I am in EST and I absolutely agree with you. I think we should spend no more than 30 minutes looking at your discovery, looking at logs in archives.log, then, as you noted, requesting an enhancement to ensure those log values are sent over by the agent.
All the best
Grant Leonard
Castra Consulting, LLC <http://castraconsulting.com/#/>
SOC : +1 919 595 8560
cell : +1 919 949 4002

On Tue, Mar 7, 2017 at 5:37 PM, Jahchan, Georges J. <gjahc...@compucenter.org> wrote:
> I have no issues with creating decoders and rules, been doing it for years.
>
> But these do not make up for event information that the agent fails to include in the event that it forwards to the OSSEC server. That is where the problem lies -- agent-side *not* server-side.
>
> In the case of WMI, sufficient detail is forwarded. But in the case of AppLocker, the information forwarded by the agent is woefully deficient.
>
> In the environment, sudowin is utilized to elevate privileges. So the user name *cannot* be a criterion that allows the determination of whether a user is privileged or not. In regulated environments this is crucial. The Logon ID is what allows us to distinguish between unprivileged and privileged user sessions for the same Account Name *and* Security ID. In the XML event, it reports the logon ID plus rule/policy information. All that the agent sends upstream is the user name and application path, and whether it was blocked, allowed, or allowed in audit mode. Better than nothing, but not good enough. Lots more information is definitely lurking in XML, and it is *not* being picked up by the agent.
>
> Seems to me the agent is picking up the eventlog and not the eventchannel. For WMI, there is little difference between the two. But for AppLocker the story differs; eventlog is truly minimal.
>
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
>     <EventID>8003</EventID>
>     <Version>0</Version>
>     <Level>3</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x8000000000000000</Keywords>
>     <TimeCreated SystemTime="2017-03-07T21:48:00.766807200Z" />
>     <EventRecordID>3367</EventRecordID>
>     <Correlation />
>     <Execution ProcessID="1144" ThreadID="19284" />
>     <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
>     <Computer>Desktop</Computer>
>     <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
>   </System>
>   <UserData>
>     <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
>       <PolicyName>EXE</PolicyName>
>       <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
>       <RuleName>-</RuleName>
>       <RuleSddl>-</RuleSddl>
>       <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
>       <TargetProcessId>18476</TargetProcessId>
>       <FilePath>%OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE</FilePath>
>       <FileHash>27BACB741B3A46B326905C18E67D809404FD69578711E00C94CB00067AE79899</FileHash>
>       <Fqbn>O=CITRIX ONLINE, L=FORT LAUDERDALE, S=FLORIDA, C=US\GOTOMEETING\G2M.EXE\8.0.0.6441</Fqbn>
>       <TargetLogonId>0x3147a4</TargetLogonId>
>     </RuleAndFileData>
>   </UserData>
> </Event>
>
> Yet, the following is all the agent picks up:
>
> Log Name: Microsoft-Windows-AppLocker/EXE and DLL
> Source: Microsoft-Windows-AppLocker
> Date: 2017-03-07 23:48:00
> Event ID: 8003
> Task Category: None
> Level: Warning
> Keywords:
> User: DOMAIN\User
> Computer: Computer
> Description:
> %OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
>
> Open to a G2M to exchange info if you feel it necessary to move forward.
>
> Which time zone are you in?
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/GnA9qGZw9MU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
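What the full XML carries versus what the rendered record carries, as an added Python example (not code from the thread, from the OSSEC agent or from its decoders): it flattens the AppLocker 8003 event posted above into key=value fields, including TargetLogonId, RuleId, FileHash and Fqbn, and then labels the event by logon session rather than by account name, which is the distinction the post needs for sudowin-elevated sessions. The sample event is rebuilt from the post with the same masked values; the SESSIONS table, the 0x3f9c12 logon ID and all function names are assumptions made for the example.

```python
"""Flatten an AppLocker EXE/DLL event from its Windows XML into key=value
fields and classify the event by Logon ID rather than by user name.

Added example for the thread above; it is not OSSEC agent or decoder code.
SAMPLE_EVENT is rebuilt from the event posted in the thread (SID and user
directory masked exactly as in the post). SESSIONS is a constructed table
standing in for whatever a site correlates from its own logon events; the
second logon ID in it is invented for the example.
"""
import xml.etree.ElementTree as ET

NS_EVENT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
NS_DATA = "{http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0}"

# Outcomes of the Microsoft-Windows-AppLocker "EXE and DLL" events.
ACTION = {"8002": "allowed", "8003": "allowed (audit mode)", "8004": "blocked"}

# Fields present in RuleAndFileData that the rendered one-line record drops.
DATA_FIELDS = ("PolicyName", "RuleId", "RuleName", "RuleSddl", "TargetUser",
               "TargetProcessId", "FilePath", "FileHash", "Fqbn", "TargetLogonId")

# Rebuilt from the posted event; values masked as in the post.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8003</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-07T21:48:00.766807200Z" />
    <EventRecordID>3367</EventRecordID>
    <Correlation />
    <Execution ProcessID="1144" ThreadID="19284" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>Desktop</Computer>
    <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <RuleSddl>-</RuleSddl>
      <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
      <TargetProcessId>18476</TargetProcessId>
      <FilePath>%OSDRIVE%\USERS\XXXXXXXX\APPDATA\LOCAL\CITRIX\GOTOMEETING\6441\G2MUPDATE.EXE</FilePath>
      <FileHash>27BACB741B3A46B326905C18E67D809404FD69578711E00C94CB00067AE79899</FileHash>
      <Fqbn>O=CITRIX ONLINE, L=FORT LAUDERDALE, S=FLORIDA, C=US\GOTOMEETING\G2M.EXE\8.0.0.6441</Fqbn>
      <TargetLogonId>0x3147a4</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>"""

# Constructed: two logon sessions for the same account, keyed by Logon ID,
# only one of them elevated. The account name alone cannot tell them apart.
SESSIONS = {
    "0x3147a4": {"account": "DOMAIN\\User", "elevated": False},
    "0x3f9c12": {"account": "DOMAIN\\User", "elevated": True},  # assumed ID
}


def flatten_applocker_event(xml_text):
    """Return a dict of the System and RuleAndFileData fields of one event."""
    root = ET.fromstring(xml_text)
    system = root.find(NS_EVENT + "System")
    data = root.find(NS_EVENT + "UserData/" + NS_DATA + "RuleAndFileData")
    if system is None or data is None:
        raise ValueError("not an AppLocker RuleAndFileData event")

    fields = {
        "EventID": system.findtext(NS_EVENT + "EventID"),
        "TimeCreated": system.find(NS_EVENT + "TimeCreated").get("SystemTime"),
        "Channel": system.findtext(NS_EVENT + "Channel"),
        "Computer": system.findtext(NS_EVENT + "Computer"),
        "UserID": system.find(NS_EVENT + "Security").get("UserID"),
    }
    for tag in DATA_FIELDS:
        fields[tag] = data.findtext(NS_DATA + tag)
    fields["Action"] = ACTION.get(fields["EventID"], "unknown")
    return fields


def classify_session(fields, sessions):
    """Label the event by its logon session: the same account name and SID
    can appear in both an unelevated and a sudowin-elevated session."""
    session = sessions.get(fields.get("TargetLogonId"))
    if session is None:
        return "unknown-session"
    return "privileged" if session["elevated"] else "unprivileged"


def to_kv_line(fields):
    """Render the fields as one key="value" line a decoder could split on."""
    return " ".join(f'{k}="{v}"' for k, v in fields.items())


if __name__ == "__main__":
    event = flatten_applocker_event(SAMPLE_EVENT)
    print(to_kv_line(event))
    print("session:", classify_session(event, SESSIONS))
```

The point of the example is the gap between the two records in the post: the rendered line gives the agent a path and an outcome, while the XML gives the logon ID that a session table can be keyed on, the policy and rule identity, the file hash and the signer (Fqbn), all of which a server-side rule could match on if the agent forwarded them.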