Dashboards & Visualizations

Applocker logs through WEC, sid translation for renderXml

rvaningh_bics
New Member

My clients are sending their applocker logs in cf:Events format to a windows event collector which runs an UF.

When running with renderXml=0 I only get the message %11 was allowed to run instead of the binary that ran.
This seems to be a WEC quirk and not Splunk related.
In this mode I get a proper sid resolution for the User field (setting evt_resolve_ad_obj = 0 results in NOT_RESOLVED)

When I turn the logs to XML mode by setting renderXml=1 I get the correct information in the logs and I can parse it out using xmlkv.

However no sid translation is done and I'm stuck with the numeric SID.

  • Is the %11 issue a generic Applocker-through-WEC issue ?
  • How did you work around it ... using renderXml ?
  • On which fields is the SID translation supposed to work ?
  • Any other workarounds than dumping the whole AD and using a lookup?

Thanks

Ronny

0 Karma

abpe
Path Finder

For the %11 issue, change your regional settings to English (United States).
I personally use renderXml but couldn't find anything regarding SID translation. I guess the SID matching is hardcoded in the application and it's not able to match in the applocker logs due to the difference in how the SID is presented there.

0 Karma

rvaningh_bics
New Member

I had already tried changing the system local on both the clients and the WEC server... no luck

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...