Advanced XPath Filtering
Posted 10/30/2019 11:58:49 AM
Hey All,

Randy mentioned in the description of one of his previous webinars that there was an undocumented limitation to how many entries can be in a Select/Suppress statement. I watched two of his webinars on the subject but never heard him mention that limitation (unless I missed it) and didn't see it in any of the slides for those webinars. Does anyone know what that number is?

I have been banging my head up against a wall for 3 days trying to get an XPath filter to work for our Security Log subscription to suppress a fairly large number of event IDs by themselves and also event IDs with process names and other qualifying data. I tried one large query that didn't work, then tried breaking it into 3 smaller ones thinking there might be a limitation, but I am still having issues. Any help would be GREATLY appreciated.

Our events go into the Forwarded Events log file.

*[System[(EventID=4656 or EventID=4658 or EventID=4660 or EventID=4661 or EventID=4662 or EventID=4663 or EventID=4664 or EventID=4665 or EventID=4666 or EventID=4667 or EventID=4673 or EventID=4675 or EventID=4690 or EventID=4700 or EventID=4701 or EventID=4702 or EventID=4717 or EventID=4779 or EventID=4793)]]

*[System[(EventID=4905 or EventID=4907 or EventID=4931 or EventID=4932 or EventID=4933 or EventID=4944 or EventID=4945 or EventID=4957 or EventID=4985 or EventID=5012 or EventID=5056 or EventID=5058 or EventID=5059 or EventID=5061 or EventID=5145 or EventID=5152 or EventID=5154 or EventID=5156)]]

*[System[(EventID=5157 or EventID=5158 or EventID=5379 or EventID=5440 or EventID=5442 or EventID=5444 or EventID=5447 or EventID=5448 or EventID=5450 or EventID=5632 or EventID=5633 or EventID=5889 or EventID=5890 or EventID=6278 or EventID=6419 or EventID=6421 or EventID=6422 or EventID=26401)]]

Posted 11/13/2019 4:22:32 AM
Using Supercharger I just created a raw managed filter using your first query and it worked. Here's what I did.

1. Click on Settings.
2. Click on Manage Filters tab.
3. Create a new Raw managed filter.

Here is the xpath I used:

I then created a subscription using that managed filter and events were forwarded successfully. In our testing we did find the limit per query, but I don't recall the exact number it's limited to at the moment. You can break it up into separate queries per filter, though. You can see this in the filter I built in Supercharger. Click on the VIEW button next to the Exabeam filter. You'll see the filter with multiple queries.
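The original question asks how to suppress a long list of event IDs without hitting the per-query limit, and the reply above says to split the list across several queries. The script below is an added example, not code from either poster or from Supercharger: it takes the 55 event IDs from the three posted queries, splits them into Suppress elements of a configurable size, assembles a QueryList for the Security log, and compiles the result locally with Get-WinEvent -FilterXml so a filter that the event log service rejects is caught before it goes into a subscription. The function name New-SuppressQueryList, the $ChunkSize parameter, and the Select of * (the original Select was not shown in the thread) are assumptions; the default chunk size of 18 simply mirrors the sizes the poster used, since the thread never states the actual limit. The design choice worth noting is that all the Suppress elements sit inside one Query: separate Query elements in a QueryList are OR'ed together, so an event suppressed in one Query would still be returned by the Select in another.

```powershell
# Added example, not from the thread or from Supercharger. Builds a
# Select/Suppress QueryList for the Security log and test-compiles it locally.
param(
    [int]$ChunkSize = 18,        # assumption: thread's working chunks hold 18-19 IDs
    [string]$LogName = 'Security'
)

# Event IDs to suppress, taken from the three queries in the original post.
$SuppressIds = @(
    4656,4658,4660,4661,4662,4663,4664,4665,4666,4667,4673,4675,4690,4700,4701,4702,4717,4779,4793,
    4905,4907,4931,4932,4933,4944,4945,4957,4985,5012,5056,5058,5059,5061,5145,5152,5154,5156,
    5157,5158,5379,5440,5442,5444,5447,5448,5450,5632,5633,5889,5890,6278,6419,6421,6422,26401
)

function New-SuppressQueryList {
    # Hypothetical helper: emits one <Query> with a Select of * and one
    # <Suppress> per chunk of $Size event IDs.
    param([int[]]$Ids, [int]$Size, [string]$Log)

    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<QueryList>')
    # Keep everything in a single Query: multiple Query elements are OR'ed,
    # so a Suppress in one Query cannot hide events selected by another.
    [void]$sb.AppendLine("  <Query Id=`"0`" Path=`"$Log`">")
    [void]$sb.AppendLine("    <Select Path=`"$Log`">*</Select>")
    for ($i = 0; $i -lt $Ids.Count; $i += $Size) {
        $end = [Math]::Min($i + $Size, $Ids.Count) - 1
        $clause = ($Ids[$i..$end] | ForEach-Object { "EventID=$_" }) -join ' or '
        [void]$sb.AppendLine("    <Suppress Path=`"$Log`">*[System[($clause)]]</Suppress>")
    }
    [void]$sb.AppendLine('  </Query>')
    [void]$sb.AppendLine('</QueryList>')
    return $sb.ToString()
}

$xmlText = New-SuppressQueryList -Ids $SuppressIds -Size $ChunkSize -Log $LogName
Write-Output $xmlText

# Local check before the filter goes into a subscription. Reading the Security
# log needs an elevated prompt. Get-WinEvent refuses an XPath the event log
# service cannot compile, so an error here means the collector would reject
# the same filter; "No events were found" just means nothing matched.
try {
    $events = @(Get-WinEvent -FilterXml ([xml]$xmlText) -MaxEvents 200 -ErrorAction Stop)
    $leaked = @($events | Where-Object { $SuppressIds -contains $_.Id })
    "Returned $($events.Count) events; $($leaked.Count) carry an ID that should have been suppressed."
} catch {
    "Filter rejected or empty: $($_.Exception.Message)"
}
```

Run it with a smaller -ChunkSize (for example 5) if the default is refused; the size at which the error disappears is the practical per-Suppress limit on that host. The same QueryList text can then be pasted into a raw managed filter in Supercharger or into the subscription's custom query.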
