My clients are sending their AppLocker logs in cf:Events format to a Windows Event Collector which runs a UF.
When running with renderXml=0 I only get the message "%11 was allowed to run" instead of the binary that ran.
This seems to be a WEC quirk and not Splunk related.
In this mode I get a proper SID resolution for the User field (setting evt_resolve_ad_obj = 0 results in NOT_RESOLVED).
When I turn the logs to XML mode by setting renderXml=1 I get the correct information in the logs and I can parse it out using xmlkv.
However, no SID translation is done and I'm stuck with the numeric SID.
Is the %11 issue a generic AppLocker-through-WEC issue?
How did you work around it... using renderXml?
On which fields is the SID translation supposed to work?
Any other workarounds than dumping the whole AD and using a lookup?
For the %11 issue, change your regional settings to English (United States).
I personally use renderXml but couldn't find anything regarding SID translation. I guess the SID matching is hardcoded in the application and it's not able to match in the AppLocker logs due to the difference in how the SID is presented there.
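An added example, not code from the thread or from Splunk: a Python script that flattens an XML-rendered AppLocker 8002 event the way xmlkv would and resolves TargetUser through an exported SID lookup, keeping the raw SID when no entry matches (the numeric-SID situation described above). The event, SID and lookup table are constructed; the element names are assumed from the AppLocker UserData schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an AppLocker 8002 event as forwarded with renderXml=1.
# Element names follow the AppLocker UserData schema; SID, GUID and hash are placeholders.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker"/>
    <EventID>8002</EventID>
    <Computer>WS01.example.local</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000001}</RuleId>
      <RuleName>(Default Rule) All files</RuleName>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1001</TargetUser>
      <TargetProcessId>4242</TargetProcessId>
      <FilePath>%SYSTEM32%\CMD.EXE</FilePath>
      <FileHash>0xAAAA</FileHash>
    </RuleAndFileData>
  </UserData>
</Event>"""

# Constructed SID-to-account lookup, the kind exported from AD into a Splunk lookup table.
SID_LOOKUP = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001": r"EXAMPLE\jdoe",
}

def parse_applocker_event(xml_text):
    """Flatten the event into a dict of leaf-element name -> text, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        tag = el.tag.rpartition("}")[2]  # strip the {namespace} prefix
        if len(el) == 0 and el.text and el.text.strip():
            fields[tag] = el.text.strip()
        for attr, val in el.attrib.items():  # e.g. Security_UserID, Provider_Name
            fields[f"{tag}_{attr}"] = val
    return fields

def resolve_sid(sid, lookup=SID_LOOKUP):
    """Return the account for a SID, or the raw SID when the lookup has no entry."""
    return lookup.get(sid, sid)

def enrich(xml_text):
    """Parse the event and add a TargetUserName field resolved from TargetUser."""
    fields = parse_applocker_event(xml_text)
    fields["TargetUserName"] = resolve_sid(fields.get("TargetUser", ""))
    return fields
```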