Windows Event Viewer AppLocker XPath filter

Tags: applocker, event-viewer, windows-event-log, windows-server-2008-r2, xpath

I'm running AppLocker and would like to filter out some noise from the events being logged in Event Viewer using XPath. Specifically, I want to hide any events which relate to CMD.exe.

Here's an example entry I want to get rid of:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" /> 
        <EventID>8003</EventID> 
        <Version>0</Version> 
        <Level>3</Level> 
        <Task>0</Task> 
        <Opcode>0</Opcode> 
        <Keywords>0x8000000000000000</Keywords> 
        <TimeCreated SystemTime="2014-05-29T05:47:09.625405200Z" /> 
        <EventRecordID>257765</EventRecordID> 
        <Correlation /> 
        <Execution ProcessID="1108" ThreadID="2652" /> 
        <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel> 
        <Computer>COMPUTERNAME.DOMAIN</Computer> 
        <Security UserID="S-1-5-21-123456789-123456789-123456789-123456" /> 
    </System>
    <UserData>
        <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
            <PolicyName>EXE</PolicyName> 
            <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId> 
            <RuleName>-</RuleName> 
            <RuleSddl>-</RuleSddl> 
            <TargetUser>S-1-5-21-123456789-123456789-123456789-123456</TargetUser> 
            <TargetProcessId>3224</TargetProcessId> 
            <FilePath>%SYSTEM32%\CMD.EXE</FilePath> 
            <FileHash>5F98965FF2650B89586176B38F007CA13A9E525E877DDCCBCDCE0A90408672D5</FileHash> 
            <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\6.1.7601.17514</Fqbn> 
        </RuleAndFileData>
    </UserData>
</Event>

I want something to the effect of: Hide event if FilePath is equal to "%SYSTEM32%\CMD.EXE"

I've tried something along the lines of:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL">
    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
    <Suppress Path="Microsoft-Windows-AppLocker/EXE and DLL">*[UserData[FileAndFileData[FilePath = '%SYSTEM32%\CMD.EXE' ]]]</Suppress>
  </Query>
</QueryList>

But this doesn't seem to do anything. I've been looking at random XPath examples online (including similar questions on Server Fault), but most are written when the XML in question is listed under "EventData" instead of "UserData", and the target tag is directly under that EventData, and not below yet another tag (in this example 'RuleAndFileData').

Has anyone got an example XPath code I could give a go?

Best Answer

It looks like you have used the wrong XPath tag in the Suppress section; check your code for any errors.

Replace:

FileAndFileData

With:

RuleAndFileData
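To check the corrected query before pasting it into a custom view, it can be run from PowerShell with Get-WinEvent, which applies the same QueryList XML. This is an added example, not part of the question or the answer; it assumes it runs on a host that has the AppLocker "EXE and DLL" log, and the only change from the asker's query is the RuleAndFileData element name.

```powershell
# Added example: the asker's QueryList with the Suppress element pointing at the
# real parent element, RuleAndFileData. Event Viewer's XPath subset ignores XML
# namespaces, so no prefixes are needed even though RuleAndFileData declares one.
# Note that a Suppress clause only hides events from the view; they stay in the log.
$query = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL">
    <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Suppress Path="Microsoft-Windows-AppLocker/EXE and DLL">*[UserData[RuleAndFileData[FilePath='%SYSTEM32%\CMD.EXE']]]</Suppress>
  </Query>
</QueryList>
"@

# -FilterXml takes the QueryList as an XmlDocument; an empty result is not an error here.
$events = @(Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue)

# Sanity check: walk the returned events' own XML (same UserData/RuleAndFileData
# shape as the sample entry) and confirm none of them still reference CMD.EXE.
$leaked = @($events | Where-Object {
    ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath -eq '%SYSTEM32%\CMD.EXE'
})

"Events after suppress: $($events.Count); CMD.EXE events still present: $($leaked.Count)"
```

If the second number is not zero, the Suppress XPath is not matching and the element names should be compared against the event's XML view (Event Viewer, Details tab, XML View).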