AppLocker Event Logs with OSSEC 2.8, (Fri, Aug 15th)

In a previous post, Monitoring Windows Networks Using Syslog, I discussed using syslog to send the event logs to a SIEM.  This post covers another technique for collecting event log data for analysis.

A new version of OSSEC (2.8) has been released that includes the ability on Windows to access event channels that were introduced in Vista. To get this  to work correctly, I had to have the agent and server on 2.8. This new ability allows admins to send some of the more interesting event logs to OSSEC in a very easy way.

 

Client Config

Setting up the config for the subscription is quite easy.  If you want to do it on an per install basis, you edit the C:Program Filesossec-agentossec.conf.  Add a new tag for local file, then under location put the XPATH channel name and the log_format as eventchannel.

 

 Microsoft-Windows-AppLocker/EXE and DLL

 eventchannel

 

If you want this config to be pushed out to all your Windows OS centrally, you should add the config below to the /var/ossec/etc/shared/agent.conf. This file has a added XML field for matching which system should apply the config.

 

   

       Microsoft-Windows-AppLocker/EXE and DLL

       eventchannel

   

 

Creating Rules

Once you get the logs, you need to create rules to get the alerts.  When creating the rules, you need to know what event level (e.g. Info, Error ect..) the alerts are created for the event.  To get a detailed list of the events, follow this link (hxxp://technet.microsoft.com/en-us/library/ee844150(v=ws.10).aspx)

 

When creating your own rules, you should always add them to the Local_rules.xml file to make sure they do not get overwritten with updates.  These rules should start with 100000 rule ID.

 

18103

^8004

Applocker blocked program

 

I’ve posted all my AppLocker rules to my github(hxxps://github.com/tcw3bb/ISC_Posts/blob/master/OSSEC_AppLocker_Local_Rule.xml), and I’ve also submitted them to the OSSEC group to be added in the next version.  When using the local rules, you may need to change rule ID for your environment.           

 

RAW Log

Once you have the rules in place your alerts like the ones below should be created.

 

** Alert 1404571480.3095: mail  – win,

2014 Jul 05 07:44:40 (10.10.10.1) 10.10.10.1>WinEvtLog

Rule: 100021 (level 12) -> ‘Applocker blocked program.’

User: tw7

2014 Jul 05 10:44:40 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: Error(8004): no source: tw7: WIN-V78V3: WIN-V78V3: %OSDRIVE%TEMPCA_SETUP.EXE was prevented from running.

 

Quick report

To get a report for the current day of who had blocked apps, you can run the following:

>zcat /var/ossec/log/alerts/alerts.log |/var/ossec/bin/ossec-reportd -f rule 100021 -s

 

Report completed. ==

————————————————

->Processed alerts: 449

->Post-filtering alerts: 1

->First alert: 2014 Jul 04 01:18:39

->Last alert: 2014 Jul 04 01:18:39

 

 

Top entries for ‘Username’:

————————————————

tw7                                                                           |1       |

 

 

Top entries for ‘Level’:

————————————————

Severity 12                                                                   |1       |

 

 

Top entries for ‘Group’:

————————————————

win                                                                           |1       |

 

 

Top entries for ‘Location’:

————————————————

(win7pub) 191.238.9.177->WinEvtLog                           |1       |

 

 

Top entries for ‘Rule’:

————————————————

100021 – Applocker blocked program.                             |1       |

 

 

Log dump:

————————————————

2014 Jul 04 01:18:39 (win7pub) 10.10.10.1->WinEvtLog

Rule: 100021 (level 12) -> ‘Applocker blocked program.’

2014 Jul 04 01:18:39 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: Error(8004): no source: tw7: WIN7: win7: %OSDRIVE%TEMPPUTTY.EXE was prevented from running.

I also have a nxlog and an eventsys client config on my github (hxxps://github.com/tcw3bb/ISC_Posts)for additional client config.  To use these with OSSEC, you will need to have a different parser and rules.  

—

Tom Webb

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.