114. Windows AppLocker
Windows AppLocker allows administrators to create rules restricting which executables, scripts, and other files users are allowed to run. For more information, see What Is AppLocker? on Microsoft Docs.
AppLocker logs events to the Windows Event Log. There are four logs available, shown in the Event Viewer under Applications and Services Logs > Microsoft > Windows > AppLocker:

- EXE and DLL
- MSI and Script
- Packaged app-Deployment
- Packaged app-Execution
NXLog can collect these events with the im_msvistalog module or other Windows Event Log modules.
The following configuration uses the im_msvistalog module to collect AppLocker events from the four Windows Event Log channel sources listed above. The xm_xml parse_xml() procedure is used to further parse the UserData XML portion of the event.
<Extension _xml>
    Module  xm_xml
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    if $UserData parse_xml($UserData);
</Input>
Output sample (one EventID 8004 event, after parse_xml() has added the RuleAndFileData.* fields):

{
  "EventTime": "2019-01-09T22:34:44.164099+01:00",
  "Hostname": "Host.DOMAIN.local",
  "Keywords": "9223372036854775808",
  "EventType": "ERROR",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "EventID": 8004,
  "SourceName": "Microsoft-Windows-AppLocker",
  "ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
  "Version": 0,
  "TaskValue": 0,
  "OpcodeValue": 0,
  "RecordNumber": 40,
  "ExecutionProcessID": 5612,
  "ExecutionThreadID": 5220,
  "Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
  "Domain": "DOMAIN",
  "AccountName": "admin",
  "UserID": "S-1-5-21-314323950-2314161084-4234690932-1002",
  "AccountType": "User",
  "Message": "%PROGRAMFILES%\\WINDOWS NT\\ACCESSORIES\\WORDPAD.EXE was prevented from running.",
  "Opcode": "Info",
  "UserData": "<RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>EXE</PolicyName><RuleId>{4C8E638D-3DE8-4DCB-B0E4-B0597074D06B}</RuleId><RuleNameLength>113</RuleNameLength><RuleName>WORDPAD.EXE, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</RuleName><RuleSddlLength>179</RuleSddlLength><RuleSddl>D:(XD;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({\"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\",0}))))</RuleSddl><TargetUser>S-1-5-21-314323950-2314161084-4234690932-1002</TargetUser><TargetProcessId>7964</TargetProcessId><FilePathLength>49</FilePathLength><FilePath>%PROGRAMFILES%\\WINDOWS NT\\ACCESSORIES\\WORDPAD.EXE</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>118</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\\6.3.9600.19060</Fqbn></RuleAndFileData>",
  "EventReceivedTime": "2019-01-09T22:34:45.773240+01:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog",
  "RuleAndFileData.PolicyNameLength": "3",
  "RuleAndFileData.PolicyName": "EXE",
  "RuleAndFileData.RuleId": "{4C8E638D-3DE8-4DCB-B0E4-B0597074D06B}",
  "RuleAndFileData.RuleNameLength": "113",
  "RuleAndFileData.RuleName": "WORDPAD.EXE, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US",
  "RuleAndFileData.RuleSddlLength": "179",
  "RuleAndFileData.RuleSddl": "D:(XD;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({\"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\",0}))))",
  "RuleAndFileData.TargetUser": "S-1-5-21-314323950-2314161084-4234690932-1002",
  "RuleAndFileData.TargetProcessId": "7964",
  "RuleAndFileData.FilePathLength": "49",
  "RuleAndFileData.FilePath": "%PROGRAMFILES%\\WINDOWS NT\\ACCESSORIES\\WORDPAD.EXE",
  "RuleAndFileData.FileHashLength": "0",
  "RuleAndFileData.FqbnLength": "118",
  "RuleAndFileData.Fqbn": "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\\6.3.9600.19060"
}
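To make the effect of parse_xml() on the UserData field concrete, the following Python is an added example (not NXLog code and not from this page) that flattens the same RuleAndFileData XML into dotted field names the way the output sample above shows, and builds a small triage record from the result. The sample UserData is constructed from the event on this page; `flatten_userdata` and `triage_record` are hypothetical helper names.

```python
"""Flatten AppLocker UserData XML into <Root>.<Element> fields, mirroring the
RuleAndFileData.* keys that NXLog's xm_xml parse_xml() produces (see output sample)."""
import xml.etree.ElementTree as ET

# Constructed sample: the UserData of the EventID 8004 event shown on this page,
# trimmed to the elements used here. The empty <FileHash/> is kept on purpose.
SAMPLE_USERDATA = (
    "<RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>"
    "<PolicyName>EXE</PolicyName>"
    "<RuleId>{4C8E638D-3DE8-4DCB-B0E4-B0597074D06B}</RuleId>"
    "<TargetUser>S-1-5-21-314323950-2314161084-4234690932-1002</TargetUser>"
    "<TargetProcessId>7964</TargetProcessId>"
    "<FilePath>%PROGRAMFILES%\\WINDOWS NT\\ACCESSORIES\\WORDPAD.EXE</FilePath>"
    "<FileHashLength>0</FileHashLength><FileHash></FileHash>"
    "<Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
    "\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\\6.3.9600.19060</Fqbn>"
    "</RuleAndFileData>"
)


def local_name(tag):
    """Drop the ElementTree namespace prefix: '{uri}FilePath' -> 'FilePath'."""
    return tag.rsplit("}", 1)[-1]


def flatten_userdata(xml_text):
    """Return {'RuleAndFileData.PolicyName': 'EXE', ...}.

    Elements with no text (FileHash in the sample) are omitted, which matches the
    output sample above: it has RuleAndFileData.FileHashLength but no FileHash key.
    """
    root = ET.fromstring(xml_text)
    prefix = local_name(root.tag)
    fields = {}
    for elem in root.iter():
        if elem is root or not elem.text:
            continue
        fields[f"{prefix}.{local_name(elem.tag)}"] = elem.text
    return fields


def triage_record(event_id, fields):
    """Compact record for alerting on the flattened fields.

    EventID 8004 is the 'was prevented from running' event shown on this page.
    An empty FileHash together with a populated Fqbn is what the sample's
    publisher (APPID://FQBN) rule produces, so it is used here as the
    publisher-rule indicator; a hash rule would populate FileHash instead.
    """
    return {
        "blocked": event_id == 8004,
        "user_sid": fields.get("RuleAndFileData.TargetUser", ""),
        "file_path": fields.get("RuleAndFileData.FilePath", ""),
        "matched_by_publisher": bool(fields.get("RuleAndFileData.Fqbn"))
        and not fields.get("RuleAndFileData.FileHash"),
    }
```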