The ESM uses Perl Compatible Regular Expressions (PCRE) when creating specific filter (discard) rules. This article describes how to create filter rules that tag matched events from a custom rule with a Do not parse tag. This tag prevents the event from getting added to the data source's data file for parsing.
NOTE: This article assumes that you're familiar with the
regex and creation of custom rules in the policy editor.
- Name the rule, for example, WMI logon events generated by system accounts.
- Set the Severity level to 90.
- Select the Case Insensitive option.
- Select the Send Log to ELM and Stop Processing Filtering Rules options.
The following PCRE expression looks for one of the event codes listed inside the brackets and then another field in the message text containing one of two strings. The specific strings are Account Name or User Name. They're followed by a string of characters, spaces, or tabs before the final $ sign at the end of the User or Account name. The $ sign indicates that the events are computer-generated logon events that occur all day, every day, on Windows systems. They aren't useful in forensics reports, but are more useful to search for user account names that contain the source workstation name or IP address in the message text of the event.
(?s)\s*(?:538|540|624|626|672|675|4634|4636|4720|4722|4724|4768|4771).*?(?:Account|User)\s+Name:\s*[^\r\n]*?\$
- Name the rule, for example, Window Firewall Rule notice events.
- Set the Severity level to 90.
- Select the Case Insensitive option.
- Select the Send Log to ELM and Stop Processing Filtering Rules options.
The following PCRE expression looks for Microsoft Windows event code
4771 and a text string of characters after 4771 has been detected.
This regex expression looks for Event ID 4771 and the text string Windows Firewall did not supply the following rule in the event header fields:
(?s)\s*(?:4771).*?(?:Windows+.+Firewall+.+did+.+not+.+supply+.+the+.+following+.+rule)
- Name the rule: Window Filtering Platform events.
- Set the Severity level to 90.
- Select the Case Insensitive option.
- Select the Send Log to ELM and Stop Processing Filtering Rules options.
The following PCRE expression looks for a specific text string listed in the message text of a Windows event. In the following example, it looks for Windows Filtering Platform in the message text and takes the appropriate route. (Send to ELM or discard. No route):
(?s)\s*(?:Windows\sFiltering\sPlatform)
- Name the rule: Outside IPs coming from trusted IP address range.
- Set the Severity level to 90.
- Select the Case Insensitive option.
- Select the Send Log to ELM and Stop Processing Filtering Rules options.
The following PCRE expression looks for a text string 'outside' followed by any number of characters until the first three octets of an IP address 64.39.111 are detected. In the following example, it would include any events with the text string 'outside' and any IP address that matches the first three octets:
(?s)\s*(?:outside+.+64.39.111.)
- Name of Rule: 'ZZ_Catch_All' rule. (This rule catches every event that doesn't match a filter rule. It sends these events to be routed to the appropriate data source inbox folder. This rule matches everything that 'fell through' the custom discard filters and is selected for parsing.
- Set the Severity level to 50.
- Select the Match All option.
- Select the Send Log to Parser, Send Log to ELM, and Stop Processing Filtering Rules options.
