I am in EST and I absolutely agree with you. I think we should spend no
more than 30 minutes looking at your discovery, looking at logs in
archives.log, then, as you noted, requesting an enhancement to ensure those
log values are sent over by the agent.

All the best



Grant Leonard
Castra Consulting, LLC <http://castraconsulting.com/#/>
SOC : +1 919 595 8560
cell : +1 919 949 4002

On Tue, Mar 7, 2017 at 5:37 PM, Jahchan, Georges J. <gjahc...@compucenter.org> wrote:

> I have no issues with creating decoders and rules, been doing it for years.
>
> But these do not make up for event information that the agent fails to
> include in the event that it forwards to the OSSEC server. That is where
> the problem lies -- agent-side *not* server-side.
>
> In the case of WMI, sufficient detail is forwarded. But in the case of
> AppLocker, the information forwarded by the agent is woefully deficient.
>
> In the environment, sudowin is utilized to elevate privileges. So the user
> name *cannot* be a criterion that allows the determination of whether a
> user is privileged or not. In regulated environments this is crucial. The
> Logon ID is what allows us to distinguish between unprivileged and
> privileged user sessions for the same Account Name *and* Security ID. In
> the XML event, it reports the logon ID plus rule/policy information. All
> that the agent sends upstream is the user name and application path, and
> whether it was blocked, allowed, or allowed in audit mode. Better than
> nothing, but not good enough. Lots more information is definitely lurking
> in XML, and it is *not* being picked up by the agent.
>
> Seems to me the agent is picking up the eventlog and not the eventchannel.
> For WMI, there is little difference between the two. But for AppLocker the
> story differs: eventlog is truly minimal.
>
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
>     <EventID>8003</EventID>
>     <Version>0</Version>
>     <Level>3</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x8000000000000000</Keywords>
>     <TimeCreated SystemTime="2017-03-07T21:48:00.766807200Z" />
>     <EventRecordID>3367</EventRecordID>
>     <Correlation />
>     <Execution ProcessID="1144" ThreadID="19284" />
>     <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
>     <Computer>Desktop</Computer>
>     <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
>   </System>
>   <UserData>
>     <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
>       <PolicyName>EXE</PolicyName>
>       <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
>       <RuleName>-</RuleName>
>       <RuleSddl>-</RuleSddl>
>       <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
>       <TargetProcessId>18476</TargetProcessId>
>       <FilePath>%OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE</FilePath>
>       <FileHash>27BACB741B3A46B326905C18E67D809404FD69578711E00C94CB00067AE79899</FileHash>
>       <Fqbn>O=CITRIX ONLINE, L=FORT LAUDERDALE, S=FLORIDA, C=US\GOTOMEETING\G2M.EXE\8.0.0.6441</Fqbn>
>       <TargetLogonId>0x3147a4</TargetLogonId>
>     </RuleAndFileData>
>   </UserData>
> </Event>
>
> Yet, the following is all the agent picks up:
>
> Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
> Source:        Microsoft-Windows-AppLocker
> Date:          2017-03-07 23:48:00
> Event ID:      8003
> Task Category: None
> Level:         Warning
> Keywords:
> User:          DOMAIN\User
> Computer:      Computer
> Description:
> %OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE
> was allowed to run but would have been prevented from running if the
> AppLocker policy were enforced.
>
> Open to a G2M to exchange info if you feel it necessary to move forward.
>
> Which time zone are you in?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
