Dashboards & Visualizations

Applocker logs through WEC, sid translation for renderXml

rvaningh_bics
New Member

My clients are sending their applocker logs in cf:Events format to a windows event collector which runs an UF.

When running with renderXml=0 I only get the message %11 was allowed to run instead of the binary that ran.
This seems to be a WEC quirk and not Splunk related.
In this mode I get a proper sid resolution for the User field (setting evt_resolve_ad_obj = 0 results in NOT_RESOLVED)

When I turn the logs to XML mode by setting renderXml=1 I get the correct information in the logs and I can parse it out using xmlkv.

However no sid translation is done and I'm stuck with the numeric SID.

  • Is the %11 issue a generic Applocker-through-WEC issue ?
  • How did you work around it ... using renderXml ?
  • On which fields is the SID translation supposed to work ?
  • Any other workarounds than dumping the whole AD and using a lookup?

Thanks

Ronny

0 Karma

abpe
Path Finder

For the %11 issue, change your regional settings to English (United States).
I personally use renderXml but couldn't find anything regarding SID translation. I guess the SID matching is hardcoded in the application and it's not able to match in the applocker logs due to the difference in how the SID is presented there.

0 Karma

rvaningh_bics
New Member

I had already tried changing the system local on both the clients and the WEC server... no luck

0 Karma