REPLACELOG'><Select Path='REPLACELOG'>*[System[(Level=1 or Level=2)]]</Select></Query></QueryList>"
},
{
"Name": "EventID and Provider",
"Category": "Template",
"Query": "<!-- Replace REPLACELOG, REPLACEPROVIDER and REPLACEID --><QueryList><Query Id='0' Path='REPLACELOG'><Select Path='REPLACELOG'>*[System[Provider[@Name='REPLACEPROVIDER'] and (EventID=REPLACEID)]]</Select></Query></QueryList>"
},
{
"Name": "EventID with time range",
"Category": "Template",
"Query": "<!-- Replace REPLACELOG, REPLACEID and the two REPLACEDATE --><QueryList> <Query Id='0' Path='REPLACELOG'><Select Path='REPLACELOG'>*[System[(EventID=REPLACEID) and TimeCreated[@SystemTime>='REPLACEDATE' and @SystemTime<='REPLACEDATE']]]</Select> </Query></QueryList>"
},
{
"Name": "Logon event",
"Category": "Logon",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624 or EventID=4648)]]</Select></Query></QueryList>"
},
{
"Name": "Logon event by user name",
"Category": "Logon",
"Query": "<!-- Replace REPLACEUSERNAME --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=4624]] and *[EventData[Data[@Name='TargetUserName']='REPLACEUSERNAME']]</Select></Query></QueryList>"
},
{
"Name": "Logon event by user name within time range",
"Category": "Logon",
"Query": "<!-- Replace REPLACEUSERNAME and the two REPLACEDATE --><QueryList><Query Id='0' Path='Security'><Select Path='Security'> *[System[(EventID=4624) and TimeCreated[@SystemTime>='REPLACEDATE' and @SystemTime<='REPLACEDATE']]] and *[EventData[Data[@Name='TargetUserName']='REPLACEUSERNAME']]</Select></Query></QueryList>"
},
{
"Name": "Logon over trust outgoing",
"Category": "Logon",
"Query": "<!-- Replace REPLACEDOMAIN --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=4769]] and *[EventData[Data[@Name='ServiceName']='REPLACEDOMAIN']]</Select></Query></QueryList>"
},
{
"Name": "Logon over trust incoming",
"Category": "Logon",
"Query": "<!-- Replace REPLACEDOMAIN --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=4769]] and *[EventData[Data[@Name='TargetDomainName']='REPLACEDOMAIN']]</Select></Query></QueryList>"
},
{
"Name": "Logon events except system",
"Category": "Logon",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=4624]] and *[EventData[Data[@Name='TargetUserName']!='SYSTEM']]</Select></Query></QueryList>"
},
{
"Name": "Special Group Logon event",
"Category": "Logon",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4964]]</Select></Query></QueryList>"
},
{
"Name": "Directory Service Change",
"Category": "Directory Services",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=5136 or EventID=5137 or EventID=5138 or EventID=5139 or EventID=5141]]</Select></Query></QueryList>"
},
{
"Name": "Directory Service Change by User",
"Category": "Directory Services",
"Query": "<!-- Replace REPLACEUSERNAME --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=5136 or EventID=5137 or EventID=5138 or EventID=5139 or EventID=5141]] and *[EventData[Data[@Name='SubjectUserName']='REPLACEUSERNAME']]</Select></Query></QueryList>"
},
{
"Name": "Directory Service Change object created",
"Category": "Directory Services",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=5137]]</Select></Query></QueryList>"
},
{
"Name": "Directory Service Change object deleted",
"Category": "Directory Services",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=5141]]</Select></Query></QueryList>"
},
{
"Name": "Directory Service Change object undeleted",
"Category": "Directory Services",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=5138]]</Select></Query></QueryList>"
},
{
"Name": "Directory Service Change object modified",
"Category": "Directory Services",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=5136]]</Select></Query></QueryList>"
},
{
"Name": "Group Policy modifications",
"Category": "Group Policy",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[EventID=5136 or EventID=5137 or EventID=5138 or EventID=5139 or EventID=5141]] and *[EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]</Select></Query></QueryList>"
},
{
"Name": "Accepted and dropped Inbound firewall connection",
"Category": "Firewall",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=5152 or EventID=5156 or EventID=5157)]] and *[EventData[Data[@Name='Direction'] and (Data='%%14592')]]</Select></Query></QueryList>"
},
{
"Name": "Accepted Inbound firewall connection",
"Category": "Firewall",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12810 and EventID=5156]] and *[EventData[Data[@Name='Direction']='%%14592']]</Select></Query></QueryList>"
},
{
"Name": "Accepted Inbound Dst Port Number firewall connection",
"Category": "Firewall",
"Query": "<!-- Replace REPLACEPORT --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12810 and EventID=5156]] and *[EventData[Data[@Name='Direction']='%%14592']] and *[EventData[Data[@Name='DestPort']='REPLACEPORT']]</Select></Query></QueryList>"
},
{
"Name": "Accepted Inbound firewall connection from IP address",
"Category": "Firewall",
"Query": "<!-- Replace REPLACEIP --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12810 and EventID=5156]] and *[EventData[Data[@Name='SourceAddress']='REPLACEIP']] and *[EventData[Data[@Name='Direction']='%%14592']]</Select></Query></QueryList>"
},
{
"Name": "Accepted Inbound Dst Port Number firewall connection from IP address",
"Category": "Firewall",
"Query": "<!-- Replace REPLACEIP and REPLACEPORT --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12810 and EventID=5156]] and *[EventData[Data[@Name='Direction']='%%14592']] and *[EventData[Data[@Name='DestPort']='REPLACEPORT']] and *[EventData[Data[@Name='SourceAddress']='REPLACEIP']]</Select></Query></QueryList>"
},
{
"Name": "Dropped Inbound firewall connection",
"Category": "Firewall",
"Query": "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task=12809 or Task=12810) and (EventID=5152 or EventID=5157)]] and *[EventData[Data[@Name='Direction']='%%14592']] and *[EventData[Data[@Name='Protocol'] and (Data=6 or Data=17)]] </Select></Query></QueryList>"
},
{
"Name": "Dropped Inbound firewall connection with time range",
"Category": "Firewall",
"Query": "<!-- Replace the two REPLACEDATE, mind the time zone difference --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task=12809 or Task=12810) and (EventID=5152 or EventID=5157) and TimeCreated[@SystemTime>='REPLACEDATE' and @SystemTime<='REPLACEDATE']]] and *[EventData[Data[@Name='Direction']='%%14592']]</Select></Query></QueryList>"
},
{
"Name": "Dropped Inbound firewall connection from IP address",
"Category": "Firewall",
"Query": "<!-- Replace REPLACEIP --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task=12809 or Task=12810) and (EventID=5152 or EventID=5157)]] and *[EventData[Data[@Name='Direction']='%%14592']] and *[EventData[Data[@Name='SourceAddress']='REPLACEIP']]</Select></Query></QueryList>"
},
{
"Name": "Dropped Inbound Dst Port Number firewall connection",
"Category": "Firewall",
"Query": "<!-- Replace REPLACEPORT --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task=12809 or Task=12810) and (EventID=5152 or EventID=5157)]] and *[EventData[Data[@Name='Direction']='%%14592']] and *[EventData[Data[@Name='Protocol'] and (Data=6 or Data=17)]] and *[EventData[Data[@Name='DestPort']='REPLACEPORT']]</Select></Query></QueryList>"
},
{
"Name": "Dropped Inbound Src Port Number firewall connection",
"Category": "Firewall",
"Query": "<!-- Replace REPLACEPORT --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task=12809 or Task=12810) and (EventID=5152 or EventID=5157)]] and *[EventData[Data[@Name='Direction']='%%14592']] and *[EventData[Data[@Name='Protocol'] and (Data=6 or Data=17)]] and *[EventData[Data[@Name='SourcePort']='REPLACEPORT']]</Select></Query></QueryList>"
},
{
"Name": "Dropped Inbound Dst Port Number firewall connection from IP address",
"Category": "Firewall",
"Query": "<!-- Replace REPLACEIP and REPLACEPORT --><QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Task=12809 or Task=12810) and (EventID=5152 or EventID=5157)]] and *[EventData[Data[@Name='Direction']='%%14592']] and *[EventData[Data[@Name='Protocol'] and (Data=6 or Data=17)]] and *[EventData[Data[@Name='DestPort']='REPLACEPORT']] and *[EventData[Data[@Name='SourceAddress']='REPLACEIP']]</Select></Query></QueryList>"
},
{
"Name": "List Windows Update Client events in System log",
"Category": "Windows Update",
"Query": "<QueryList><Query Id='0' Path='System'><Select Path='System'>*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient']]]</Select></Query></QueryList>"
},
{
"Name": "List Windows Update Client events in WindowsUpdateClient/Operational log",
"Category": "Windows Update",
"Query": "<QueryList><Query Id='0' Path='Microsoft-Windows-WindowsUpdateClient/Operational'><Select Path='Microsoft-Windows-WindowsUpdateClient/Operational'>*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient']]]</Select></Query></QueryList>"
}
]
}