Confirmed

George walked through the events with me. The event channel is read, though 
in archives.log, post decryption, only part of the event is sent over. For 
most events this is not an issue, but for AppLocker and other more detailed 
events writing to Event Channels, there is a second level of XML that has 
VERY interesting traffic. There are some good security features in Windows 
OS that are worth reading correctly with any tool.

It is worth noting that it did not matter which rule set was being used; 
this was an agent thing (default versus custom). Further, in comparison 
with another "open source windows event agent to syslog" utility, the same 
issue was present.

Grant

On Wednesday, March 8, 2017 at 2:49:59 PM UTC-5, Grant Leonard wrote:
>
> I am in EST and I absolutely agree with you. I think we should spend no 
> more than 30 minutes looking at your discovery, looking at logs in 
> archives.log then, as you noted, requesting an enhancement to ensure those 
> log values are sent over by the agent.
>
> All the best
>
> Grant Leonard
> Castra Consulting, LLC <http://castraconsulting.com/#/>
>
>
> On Tuesday, March 7, 2017 at 5:38:02 PM UTC-5, InfoSec wrote:
>>
>> I have no issues with creating decoders and rules, been doing it for 
>> years.
>>
>> But these do not make up for event information that the agent fails to 
>> include in the event that it forwards to the OSSEC server. That is where 
>> the problem lies -- agent-side *not* server-side.
>>
>> In the case of WMI, sufficient detail is forwarded. But in the case of 
>> AppLocker, the information forwarded by the agent is woefully deficient.
>>
>> In the environment, sudowin is utilized to elevate privileges. So the 
>> user name *cannot* be a criteria that allows the determination of 
>> whether a user is privileged or not. In regulated environments this is 
>> crucial. The Logon ID is what allows us to distinguish between unprivileged 
>> and privileged user sessions for the same Account Name *and* Security 
>> ID. In the XML event, it reports the logon ID plus rule/policy information. 
>> All that the agent sends upstream is the user name and application path, 
>> and whether it was blocked, allowed, or allowed in audit mode. Better than 
>> nothing, but not good enough. Lots more information is definitely lurking 
>> in XML, and it is *not* being picked up by the agent.
>>
>> Seems to me the agent is picking up the eventlog and not the 
>> eventchannel. For WMI, there is little difference between the two. But for 
>> AppLocker the story differs; eventlog is truly minimal.
>>
>> - 
>> <#2edbed17-053f-42cd-9721-42470f5b8993@googlegroups.com_5116bc32-52df-0ed9-7252-dadf18cdb890@Compucenter.org_>
>>  
>> <Event xmlns="*http://schemas.microsoft.com/win/2004/08/events/event 
>> <http://schemas.microsoft.com/win/2004/08/events/event>*">
>> - 
>> <#2edbed17-053f-42cd-9721-42470f5b8993@googlegroups.com_5116bc32-52df-0ed9-7252-dadf18cdb890@Compucenter.org_>
>>  
>> <System>
>>   <Provider Name="*Microsoft-Windows-AppLocker*" Guid="
>> *{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}*" /> 
>>   <EventID>8003</EventID> 
>>   <Version>0</Version> 
>>   <Level>3</Level> 
>>   <Task>0</Task> 
>>   <Opcode>0</Opcode> 
>>   <Keywords>0x8000000000000000</Keywords> 
>>   <TimeCreated SystemTime="*2017-03-07T21:48:00.766807200Z*" /> 
>>   <EventRecordID>3367</EventRecordID> 
>>   <Correlation /> 
>>   <Execution ProcessID="*1144*" ThreadID="*19284*" /> 
>>   <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel> 
>>   <Computer>Desktop</Computer> 
>>   <Security UserID="*S-1-5-21-*XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" /> 
>>   </System>
>> - 
>> <#2edbed17-053f-42cd-9721-42470f5b8993@googlegroups.com_5116bc32-52df-0ed9-7252-dadf18cdb890@Compucenter.org_>
>>  
>> <UserData>
>> - 
>> <#2edbed17-053f-42cd-9721-42470f5b8993@googlegroups.com_5116bc32-52df-0ed9-7252-dadf18cdb890@Compucenter.org_>
>>  
>> <RuleAndFileData 
>> xmlns="*http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0 
>> <http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0>*">
>>   <PolicyName>EXE</PolicyName> 
>>   <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId> 
>>   <RuleName>-</RuleName> 
>>   <RuleSddl>-</RuleSddl> 
>>   <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser> 
>>   <TargetProcessId>18476</TargetProcessId> 
>>   <FilePath>
>> %OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE
>> </FilePath> 
>>   <FileHash>
>> 27BACB741B3A46B326905C18E67D809404FD69578711E00C94CB00067AE79899</
>> FileHash> 
>>   <Fqbn>O=CITRIX ONLINE, L=FORT LAUDERDALE, S=FLORIDA, 
>> C=US\GOTOMEETING\G2M.EXE\8.0.0.6441</Fqbn> 
>>   <TargetLogonId>0x3147a4</TargetLogonId> 
>>   </RuleAndFileData>
>>   </UserData>
>>   </Event>
>>
>> Yet, the following is all the agent picks up:
>>
>> Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
>> Source:        Microsoft-Windows-AppLocker
>> Date:          2017-03-07 23:48:00
>> Event ID:      8003
>> Task Category: None
>> Level:         Warning
>> Keywords:      
>> User:          DOMAIN\User
>> Computer:      Computer
>> Description:
>> %OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE 
>> was allowed to run but would have been prevented from running if the 
>> AppLocker policy were enforced.
>>
>> Open to a G2M to exchange info if you feel it necessary to move forward.
>>
>> Which time zone are you in?
>> ------------------------------
>>
>
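To make the gap concrete, here is an added example (not code from this thread, from OSSEC, or from the other agent mentioned) that parses the eventchannel XML quoted above with Python's standard xml.etree and lists which RuleAndFileData fields never appear in the eventlog-style text the agent forwards. The sample event is constructed from the one quoted in the thread with the SIDs left redacted; the set of "forwarded" fields and the outcome labels for event IDs 8002/8003/8004 are assumptions of this example about the rendering, not something the agent documents.

```python
"""Parse an AppLocker eventchannel event and show what the eventlog rendering drops.

Added example, not OSSEC code: uses only the Python standard library.
"""
import xml.etree.ElementTree as ET

# Namespaces of the Windows event envelope and of AppLocker's UserData payload.
NS_EVENT = "http://schemas.microsoft.com/win/2004/08/events/event"
NS_USERDATA = "http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"

# Outcome carried by the AppLocker EXE/DLL event IDs (allowed / allowed in
# audit mode / blocked). This mapping is an assumption of the example; the
# outcome is not a field of the event itself.
ACTION_BY_EVENT_ID = {
    "8002": "allowed",
    "8003": "allowed (audit mode; would be blocked if enforced)",
    "8004": "blocked",
}

# Fields that the minimal eventlog-style text quoted in the thread still shows
# (Log Name, Date, Event ID, User, Computer, path and outcome). Assumed here.
FORWARDED_FIELDS = frozenset({
    "EventID", "Channel", "Computer", "TimeCreated",
    "SecurityUserID", "FilePath", "Action",
})

# Constructed sample: the 8003 event from the thread, SIDs left redacted.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8003</EventID>
    <Level>3</Level>
    <TimeCreated SystemTime="2017-03-07T21:48:00.766807200Z" />
    <EventRecordID>3367</EventRecordID>
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>Desktop</Computer>
    <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <RuleSddl>-</RuleSddl>
      <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
      <TargetProcessId>18476</TargetProcessId>
      <FilePath>%OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE</FilePath>
      <FileHash>27BACB741B3A46B326905C18E67D809404FD69578711E00C94CB00067AE79899</FileHash>
      <Fqbn>O=CITRIX ONLINE, L=FORT LAUDERDALE, S=FLORIDA, C=US\GOTOMEETING\G2M.EXE\8.0.0.6441</Fqbn>
      <TargetLogonId>0x3147a4</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>"""


def parse_applocker_event(xml_text):
    """Flatten one AppLocker event into a dict of System and RuleAndFileData fields."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{NS_EVENT}}}System")
    rule_data = root.find(f"{{{NS_EVENT}}}UserData/{{{NS_USERDATA}}}RuleAndFileData")
    if system is None or rule_data is None:
        raise ValueError("not an AppLocker event with a RuleAndFileData payload")
    fields = {
        "EventID": system.findtext(f"{{{NS_EVENT}}}EventID"),
        "Channel": system.findtext(f"{{{NS_EVENT}}}Channel"),
        "Computer": system.findtext(f"{{{NS_EVENT}}}Computer"),
        "TimeCreated": system.find(f"{{{NS_EVENT}}}TimeCreated").get("SystemTime"),
        "SecurityUserID": system.find(f"{{{NS_EVENT}}}Security").get("UserID"),
    }
    # Every child of RuleAndFileData is a plain text element; keep all of them so
    # TargetLogonId, RuleId, FileHash and Fqbn survive instead of only FilePath.
    for child in rule_data:
        local_name = child.tag.split("}", 1)[1]
        fields[local_name] = (child.text or "").strip()
    fields["Action"] = ACTION_BY_EVENT_ID.get(fields["EventID"], "unknown")
    return fields


def fields_lost_in_forwarding(fields):
    """Names of parsed fields that the eventlog-style rendering does not carry."""
    return sorted(name for name in fields if name not in FORWARDED_FIELDS)


if __name__ == "__main__":
    parsed = parse_applocker_event(SAMPLE_EVENT)
    for name in ("EventID", "Action", "TargetUser", "TargetLogonId", "RuleId", "FileHash"):
        print(f"{name:14} {parsed[name]}")
    print("dropped by the eventlog rendering:", ", ".join(fields_lost_in_forwarding(parsed)))
```

Run stand-alone it prints the parsed fields and the list of dropped ones; TargetLogonId, the field the thread needs to tell a sudowin-elevated session from the same account's unprivileged one, is in the dropped list, as are the hash and the Fqbn that a server-side rule could otherwise match on.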

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.