Windows Applocker

About
AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
Product Details
Vendor URL: Windows Applocker Overview
Product Type: Application Whitelisting
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Syslog Integration - Cyderes Documentation
Log Guide: Using Event Viewer with AppLocker
Parser Details
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: WINDOWS_APPLOCKER
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AccountName | principal.user.userid |
| AccountType | principal.user.attribute.roles.name |
| Channel | security_result.about.resource.type |
| Domain | principal.administrative_domain |
| EventID | metadata.product_event_type |
| EventType | security_result.severity |
| Hostname | principal.hostname |
| Message | security_result.description |
| ProcessID | target.process.pid |
| ProviderGuid | target.resource.product_object_id |
| RecordNumber | observer.asset.product_object_id |
| RuleAndFileData.Fullfile_path | target.process.file.full_path |
| RuleAndFileData.PolicyName | security_result.summary |
| RuleAndFileData.RuleId | security_result.rule_id |
| RuleAndFileData.RuleName | security_result.rule_name |
| RuleAndFileData.RuleSddl | security_result.about.labels.value |
| RuleAndFileData.TargetProcessId | target.process.pid |
| SourceModuleName | metadata.description |
| SourceModuleType | observer.application |
| ThreadID | security_result.threat_id |
| UserID | target.user.userid |
Product Event Types
| EventID | UDM Event Classification |
|---|---|
| 8002 | PROCESS_OPEN |
| 8005 | PROCESS_OPEN |
| 8006 | PROCESS_OPEN |
| 8020 | PROCESS_OPEN |
| all others | GENERIC_EVENT |
Log Sample
{"EventTime":"2022-11-08T14:47:59.387392-06:00","Hostname":"Hostname1","Keywords":"aslwl","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":8002,"SourceName":"Microsoft-Windows-AppLocker","ProviderGuid":"{guid}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":"record1","ProcessID":18668,"ThreadID":2488,"Channel":"Microsoft-Windows-AppLocker/EXE and DLL","Domain":"domain","AccountName":"username","UserID":"sid","AccountType":"User","Message":"filepath was allowed to run.","Opcode":"Info","EventReceivedTime":"2022-11-08 14:48:30","SourceModuleName":"applocker","SourceModuleType":"im_msvistalog"}
Sample Parsing
metadata.event_type = "PROCESS_OPEN"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Windows Applocker"
metadata.product_event_type = "8002"
metadata.description = "applocker"
principal.hostname = "Hostname1"
principal.user.userid = "username"
principal.user.attribute.roles.name = "User"
principal.administrative_domain = "domain"
principal.asset.hostname = "Hostname1"
target.user.userid = "sid"
target.process.pid = "18668"
target.process.file.full_path = "filepath"
target.resource.product_object_id = "guid"
observer.application = "im_msvistalog"
observer.asset.product_object_id = "record1"
security_result.about.resource.type = "Microsoft-Windows-AppLocker/EXE and DLL"
security_result.description = "filepath was allowed to run."
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
security_result.threat_id = "2488"
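As an added example (not the parser's own code), the following Python normalizer applies the UDM field table and the Product Event Types classification above to an abridged copy of the page's log sample and reproduces the Sample Parsing output. The BLOCK branch for AppLocker's "was prevented from running" message text and the fallback that takes the file path from Message are assumptions not shown on this page.

```python
import json
import re

# Field mapping copied from this page's UDM table; dotted keys address nested JSON objects.
FIELD_MAP = {
    "AccountName": "principal.user.userid", "AccountType": "principal.user.attribute.roles.name",
    "Channel": "security_result.about.resource.type", "Domain": "principal.administrative_domain",
    "EventID": "metadata.product_event_type", "Hostname": "principal.hostname",
    "Message": "security_result.description", "ProcessID": "target.process.pid",
    "ProviderGuid": "target.resource.product_object_id",
    "RecordNumber": "observer.asset.product_object_id",
    "RuleAndFileData.Fullfile_path": "target.process.file.full_path",
    "RuleAndFileData.PolicyName": "security_result.summary",
    "RuleAndFileData.RuleId": "security_result.rule_id",
    "RuleAndFileData.RuleName": "security_result.rule_name",
    "RuleAndFileData.RuleSddl": "security_result.about.labels.value",
    "RuleAndFileData.TargetProcessId": "target.process.pid",
    "SourceModuleName": "metadata.description", "SourceModuleType": "observer.application",
    "ThreadID": "security_result.threat_id", "UserID": "target.user.userid",
}
PROCESS_OPEN_IDS = {8002, 8005, 8006, 8020}  # Product Event Types table; all others GENERIC_EVENT
# "<path> was allowed to run." is the page's sample; the "prevented" form is an assumption.
OUTCOME_RE = re.compile(r"^(?P<path>.+?) was (?P<verdict>allowed to run|prevented from running)\.?$")

def lookup(record, dotted):
    for part in dotted.split("."):  # walk e.g. RuleAndFileData.RuleId through nested dicts
        record = record.get(part) if isinstance(record, dict) else None
    return record

def normalize(line):
    rec = json.loads(line)
    udm = {"metadata.vendor_name": "Microsoft", "metadata.product_name": "Windows Applocker",
           "metadata.event_type": "PROCESS_OPEN" if rec.get("EventID") in PROCESS_OPEN_IDS else "GENERIC_EVENT"}
    for src, dst in FIELD_MAP.items():
        val = lookup(rec, src)
        if val is not None:  # Sample Parsing stores every value as a string and "{guid}" as "guid"
            udm[dst] = str(val).strip("{}") if src == "ProviderGuid" else str(val)
    if "Hostname" in rec:  # hostname lands on both the principal and its asset
        udm["principal.asset.hostname"] = rec["Hostname"]
    if rec.get("EventType") == "INFO":
        udm["security_result.severity"] = "INFORMATIONAL"
    m = OUTCOME_RE.match(rec.get("Message", ""))
    if m:  # verdict text gives the action; the path before it fills full_path if RuleAndFileData is absent
        udm["security_result.action"] = "ALLOW" if m["verdict"] == "allowed to run" else "BLOCK"
        udm.setdefault("target.process.file.full_path", m["path"])
    return udm

# Abridged copy of the page's Log Sample (placeholder values quoted so it parses as JSON).
SAMPLE = ('{"Hostname":"Hostname1","EventType":"INFO","EventID":8002,"ProviderGuid":"{guid}",'
          '"RecordNumber":"record1","ProcessID":18668,"ThreadID":2488,"Domain":"domain",'
          '"Channel":"Microsoft-Windows-AppLocker/EXE and DLL","AccountName":"username","UserID":"sid",'
          '"AccountType":"User","Message":"filepath was allowed to run.","SourceModuleName":"applocker",'
          '"SourceModuleType":"im_msvistalog"}')
```

Running `normalize(SAMPLE)` yields the 21 UDM fields listed under Sample Parsing; an event with a different EventID falls through to GENERIC_EVENT.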
Parser Alerting
This product currently does not have any Parser-based Alerting.