ashwatts

AppLocker or other non-supported Windows logs


Hi Guys,

I was wondering if anyone is picking up AppLocker logs from Windows? If not, are you picking up any of the non-supported windows logs?

I have done some basic testing with retrieving these logs from their standard AppLocker folder, however no useful information is being parsed.

I have thought about using the native Windows event forwarding, possibly to the application folder, to see if any more info will come through.

I wanted to see if anyone had any alternatives, or options before I spend too much more time on it.

Any info would be appreciated.

Regards,

Ash

edwardli

Re: AppLocker or other non-supported Windows logs

Hi Ash,

I'm in the same boat and I have had some success reading the AppLocker logs (on Windows 2008). When I added something like (as per the WUC documentation)

agents[0].windowshoststable[7].eventlogtypes=Microsoft-Windows-AppLocker/EXE and DLL

to the agent.properties, I get messed up Applications logs, but ArcSight will happily report they are AppLocker logs. Somehow ArcSight just can't read logs nested in the Applications and Services Logs.

So first thing I tried was adding a registry key (blank key) called "Microsoft-Windows-AppLocker/EXE and DLL" under HKLM/SYSTEM/CurrentControlSet/services/eventlog

Doing so will create an entry in Event Viewer on the top level under Applications and Services Logs. It will also enable the WUC to read the actual AppLocker logs.

Now you'll need to create a parser under $ARCSIGHT_HOME/user/agent/fcp/windowsfg/windows_2008 following the WUC documentation. I've got a basic setup so I'm happy to send that out to you if you need one to get started.

The problem, however, is that after the registry hack, AppLocker stops writing logs except when the AppLocker service is restarted and it'll write an event about policy getting updated. Strangely though I deleted the registry key and the WUC still knows how to read the AppLocker logs.

Even more so, somehow after a few hours AppLocker started writing logs again. I still haven't been able to work out the conditions and reproduce it.

I'm not a Windows logging expert and I think there's some dark magic going on with the WUC somehow getting hold of the AppLocker logging facility handle (or GUID or whatever).

Just throwing this out there in case it helps, and in case someone has found a solution.

Cheers,
Ed

ashwatts

Re: AppLocker or other non-supported Windows logs

Hi Ed,

Thanks for your reply. It sounds like you have jumped through all of the same hoops as me!

I did the same thing with the registry as you did, where the AppLocker event log would stop logging. With some help from the Windows team, we were able to tweak it a bit to get it working again. However, we had event forwarding set up to a centralised server (to avoid collecting directly from workstations), and the registry entry didn't work on any events that didn't originate on the server.

Instead of mucking around with AppLocker and Windows to try and have the additional key event fields added to the log, I modified the custom parser file to use a regex string and pull the fields we needed. This worked a treat, and I now have AppLocker successfully forwarding to ArcSight.

Regards,

Ash


edwardli

Re: AppLocker or other non-supported Windows logs

Hi Ash,

That's really good news, as we still haven't been able to get AppLocker logs working. So did you end up forwarding the AppLocker logs to a centralised server but still using WUC to grab the logs? We are thinking of forwarding the logs using the Windows Event Collector to a Windows Server 2008/2012, and then using WUC to get the logs, but I wouldn't have a clue how and if AppLocker would work that way. Do you mind sharing the custom parser file with me?

Thanks,

Ed

ashwatts

Re: AppLocker or other non-supported Windows logs


Hi Ed,

Yes, it is great news! It took a while but we got there in the end.

Yes, we are forwarding the AppLocker logs from a subset of workstations to a centralised Windows 2008R2 server. We are using the application event log as the destination log source. This seems to be handled better by the WUC, rather than the standard AppLocker event log. However, the parser file should work the same for both; it would just need to be named accordingly.

The native Windows event forwarding is very easy to set up; I'm sure if you work with your Windows team you won't have any trouble. You are also able to filter by Windows event ID at the source workstation, to prevent bandwidth utilisation etc.

We are only interested in applications running that would have otherwise been prevented if the AppLocker policy were enforced (8003), but I have included both 8002 and 8003 events in the parser file below.

I hope it helps!

Cheers,

Ash

application.microsoft_windows_applocker.sdkkeyvaluefilereader.properties

************************************************************************
key.delimiter=&&
key.value.delimiter==
key.regexp=([^&=]+)
additionaldata.enabled=true
event.deviceVendor=__getVendor(Microsoft)
event.deviceProduct=__stringConstant(AppLocker)
conditionalmap.count=1
conditionalmap[0].field=event.externalId
conditionalmap[0].mappings.count=2
conditionalmap[0].mappings[0].values=8002
conditionalmap[0].mappings[0].event.message=__regexToken(Key[0],".*\(.*)\.*")
conditionalmap[0].mappings[0].event.filePath=__regexToken(Key[0],".*\(.*)\.*")
conditionalmap[0].mappings[1].values=8003
conditionalmap[0].mappings[1].event.message=__regexToken(Key[0],".*\(.*)\.*")
conditionalmap[0].mappings[1].event.filePath=__regexToken(Key[0],".*\(.*)\.*")
************************************************************************

edwardli

Re: AppLocker or other non-supported Windows logs

Hi Ash,

Thanks a lot! We’ll try it out ASAP – it’ll be a lifesaver!

Cheers,

Ed

seniorj@bennett

Re: AppLocker or other non-supported Windows logs

Hey Ash, how did you get the logs to go anywhere but ForwardedEvents? You mentioned you were able to dump them into Application, but it seems I can't get that far here.

peter.evans2@hp

Re: AppLocker or other non-supported Windows logs

Hi JP,

You can set this on the collecting server. In the subscriptions part of Event Viewer you can set the destination log.

Pete

seniorj@bennett

Re: AppLocker or other non-supported Windows logs

Thanks Peter!

I'm surprised I missed out on that.

After that small hint I was able to add some more information to the AppLocker events before they hit ArcSight.

Splitting up the data a little further made it easier for me to build some use cases, dashboards and notifications elsewhere.

$ARCSIGHT_HOME\current\user\agent\fcp\windowsfg\windows_2008\application.microsoft_windows_applocker.sdkkeyvaluefilereader.properties

--------------------------------------
#The MIT License (MIT)
#
#Copyright (c) 2014 JP Senior (jp.senior@gmail.com)
#
#Permission is hereby granted, free of charge, to any person obtaining a copy
#of this software and associated documentation files (the "Software"), to deal
#in the Software without restriction, including without limitation the rights
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
#copies of the Software, and to permit persons to whom the Software is
#furnished to do so, subject to the following conditions:
#The above copyright notice and this permission notice shall be included in
#all copies or substantial portions of the Software.
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
#THE SOFTWARE.

key.delimiter=&&
key.value.delimiter==
key.regexp=([^&=]+)
comments.starts.with=#
additionaldata.enabled=true
event.deviceVendor=__getVendor(Microsoft)
event.deviceProduct=__stringConstant(AppLocker)
conditionalmap.count=1
conditionalmap[0].field=event.externalId
conditionalmap[0].mappings.count=1
#Reference from http://technet.microsoft.com/en-us/library/ee844150.aspx
conditionalmap[0].mappings[0].values=8000,8001,8002,8003,8004,8005,8006,8007,8020,8021,8022,8023,8024,8025,8027
conditionalmap[0].mappings[0].event.message=__regexToken(Key[0],"<Message>(.+?)<\/Message>")
conditionalmap[0].mappings[0].event.filePath=__regexToken(Key[0],"<FilePath>(.+?)<\/FilePath>")
conditionalmap[0].mappings[0].event.fileHash=__regexToken(Key[0],"<FileHash>(.+?)<\/FileHash>")
conditionalmap[0].mappings[0].event.fileName=__regexToken(Key[0],"<FilePath>.*\\\\(.*)</FilePath>")
conditionalmap[0].mappings[0].event.sourceProcessId=__regexTokenAsInteger(Key[0],"<Execution ProcessID>='(\\d+)'</Execution ProcessID>")
conditionalmap[0].mappings[0].event.destinationProcessId=__regexTokenAsInteger(Key[0],"<TargetProcessId>(\\d+)</TargetProcessId>")
conditionalmap[0].mappings[0].event.sourceUserName=User
conditionalmap[0].mappings[0].event.sourceHostName=__regexToken(Key[0],"<Computer>(.+?)<\/Computer>")
--------------------------------------

Some small device maps work well here; I wasn't able to match externalId, so I'm using a bit of a clunky method matching deviceEventClassId. I may be able to move some of this logic into the sdk file above, but I'm just getting started here.

$ARCSIGHT_HOME\current\user\agent\acp\categorizer\current\microsoft\applocker.csv

--------------------------------------
#The MIT License (MIT)
#
#Copyright (c) 2014 JP Senior (jp.senior@gmail.com)
#
#Permission is hereby granted, free of charge, to any person obtaining a copy
#of this software and associated documentation files (the "Software"), to deal
#in the Software without restriction, including without limitation the rights
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
#copies of the Software, and to permit persons to whom the Software is
#furnished to do so, subject to the following conditions:
#The above copyright notice and this permission notice shall be included in
#all copies or substantial portions of the Software.
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
#THE SOFTWARE.

#Reference from http://technet.microsoft.com/en-us/library/ee844150.aspx
event.deviceEventClassId,set.event.name,set.event.categoryOutcome,set.event.categoryDeviceGroup,set.event.categoryBehavior,set.event.categorySignificance,set.event.categoryDeviceType,set.event.categoryTechnique,set.event.categoryObject
Microsoft-Windows-AppLocker:8000,Operating System Identity Policy conversion failed,/Failure,/Application,/Execute,/Informational/Error,Operating System,/Policy,/Host/Resource/Process
Microsoft-Windows-AppLocker:8001,Applocker policy applied successfully,/Success,/Application,/Execute,/Informational,Operating System,/Policy/Compliant,/Host/Resource/Process
Microsoft-Windows-AppLocker:8002,Applocker EXE or DLL permitted,/Success,/Application,/Execute,/Informational,Operating System,/Policy/Compliant,/Host/Resource/Process
Microsoft-Windows-AppLocker:8003,Applocker EXE or DLL audited,/Success,/Application,/Execute,/Informational/Warning,Operating System,/Policy/Breach,/Host/Resource/Process
Microsoft-Windows-AppLocker:8004,Applocker EXE or DLL denied,/Failure,/Application,/Execute,/Suspicious,Operating System,/Policy/Breach,/Host/Resource/Process
Microsoft-Windows-AppLocker:8005,Applocker MSI or script permitted,/Success,/Application,/Execute,/Informational,Operating System,/Policy/Compliant,/Host/Resource/Process
Microsoft-Windows-AppLocker:8006,Applocker MSI or script audited,/Success,/Application,/Execute,/Informational/Warning,Operating System,/Policy/Breach,/Host/Resource/Process
Microsoft-Windows-AppLocker:8007,Applocker MSI or script denied,/Failure,/Application,/Execute,/Suspicious,Operating System,/Policy/Breach,/Host/Resource/Process
Microsoft-Windows-AppLocker:8020,Applocker packaged app allowed,/Success,/Application,/Execute,/Informational,Operating System,/Policy/Compliant,/Host/Resource/Process
Microsoft-Windows-AppLocker:8021,Applocker packaged app audited,/Success,/Application,/Execute,/Informational/Warning,Operating System,/Policy/Breach,/Host/Resource/Process
Microsoft-Windows-AppLocker:8022,Applocker packaged app disabled,/Failure,/Application,/Execute,/Suspicious,Operating System,/Policy/Breach,/Host/Resource/Process
Microsoft-Windows-AppLocker:8023,Applocker packaged app installation allowed,/Success,/Application,/Execute,/Informational,Operating System,/Policy/Compliant,/Host/Resource/Process
Microsoft-Windows-AppLocker:8024,Applocker packaged app installation audited,/Success,/Application,/Execute,/Informational/Warning,Operating System,/Policy/Breach,/Host/Resource/Process
Microsoft-Windows-AppLocker:8025,Applocker packaged app installation disabled,/Failure,/Application,/Execute,/Suspicious,Operating System,/Policy/Breach,/Host/Resource/Process
Microsoft-Windows-AppLocker:8027,Applocker no packaged app rule configured,/Failure,/Application,/Execute,/Informational/Error,Operating System,/Policy/Breach,/Host/Resource/Process
--------------------------------------

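The field regexes in the .properties parser above and the categorizer rows are easiest to sanity-check outside the connector. The following is an added Python example, not code from the thread or from ArcSight: it runs the same regexes over a constructed event text (the WUC's key/value framing and Key[0] indexing are left out) and attaches the CSV outcome and technique for an event id, which is what separates an 8003 audit hit or an 8004 block from a permitted run.

```python
import re

# Field regexes transcribed from the .properties parser above. There a regex
# backslash is written "\\\\": the properties loader unescapes it once to "\\",
# which the regex engine reads as one literal backslash. A Python raw string
# needs only the regex-level escaping, so the same pattern is r"...\\(.*)...".
FIELD_PATTERNS = {
    "message": r"<Message>(.+?)</Message>",
    "filePath": r"<FilePath>(.+?)</FilePath>",
    "fileHash": r"<FileHash>(.+?)</FileHash>",
    # Greedy ".*" backtracks to the last backslash before the single </FilePath>,
    # so the capture is the bare file name even though <Message> repeats the path.
    "fileName": r"<FilePath>.*\\(.*)</FilePath>",
    "destinationProcessId": r"<TargetProcessId>(\d+)</TargetProcessId>",
    "sourceHostName": r"<Computer>(.+?)</Computer>",
}

# Subset of the categorizer CSV above (EXE/DLL and MSI/script rows):
# event id -> (name, categoryOutcome, categorySignificance, categoryTechnique).
CATEGORIES = {
    8002: ("Applocker EXE or DLL permitted", "/Success", "/Informational", "/Policy/Compliant"),
    8003: ("Applocker EXE or DLL audited", "/Success", "/Informational/Warning", "/Policy/Breach"),
    8004: ("Applocker EXE or DLL denied", "/Failure", "/Suspicious", "/Policy/Breach"),
    8005: ("Applocker MSI or script permitted", "/Success", "/Informational", "/Policy/Compliant"),
    8006: ("Applocker MSI or script audited", "/Success", "/Informational/Warning", "/Policy/Breach"),
    8007: ("Applocker MSI or script denied", "/Failure", "/Suspicious", "/Policy/Breach"),
}

# Constructed sample event text (not captured from a real host), laid out with
# the tags the regexes above look for. The event id travels separately, as
# event.externalId does in the connector, so one text serves several ids.
SAMPLE_EVENT_TEXT = (
    "<Computer>WKS-0042.corp.example</Computer>"
    "<TargetProcessId>5188</TargetProcessId>"
    "<FilePath>%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\UPDATER.EXE</FilePath>"
    "<FileHash>0xCONSTRUCTEDHASH</FileHash>"
    "<Message>%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\UPDATER.EXE was prevented "
    "from running.</Message>"
)


def parse_applocker_event(event_id: int, rendered: str) -> dict:
    """Apply the field regexes, then attach the categorizer row for event_id."""
    event = {"externalId": event_id}
    for field, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, rendered)
        event[field] = match.group(1) if match else None
    if event["destinationProcessId"] is not None:  # __regexTokenAsInteger
        event["destinationProcessId"] = int(event["destinationProcessId"])
    category = CATEGORIES.get(event_id)
    if category is None:
        raise ValueError(f"no categorizer row for AppLocker event {event_id}")
    (event["name"], event["categoryOutcome"],
     event["categorySignificance"], event["categoryTechnique"]) = category
    return event


def needs_review(event: dict) -> bool:
    """True for enforced blocks (8004/8007) and for audit-mode hits (8003/8006):
    the latter ran, but an enforced policy would have stopped them."""
    return event["categoryTechnique"] == "/Policy/Breach"
```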
RichieB

Re: AppLocker or other non-supported Windows logs

We had the same issues as Ed Li described, except our EXE and MSI logs never recovered after the registry hack (the MSI and Script log did). We were not too keen on using Event Forwarding, as this uses Windows Remote Management, which is a pain to secure.

Eventually we settled on using http://nxlog.org/ to send the logs directly over syslog. The nxlog.conf is below. My colleague will post the ArcSight parser later.

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module        xm_syslog
</Extension>

<Extension kvp>
    Module        xm_kvp
    KVPDelimiter  ,
    KVDelimiter   =
    EscapeChar    \\
</Extension>

<Input in>
    Module        im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>\
            <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module        om_tcp
    Host          arcsight.local
    Port          514
    Exec          kvp->to_kvp(); $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path          in => out
</Route>

maabe

Re: AppLocker or other non-supported Windows logs

We are receiving AppLocker events from a Windows server, and with the parser override everything is parsed correctly.

However we would like to do the same with Microsoft SCCM 2012 events and also Microsoft EMET events.

All the events are getting a correct ExternalID, so the WUC parser does that for us, but when we try to do a parsing override on the events to get additional info it does nothing.

Could anyone please give us a hint on what might be wrong?

Our Parser (application.microsoft_windows_applocker.sdkkeyvaluefilereader.properties) looks like this:

key.delimiter=&&
key.value.delimiter==
key.regexp=([^&=]+)
comments.starts.with=#
additionaldata.enabled=true
event.deviceVendor=__getVendor(Microsoft)
conditionalmap.count=1
conditionalmap[0].field=event.externalId
conditionalmap[0].mappings.count=3

#Applocker events
#Reference from http://technet.microsoft.com/en-us/library/ee844150.aspx
conditionalmap[0].mappings[0].values=8000,8001,8002,8003,8004,8005,8006,8007,8020,8021,8022,8023,8024,8025,8027
conditionalmap[0].mappings[0].event.deviceProduct=__stringConstant(AppLocker)
conditionalmap[0].mappings[0].event.message=__regexToken(Key[0],"<Message>(.+?)<\/Message>")
conditionalmap[0].mappings[0].event.filePath=__regexToken(Key[0],"<FilePath>(.+?)<\/FilePath>")
conditionalmap[0].mappings[0].event.fileHash=__regexToken(Key[0],"<FileHash>(.+?)<\/FileHash>")
conditionalmap[0].mappings[0].event.fileName=__regexToken(Key[0],"<FilePath>.*\\\\(.*)</FilePath>")
conditionalmap[0].mappings[0].event.sourceProcessId=__regexTokenAsInteger(Key[0],"<Execution ProcessID>='(\\d+)'</Execution ProcessID>")
conditionalmap[0].mappings[0].event.destinationProcessId=__regexTokenAsInteger(Key[0],"<TargetProcessId>(\\d+)</TargetProcessId>")
conditionalmap[0].mappings[0].event.sourceUserName=User
conditionalmap[0].mappings[0].event.sourceHostName=__regexToken(Key[0],"<Computer>(.+?)<\/Computer>")

#EMET events
conditionalmap[0].mappings[1].values=2,11,21,41
conditionalmap[0].mappings[1].event.deviceProduct=__stringConstant(EMET)
conditionalmap[0].mappings[1].event.message=Key[0]
conditionalmap[0].mappings[1].event.name=__stringConstant(Test-EMET)

#SCEP events
conditionalmap[0].mappings[2].values=1116,2001
conditionalmap[0].mappings[2].event.deviceProduct=__stringConstant(SCCM 2012)
conditionalmap[0].mappings[2].event.name=Key[5]
conditionalmap[0].mappings[2].event.fileName=Key[17]
conditionalmap[0].mappings[2].event.name=__stringConstant(Test-SCEP)

seniorj@bennett

Re: AppLocker or other non-supported Windows logs

Mattias, SCCM/EMET events may actually have a different event source name. I'm sorry, I don't have these particular logs in my environment, so I can't test my advice below.

The Connector uses the specific filesystem naming context based on where the event came from.

We have two variables:

A) Log Name

If your connector is installed locally, the Log Name will be "Application"; if you're using WEF (I was) the log source name is "HardwareEvents". "Security", "System", and so on.

B) Log Source. I think this is what you are missing here.

Look at the Log Source name in the Event Viewer. This is the second part of our filename.

E.g. application.research_monitor, application.vss, system.service_control_manager

The SmartConnector parser simply won't look at the parsing file if you put these EMET and SCEP events in the 'applocker' file.

You will need TWO parser files in addition to the one you are using for AppLocker:

application.emet.sdkkeyvaluefilereader.properties

and

application.scep.sdkkeyvaluefilereader.properties

or something like

application.certificationauthority.sdkkeyvaluefilereader.properties


