dan, I have this from the alerts log:
** Alert 1461339927.2762520: - windows,system_error,
2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: cuckoo
2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.

Side note: I have been running logtest and executing the play, though nothing shows in logtest. Should I see the event fire as output in my terminal session?

Thanks,
Rob

On Friday, April 22, 2016 at 11:35:10 AM UTC-4, dan (ddpbsd) wrote:
> Can you provide a log sample?
>
> On Fri, Apr 22, 2016 at 11:30 AM, Rob B <[email protected]> wrote:
> > Hi Folks,
> >
> > I have a rule for applocker created as follows:
> >
> > <rule id="100046" level="12">
> >   <if_sid>18103</if_sid>
> >   <status>^8004$</status>
> >   <description>AppLocker - blocked program.</description>
> > </rule>
> >
> > Problem: I only see the windows "error event" as a level "5" coming in from sid 18103; the error event contains all the information I am looking for.
> > But my rule 100046 above does nothing.
> >
> > As additional info, I also have the following rule:
> >
> > <rule id="100045" level="12">
> >   <if_sid>18100</if_sid>
> >   <status>^8003$|^8004$</status>
> >   <description>Applocker - blocked program.</description>
> > </rule>
> >
> > (Could this possibly cause a conflict?)
> >
> > Question: Overall, could someone shed some light here as to why rule 100046 does not fire?
> >
> > Thanks!!!
> >
> > Rob
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
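A way to check which decoded field a rule condition is actually tested against, as an added example that is not part of the thread or of OSSEC itself. It splits the WinEvtLog line Rob posted into the fields an OSSEC-style Windows event decoder produces (the field layout, location: STATUS(id): source: user: system_name: message, and the names `status` and `id` are assumptions modelled on OSSEC's windows decoder, not taken from the thread) and then evaluates `<status>`/`<id>`-style conditions against those fields, so one can see whether "8004" lands in `status` or in `id` before writing the rule:

```python
import re

# Constructed sample: the WinEvtLog portion of the alert Rob pasted, with the
# agent/date header removed, so the decoder sees what ossec-analysisd would see.
SAMPLE = (
    "WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): "
    "Microsoft-Windows-AppLocker: user: VICTIM0.domain.com: "
    r"\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running."
)

# Assumed field layout (modelled on OSSEC's "windows" decoder, not copied from it):
#   location: STATUS(id): source: user: system_name: message
# 'status' is the word before the parentheses (ERROR, INFORMATION, ...),
# 'id' is the numeric Windows event ID inside them.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<location>.+?): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<source>.+?): (?P<user>.+?): (?P<system_name>\S+): (?P<message>.*)$"
)


def decode_winevt(line):
    """Return the decoded fields of a WinEvtLog line, or None if it does not match."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


def rule_matches(fields, **conditions):
    """Emulate rule conditions such as <status>^8004$</status> or <id>^8004$</id>.

    Each keyword is a decoded field name and its value an anchored regex; every
    condition must match for the rule to fire, as with multiple tags in one rule.
    """
    for field, pattern in conditions.items():
        value = fields.get(field)
        if value is None or not re.search(pattern, value):
            return False
    return True


if __name__ == "__main__":
    fields = decode_winevt(SAMPLE)
    for name in ("location", "status", "id", "source", "user", "system_name"):
        print(f"{name:12}= {fields[name]}")
    print("status ^8004$ :", rule_matches(fields, status="^8004$"))
    print("id     ^8004$ :", rule_matches(fields, id="^8004$"))
    print("status ^ERROR$:", rule_matches(fields, status="^ERROR$"))
```

Under this layout the event ID is in `id` and `status` holds `ERROR`, which is why a condition on `status` for a numeric value never matches while the same pattern on `id` does; run the script against an actual line from `alerts.log` and compare with `ossec-logtest` output, which prints the decoded field names for the installed decoder.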
