Absent Member.
1699 views

Event messages from AppLocker


I am using WiNC64 and I can pull AppLocker logs, but I do not see the event message in the ArcSight events, and I also do not see where I can use additional mapping in the connector. For example, I can see Device Event Class ID: Microsoft-Windows-AppLocker:8002, but I don't get the Event Message: <File name> was allowed to run. Anyone using AppLocker have these events coming in?


Accepted Solutions
New Member.

Re: Event messages from AppLocker


You have to create two JSON parsers; AppLocker uses two channels for sending events, one for EXE and DLL files and one for MSI and SCRIPT files. Send me an email if you need more help.

11 Replies
Absent Member.

Re: Event messages from AppLocker


Is anyone using a parser for AppLocker? Need to know how to pull the message field out of forwarded events using WiNC.

Outstanding Contributor.

Re: Event messages from AppLocker


Do you have any RAW events you can post? Or maybe a screen capture of the Windows Log with the XML portion?

Been working on App Logs for other products so I might be able to assist.

Absent Member.

Re: Event messages from AppLocker


Did you get anywhere with this? This is what our raw event looks like:

{"System":{"EventId":"8006","Version":"0","Channel":"Microsoft-Windows-AppLocker/MSI and Script","ProviderName":"Microsoft-Windows-AppLocker","Computer":"pc.domain.com","EventRecordID":"10507","Keywords":"None","Level":"Warning","Opcode":"Info","Task":"None","ProcessID":"4864","ThreadID":"824","TimeCreated":"1450347962658","UserId":"AD\\user"},"EventData":{},"UserData":{"RuleAndFileData":{"@xmlns:auto-ns2":"http://schemas.microsoft.com/win/2004/08/events","@_xmlns_":"http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0","PolicyName":"SCRIPT","RuleId":"{00000000-0000-0000-0000-000000000000}","RuleName":"-","RuleSddl":"-","TargetUser":"S-1-5-21-555555555-5555555555-555555555-55555","TargetProcessId":"4864","FilePath":"G:\\FILE.VBS","FileHash":"6138FA46BA3F978B3055555FE455555CF5270555556B404FF30555551864C77F","Fqbn":"-"}}}


Regards

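The record above shows why the message never arrives: the forwarded JSON has an empty EventData block, and the file, policy and user sit under UserData/RuleAndFileData, so the connector has to rebuild the "<File name> was allowed to run" text itself from the event ID. The following Python is an added example, not ArcSight, Micro Focus or any poster's code, of what such a parser does for both channels named in the accepted answer. It assumes the JSON layout of the posted record; the message wording for IDs other than 8002 and 8006 is taken from the Windows event descriptions rather than from this thread; the CEF-style output keys are an illustrative mapping, not the connector's own; and the second sample record (an 8004 block on the EXE and DLL channel) is constructed here with placeholder hash and SID values.

```python
"""Rebuild the AppLocker event message from the JSON that WiNC forwards.

Added example, not ArcSight/Micro Focus code. Field names come from the record
posted in this thread; message wording for IDs other than 8002 and 8006 is
assumed from the Windows event descriptions; the CEF-style output keys are an
illustrative mapping chosen for this example.
"""
import json

# Message text per AppLocker event ID. 8002-8004 are written to the
# "EXE and DLL" channel, 8005-8007 to "MSI and Script".
MESSAGE_TEMPLATES = {
    "8002": "{file} was allowed to run.",
    "8003": "{file} was allowed to run but would have been prevented from "
            "running if the AppLocker policy were enforced.",
    "8004": "{file} was prevented from running.",
    "8005": "{file} was allowed to run.",
    "8006": "{file} was allowed to run but would have been prevented from "
            "running if the AppLocker policy were enforced.",
    "8007": "{file} was prevented from running.",
}
AUDIT_IDS = {"8003", "8006"}   # audit-only mode: logged, not enforced
BLOCK_IDS = {"8004", "8007"}   # enforced block

# The two channels from the accepted answer; each one is a separate parser in the connector.
KNOWN_CHANNELS = {
    "Microsoft-Windows-AppLocker/EXE and DLL",
    "Microsoft-Windows-AppLocker/MSI and Script",
}


def parse_applocker_event(raw):
    """Flatten one forwarded JSON event into named fields plus the rebuilt message."""
    event = json.loads(raw)
    system = event["System"]
    channel = system["Channel"]
    if channel not in KNOWN_CHANNELS:
        raise ValueError("not an AppLocker file-execution channel: " + channel)
    event_id = system["EventId"]
    # EventData is empty for these events; everything useful is under UserData.
    rule = event.get("UserData", {}).get("RuleAndFileData", {})
    file_path = rule.get("FilePath", "-")
    if event_id in BLOCK_IDS:
        outcome = "blocked"
    elif event_id in AUDIT_IDS:
        outcome = "audit-only"
    else:
        outcome = "allowed"
    template = MESSAGE_TEMPLATES.get(event_id, "AppLocker event {id} for {file}")
    return {
        "deviceEventClassId": system["ProviderName"] + ":" + event_id,
        "deviceReceiptTime": int(system["TimeCreated"]),      # epoch milliseconds in the sample
        "deviceHostName": system["Computer"],
        "channel": channel,
        "filePath": file_path,
        "fileHash": rule.get("FileHash", "-"),
        "destinationUserId": rule.get("TargetUser", "-"),     # SID of the user who ran the file
        "deviceCustomString1": rule.get("PolicyName", "-"),   # EXE, DLL, MSI or SCRIPT
        "deviceCustomString2": rule.get("RuleName", "-"),
        "outcome": outcome,
        "message": template.format(file=file_path, id=event_id),
    }


def not_plainly_allowed(raw_lines):
    """(file path, outcome, user SID) for every event that was blocked or audit-logged."""
    hits = []
    for line in raw_lines:
        fields = parse_applocker_event(line)
        if fields["outcome"] != "allowed":
            hits.append((fields["filePath"], fields["outcome"], fields["destinationUserId"]))
    return hits


# First record: the 8006 event posted in the thread. Second record: constructed
# here for the EXE and DLL channel (hash and SID are placeholder values).
SAMPLE_EVENTS = [
    r'{"System":{"EventId":"8006","Version":"0","Channel":"Microsoft-Windows-AppLocker/MSI and Script",'
    r'"ProviderName":"Microsoft-Windows-AppLocker","Computer":"pc.domain.com","EventRecordID":"10507",'
    r'"Keywords":"None","Level":"Warning","Opcode":"Info","Task":"None","ProcessID":"4864","ThreadID":"824",'
    r'"TimeCreated":"1450347962658","UserId":"AD\\user"},"EventData":{},"UserData":{"RuleAndFileData":{'
    r'"@xmlns:auto-ns2":"http://schemas.microsoft.com/win/2004/08/events",'
    r'"@_xmlns_":"http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0",'
    r'"PolicyName":"SCRIPT","RuleId":"{00000000-0000-0000-0000-000000000000}","RuleName":"-","RuleSddl":"-",'
    r'"TargetUser":"S-1-5-21-555555555-5555555555-555555555-55555","TargetProcessId":"4864",'
    r'"FilePath":"G:\\FILE.VBS","FileHash":"6138FA46BA3F978B3055555FE455555CF5270555556B404FF30555551864C77F","Fqbn":"-"}}}',
    r'{"System":{"EventId":"8004","Version":"0","Channel":"Microsoft-Windows-AppLocker/EXE and DLL",'
    r'"ProviderName":"Microsoft-Windows-AppLocker","Computer":"pc.domain.com","EventRecordID":"10508",'
    r'"Keywords":"None","Level":"Error","Opcode":"Info","Task":"None","ProcessID":"4864","ThreadID":"824",'
    r'"TimeCreated":"1450348000000","UserId":"AD\\user"},"EventData":{},"UserData":{"RuleAndFileData":{'
    r'"PolicyName":"EXE","RuleId":"{00000000-0000-0000-0000-000000000000}","RuleName":"-","RuleSddl":"-",'
    r'"TargetUser":"S-1-5-21-0-0-0-1000","TargetProcessId":"4864",'
    r'"FilePath":"C:\\TEMP\\TOOL.EXE","FileHash":"' + "0" * 64 + r'","Fqbn":"-"}}}',
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        fields = parse_applocker_event(line)
        print(fields["deviceEventClassId"], fields["outcome"], "-", fields["message"])
```

One Python function is enough here because both channels carry the same RuleAndFileData layout; in the connector each channel is its own log source, which is why the accepted answer ends up with two parser files. The outcome field is the part worth keeping in correlation rules: 8003/8006 mean the policy is in audit-only mode and the file did run, so they are the events to watch before enforcement is switched on.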
Absent Member.

Re: Event messages from AppLocker


I had an HP engineer create 2 JSON parsers for us. So basically we made a flex connector with JSON files to parse what we wanted.

Absent Member.

Re: Event messages from AppLocker


Hi John,

would it be possible for you to share those 2 JSON parsers? It would be much appreciated!

Absent Member.

Re: Event messages from AppLocker


Hello Victor, John

Do you have these 2 JSON parsers, and can you share them?

Absent Member.

Re: Event messages from AppLocker


Hi Evren,

Regrettably no. I never received them from John.

Absent Member.

Re: Event messages from AppLocker


I am working on it; if I manage, I will share it under this topic.

Thanks.


Re: Event messages from AppLocker


Hello,

Did you get anything going?

Trusted Contributor.

Re: Event messages from AppLocker


Any success on that? I have WINC and I'm trying to get the file path that was blocked, essential information that Micro Focus skipped -.-

I even created a post about it.
