Xml filter problem

Hello,

I’m trying to protect an ADFS server.
To do so, I’m inspecting Win Events for event ID 1205 and 1201.
Today I can’t extract the IP of the attacker.
When I check the details of these events, the data is stored in an XML document included in the Win Event XML:


I have tried to use XMLGetNodeValue(…), but I’m not able to obtain the IP.
Does someone know how I should call XMLGetNodeValue to extract data that is in an XML document stored in another XML document?
Or is there a better way to create my parser?

Thank you

It would be useful for users who want to help to have the XML in text form. However, the CrowdSec team proposes this:

XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[2]/AuditBase/Component[@xsi:type='RequestAuditComponent']/IpAddress")

However, we can't test without the XML.

Thanks for your response.
I’ve tried, but I still have the problem. Here are my crowdsec logs:

time="2024-03-01T13:36:36+01:00" level=debug msg=" [XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[2]/AuditBase/Component[@xsi:type='RequestAuditComponent']/IpAddress")] XMLGetNodeValue("/Event/EventData[1]/Data[2]/AuditBase/Co…", "<Event xmlns='http://schemas.microsoft.c…") = " id=dawn-shape name=crowdsecurity/adfs-auth stage=s01-parse
time="2024-03-01T13:36:36+01:00" level=debug msg="Empty value for .Meta[source_ip], skip." id=dawn-shape name=crowdsecurity/adfs-auth stage=s01-parse

I have tried the following without more success:
XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[2]/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/IpAddress")

The XML obtained from the ADFS server is the following:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Auditing" />
    <EventID Qualifiers="0">1201</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0x8090000000000000</Keywords>
    <TimeCreated SystemTime="2024-02-29T12:00:13.526836800Z" />
    <EventRecordID>18206112</EventRecordID>
    <Channel>Security</Channel>
    <Computer>srv-adfs-01.domain.fr</Computer>
    <Security UserID="S-1-5-21-111111111-111111111-111111111-11111" />
  </System>
  <EventData>
    <Data>537f38fc-7dc6-41b6-b60b-0080000000fe</Data>
    <Data>
      <?xml version="1.0" encoding="utf-16"?>
      <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
        <AuditType>AppToken</AuditType>
        <AuditResult>Failure</AuditResult>
        <FailureType>GenericError</FailureType>
        <ErrorCode>N/A</ErrorCode>
        <ContextComponents>
          <Component xsi:type="ResourceAuditComponent">
            <RelyingParty>http://adfs.domain.fr/adfs/services/trust</RelyingParty>
            <ClaimsProvider>N/A</ClaimsProvider>
            <UserId>rzarfzet</UserId>
          </Component>
          <Component xsi:type="AuthNAuditComponent">
            <PrimaryAuth>N/A</PrimaryAuth>
            <DeviceAuth>false</DeviceAuth>
            <DeviceId>N/A</DeviceId>
            <MfaPerformed>false</MfaPerformed>
            <MfaMethod>N/A</MfaMethod>
            <TokenBindingProvidedId>false</TokenBindingProvidedId>
            <TokenBindingReferredId>false</TokenBindingReferredId>
            <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
          </Component>
          <Component xsi:type="ProtocolAuditComponent">
            <OAuthClientId>N/A</OAuthClientId>
            <OAuthGrant>N/A</OAuthGrant>
          </Component>
          <Component xsi:type="RequestAuditComponent">
            <Server>http://adfs.domain.fr/adfs/services/trust</Server>
            <AuthProtocol>WSFederation</AuthProtocol>
            <NetworkLocation>Extranet</NetworkLocation>
            <IpAddress>1.2.3.4</IpAddress>
            <ForwardedIpAddress>1.2.3.4</ForwardedIpAddress>
            <ProxyIpAddress>N/A</ProxyIpAddress>
            <NetworkIpAddress>N/A</NetworkIpAddress>
            <ProxyServer>adfswap</ProxyServer>
            <UserAgentString>Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; MALCJS; rv:11.0) like Gecko</UserAgentString>
            <Endpoint>/adfs/ls/</Endpoint>
          </Component>
        </ContextComponents>
      </AuditBase>
    </Data>
  </EventData>
</Event>

Thank you again for your help

Hello,

The ContextComponents tag was missing.
This seems to work: XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[2]/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/IpAddress")

I get this output when running on your log with a test parser (this reading is from a file, not directly from the event log, but it should work the same):

time="2024-03-01T15:59:21+01:00" level=debug msg=" [XMLGetNodeValue(evt.Line.Raw, \"/Event/EventData[1]/Data[2]/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/IpAddress\")] XMLGetNodeValue(\"/Event/EventData[1]/Data[2]/AuditBase/Co...\", \"<Event xmlns=\\\"http://schemas.microsoft.c...\") = " id=frosty-mountain name=foo/bar stage=s01-parse
time="2024-03-01T15:59:21+01:00" level=debug msg=".Meta[source_ip] = '1.2.3.4'" id=frosty-mountain name=foo/bar stage=s01-parse

Thanks all for your help,
Finally, the expression which works on ADFS server is the following:

XMLGetNodeValue(XMLGetNodeValue(evt.Line.Raw, '/Event/EventData[1]/Data[2]'), "/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/IpAddress")

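The two-step expression the thread ends with works because the second `<Data>` element carries the AuditBase document as text: the outer XPath returns that text, and only a second parse makes `ContextComponents/Component/IpAddress` addressable. The following is an added example, not code from the thread or from CrowdSec; it replays both steps with Python's standard `xml.etree.ElementTree` standing in for `XMLGetNodeValue` (CrowdSec's own helper is Go code and is not reproduced here). The sample event is constructed from the 1201 event quoted above, trimmed, with the inner document assumed to arrive escaped inside `<Data>`, which is consistent with the one-step path returning an empty value on the real server while the two-step expression worked.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace URIs exactly as they appear in the event quoted in the thread.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"e": EVT_NS, "xsi": XSI_NS}

# Constructed sample (trimmed from the thread's 1201 event). Assumption: the
# AuditBase document sits in the second <Data> as escaped text, i.e. as a
# string value, not as a child subtree of the event.
SAMPLE_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="AD FS Auditing"/><EventID Qualifiers="0">1201</EventID>'
    '<Computer>srv-adfs-01.domain.fr</Computer></System>'
    '<EventData>'
    '<Data>537f38fc-7dc6-41b6-b60b-0080000000fe</Data>'
    '<Data>&lt;?xml version="1.0" encoding="utf-16"?&gt; '
    '&lt;AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit"&gt;'
    '&lt;AuditResult&gt;Failure&lt;/AuditResult&gt;'
    '&lt;ContextComponents&gt;'
    '&lt;Component xsi:type="ResourceAuditComponent"&gt;&lt;UserId&gt;rzarfzet&lt;/UserId&gt;&lt;/Component&gt;'
    '&lt;Component xsi:type="RequestAuditComponent"&gt;'
    '&lt;IpAddress&gt;1.2.3.4&lt;/IpAddress&gt;&lt;ForwardedIpAddress&gt;1.2.3.4&lt;/ForwardedIpAddress&gt;'
    '&lt;/Component&gt;&lt;/ContextComponents&gt;&lt;/AuditBase&gt;</Data>'
    '</EventData></Event>'
)

# The inner document starts with an XML declaration claiming utf-16. We already
# hold decoded text, so the declaration is dropped instead of being trusted.
_XML_DECL = re.compile(r"^<\?xml[^>]*\?>\s*")


def inner_audit_document(event_xml: str) -> ET.Element:
    """Step 1 of the thread's expression: XMLGetNodeValue(evt.Line.Raw, '/Event/EventData[1]/Data[2]').

    Returns the parsed AuditBase root, or raises ValueError when the event does
    not carry an XML document in its second <Data> element.
    """
    root = ET.fromstring(event_xml)
    # The Event document uses a default namespace, so the path must be qualified.
    data = root.findall("e:EventData/e:Data", NS)
    if len(data) < 2:
        raise ValueError("event has fewer than two <Data> elements")
    inner = _XML_DECL.sub("", (data[1].text or "").strip())
    if not inner.startswith("<"):
        raise ValueError("second <Data> does not contain an XML document")
    return ET.fromstring(inner)


def source_ip(audit: ET.Element) -> Optional[str]:
    """Step 2: /AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/IpAddress."""
    if audit.tag != "AuditBase":  # the inner document declares no default namespace
        return None
    node = audit.find(
        "ContextComponents/Component[@xsi:type='RequestAuditComponent']/IpAddress", NS)
    # AD FS writes the literal "N/A" into fields it cannot fill; never hand
    # that to a parser as if it were an address.
    if node is None or not node.text or node.text.strip() == "N/A":
        return None
    return node.text.strip()


def extract_source_ip(event_xml: str) -> Optional[str]:
    """Both steps together: the value the parser would store in .Meta[source_ip]."""
    return source_ip(inner_audit_document(event_xml))


if __name__ == "__main__":
    print(extract_source_ip(SAMPLE_EVENT))
```

Returning `None` for a missing node or an `N/A` value matches what the debug log above shows CrowdSec doing with an empty `.Meta[source_ip]` (the event is skipped rather than enriched with a placeholder). The same event also carries `ForwardedIpAddress` and `ProxyServer`, so a deployment behind a Web Application Proxy should decide deliberately which field represents the client before using it as a ban key.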