I have no issues with creating decoders and rules, been doing it for years.

But these do not make up for event information that the agent fails to
include in the event that it forwards to the OSSEC server. That is where
the problem lies -- agent-side /not/ server-side.

In the case of WMI, sufficient detail is forwarded. But in the case of
AppLocker, the information forwarded by the agent is woefully deficient.

In the environment, sudowin is utilized to elevate privileges. So the
user name _cannot_ be a criterion that allows the determination of
whether a user is privileged or not. In regulated environments this is
crucial. The Logon ID is what allows us to distinguish between
unprivileged and privileged user sessions for the same Account Name
/and/ Security ID. In the XML event, it reports the logon ID plus
rule/policy information. All that the agent sends upstream is the user
name and application path, and whether it was blocked, allowed, or
allowed in audit mode. Better than nothing, but not good enough. Lots
more information is definitely lurking in XML, and it is /not/ being
picked up by the agent.

Seems to me the agent is picking up the eventlog and not the
eventchannel. For WMI, there is little difference between the two. But
for AppLocker the story differs: the eventlog is truly minimal.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8003</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-07T21:48:00.766807200Z" />
    <EventRecordID>3367</EventRecordID>
    <Correlation />
    <Execution ProcessID="1144" ThreadID="19284" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>Desktop</Computer>
    <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <RuleSddl>-</RuleSddl>
      <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
      <TargetProcessId>18476</TargetProcessId>
      <FilePath>%OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE</FilePath>
      <FileHash>27BACB741B3A46B326905C18E67D809404FD69578711E00C94CB00067AE79899</FileHash>
      <Fqbn>O=CITRIX ONLINE, L=FORT LAUDERDALE, S=FLORIDA, C=US\GOTOMEETING\G2M.EXE\8.0.0.6441</Fqbn>
      <TargetLogonId>0x3147a4</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>

Yet, the following is all the agent picks up:

Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
Source:        Microsoft-Windows-AppLocker
Date:          2017-03-07 23:48:00
Event ID:      8003
Task Category: None
Level:         Warning
Keywords:     
User:          DOMAIN\User
Computer:      Computer
Description:
%OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE
was allowed to run but would have been prevented from running if the
AppLocker policy were enforced.

Open to a G2M to exchange info if you feel it necessary to move forward.

Which time zone are you in?
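The gap the post describes, as an added example that is not part of the original message and not OSSEC's own code: a parser for the AppLocker eventchannel XML beside a parser for the flat "Log Name: ..." rendering the agent forwards, plus a session check that uses TargetLogonId the way the post says Logon ID is used to separate elevated sudowin sessions from unprivileged ones under the same account. The sample event and flat text are constructed from the post with its redacted placeholders kept; the set of elevated logon IDs is constructed, and the description wording for the 8002 and 8004 outcomes is an assumption (only the 8003 wording comes from the post).

```python
import re
import xml.etree.ElementTree as ET

# Namespaces from the event XML in the post.
NS_EVENT = "http://schemas.microsoft.com/win/2004/08/events/event"
NS_RULE = "http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"

# Constructed sample: the 8003 event from the post (non-essential System fields omitted).
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8003</EventID>
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>Desktop</Computer>
    <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <RuleSddl>-</RuleSddl>
      <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
      <TargetProcessId>18476</TargetProcessId>
      <FilePath>%OSDRIVE%\\USERS\\XXXXXXXX\\APPDATA\\LOCAL\\CITRIX\\GOTOMEETING\\6441\\G2MUPDATE.EXE</FilePath>
      <FileHash>27BACB741B3A46B326905C18E67D809404FD69578711E00C94CB00067AE79899</FileHash>
      <Fqbn>O=CITRIX ONLINE, L=FORT LAUDERDALE, S=FLORIDA, C=US\\GOTOMEETING\\G2M.EXE\\8.0.0.6441</Fqbn>
      <TargetLogonId>0x3147a4</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>
"""

# Constructed sample: the flat rendering from the post.
SAMPLE_FLAT = """Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
Source:        Microsoft-Windows-AppLocker
Date:          2017-03-07 23:48:00
Event ID:      8003
Task Category: None
Level:         Warning
Keywords:
User:          DOMAIN\\User
Computer:      Computer
Description:
%OSDRIVE%\\USERS\\XXXXXXXX\\APPDATA\\LOCAL\\CITRIX\\GOTOMEETING\\6441\\G2MUPDATE.EXE
was allowed to run but would have been prevented from running if the
AppLocker policy were enforced.
"""

# AppLocker EXE and DLL event IDs; 8003 is the audit-mode event shown in the post.
OUTCOME_BY_EVENT_ID = {8002: "allowed", 8003: "allowed-audit", 8004: "blocked"}
# Description phrasing -> outcome. Only the 8003 phrase is from the post; the other two are assumed.
OUTCOME_BY_PHRASE = {"allowed to run but would have been prevented": "allowed-audit",
                     "prevented from running": "blocked", "allowed to run": "allowed"}
# Flat header keys that carry the same information as an XML element.
FLAT_ALIASES = {"Channel": "Log Name"}


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def parse_applocker_xml(xml_text):
    """Extract the fields the eventchannel XML carries, keyed by element name."""
    root = ET.fromstring(xml_text)
    system = root.find(_q(NS_EVENT, "System"))
    data = root.find(_q(NS_EVENT, "UserData") + "/" + _q(NS_RULE, "RuleAndFileData"))
    fields = {"EventID": int(system.findtext(_q(NS_EVENT, "EventID"))),
              "Channel": system.findtext(_q(NS_EVENT, "Channel")),
              "Computer": system.findtext(_q(NS_EVENT, "Computer")),
              "SecurityUserID": system.find(_q(NS_EVENT, "Security")).get("UserID")}
    for tag in ("PolicyName", "RuleId", "RuleName", "RuleSddl", "TargetUser",
                "TargetProcessId", "FilePath", "FileHash", "Fqbn", "TargetLogonId"):
        fields[tag] = data.findtext(_q(NS_RULE, tag))
    fields["Outcome"] = OUTCOME_BY_EVENT_ID.get(fields["EventID"], "unknown")
    return fields


def parse_flat_eventlog(text):
    """Parse the 'Key: value' header and the free-text description the agent forwards."""
    header, _, description = text.partition("Description:")
    fields = {}
    for line in header.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    fields["Description"] = " ".join(description.split())
    fields["EventID"] = int(fields["Event ID"])
    m = re.match(r"(\S+) was (%s)" % "|".join(map(re.escape, OUTCOME_BY_PHRASE)), fields["Description"])
    if m:
        fields["FilePath"], fields["Outcome"] = m.group(1), OUTCOME_BY_PHRASE[m.group(2)]
    return fields


def session_is_privileged(fields, elevated_logon_ids):
    """True/False by Logon ID; None when the event carries no Logon ID (the flat form),
    since under sudowin the user name alone cannot decide."""
    logon_id = fields.get("TargetLogonId")
    return None if logon_id is None else int(logon_id, 16) in elevated_logon_ids


def fields_lost_in_flat_form(xml_fields, flat_fields):
    """XML fields with a real value that have no counterpart in the flat rendering."""
    return sorted(k for k, v in xml_fields.items() if v not in (None, "-")
                  and k not in flat_fields and FLAT_ALIASES.get(k) not in flat_fields)


if __name__ == "__main__":
    xml_fields, flat_fields = parse_applocker_xml(SAMPLE_XML), parse_flat_eventlog(SAMPLE_FLAT)
    elevated = {0x3147a4}  # constructed: logon IDs of known elevated sessions
    print("xml :", xml_fields["Outcome"], session_is_privileged(xml_fields, elevated))
    print("flat:", flat_fields["Outcome"], session_is_privileged(flat_fields, elevated))
    print("lost:", fields_lost_in_flat_form(xml_fields, flat_fields))
```

Run stand-alone it prints the outcome both renderings agree on, then shows that only the XML form yields a privileged/unprivileged verdict, and lists the fields (hash, Fqbn, policy, rule, SIDs, process and logon IDs) that never reach the server in the flat form.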
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.