FEATURE REQUEST - AppLocker Connector - CaseID: 792665

I have a Windows RDS Farm with AppLocker enabled and wish to know if anyone attempts to run software not listed in the AppLocker policy.

The following Applications and Services Logs are used to collect this information

Microsoft-Windows-AppLocker/EXE and DLL

Microsoft-Windows-AppLocker/MSI and Script

- Device/Application Manufacturer: Microsoft

- Device/Application URL: Windows AppLocker
- Device/Application Version : Microsoft Windows Server 2008 R2 SP1.
- Device/Application Description: Blocks applications from running using a White List in a Group Policy and records entries to the Applications and Services Logs which can be viewed via Windows Event Log
- Device/Application Use Case: I wish to be notified when a user has attempted to run a non-standard application so we can look to resolve the issue before it becomes a wider problem.
- How does the Device/Application log?: Windows Event Log.
- How often do the logs rotate?: The log has a maximum file size of 1028KB and will overwrite events as needed
- Format of the filename of the logs?: evtx and doesn't change
- What is the path of the log?:

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4MSI and Script.evtx

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx

If it helps, below is a screenshot and XML from each log which details a specific application and script that caused the errors...

Microsoft-Windows-AppLocker/EXE and DLL

EXE and DLL.png

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>

<Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>

<Computer>server1.domain.local</Computer>

</System>

- <UserData>

- <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">

<FilePath>\\server0\share\PROGRAM.EXE</FilePath>

<Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT

WINDOWS

OPERATING SYSTEM\WEXTRACT.EXE\6.0.2800.1106</Fqbn>

</RuleAndFileData>

</UserData>

</Event>

MSI and Script

MSI and Script.png

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>

<Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel>

<Computer>server1.domain.local</Computer>

</System>

- <UserData>

- <RuleAndFileData xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">

<PolicyName>SCRIPT</PolicyName>

<FilePath>\\server0\share\SCRIPT.VBS</FilePath>

</RuleAndFileData>

</UserData>

</Event>

Find more posts tagged with

microsoft applications and services logs

microsoft_application_monitoring

Status: None

Comments

FormerMember

I don't see that anyone has commented on this but there is a connector for the EXE and DLL event log side of this - it's in the standard connectors package: SolarWinds Knowledge Base :: Applying a LEM Connector Update Package but you'll also have to perform a couple extra steps to rename the spaces out of the event log due to a current limitation in LEM.

jhynds

There are two AppLocker connectors which be found within the 'Application' category within LEM connectors, these connectors collect AppLocker logs from Microsoft-Windows-AppLocker/EXEandDLL and Microsoft-Windows-AppLocker/MSIandScript.

Please see this KB article for steps on collecting AppLocker events in LEM.