Dashboards & Visualizations

Applocker logs through WEC, sid translation for renderXml

rvaningh_bics
New Member

My clients are sending their applocker logs in cf:Events format to a windows event collector which runs an UF.

When running with renderXml=0 I only get the message %11 was allowed to run instead of the binary that ran.
This seems to be a WEC quirk and not Splunk related.
In this mode I get a proper sid resolution for the User field (setting evt_resolve_ad_obj = 0 results in NOT_RESOLVED)

When I turn the logs to XML mode by setting renderXml=1 I get the correct information in the logs and I can parse it out using xmlkv.

However no sid translation is done and I'm stuck with the numeric SID.

  • Is the %11 issue a generic Applocker-through-WEC issue ?
  • How did you work around it ... using renderXml ?
  • On which fields is the SID translation supposed to work ?
  • Any other workarounds than dumping the whole AD and using a lookup?

Thanks

Ronny

0 Karma

abpe
Path Finder

For the %11 issue, change your regional settings to English (United States).
I personally use renderXml but couldn't find anything regarding SID translation. I guess the SID matching is hardcoded in the application and it's not able to match in the applocker logs due to the difference in how the SID is presented there.

0 Karma

rvaningh_bics
New Member

I had already tried changing the system local on both the clients and the WEC server... no luck

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...