Re: How do I parse AppLocker Windows Event Log? re...

mdsbmgf · ‎05-16-2016

I've been able to get the data from the AppLocker log into Splunk. A search with the data source piped into | xmlkv results in the expected result. I am trying to get the data into separate fields so | xmlkv does not have to be used. I've entered KV_mode=xml in props.conf for the datasource, which does not work. I've also tried writing regex and transforms, but have not been successful with either. The end result I am going for is to have Splunk parse out the different fields. Plz....haaalp....I'm very new to Splunk and have been trying over the last few days to solve this.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-AppLocker' Guid='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'/>
        <EventID>8002</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime='2016-05-16T18:31:15.732349300Z'/>
        <EventRecordID>441</EventRecordID>
        <Correlation/>
        <Execution ProcessID='4164' ThreadID='5772'/>
        <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
        <Computer>xxxxxxxxxxxxxxxxxxx</Computer>
        <Security UserID='S-0-0-00-0000000000-0000000000-00000000-000000'/>
    </System>
    <UserData>
        <RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>
            <PolicyName>EXE</PolicyName>
            <RuleId>{A61C8B2C-A319-4CD0-9690-D2177CAD7B51}</RuleId>
            <RuleName>(Default Rule) All files located in the Windows folder</RuleName>
            <RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl>
            <TargetUser>S-0-0-00-0000000000-0000000000-00000000-000000</TargetUser>
            <TargetProcessId>4904</TargetProcessId>
            <FilePath>%SYSTEM32%\NOTEPAD.EXE</FilePath>
            <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
            <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NOTEPAD.EXE\6.3.9600.17930</Fqbn>
        </RuleAndFileData>
    </UserData>

mikaelbje · ‎01-12-2017

Do you have the Splunk Add-on for Microsoft Windows ( https://splunkbase.splunk.com/app/742 ) installed on your Search Head?

It defines the following sourcetype stanza in props.conf which I believe should auto extract this for you (given that your sourcetype is "XmlWinEventLog:*"):

[(?::){0}XmlWinEventLog:*]

If this doesn't work out of the box with the add-on, could you try adding the following to Splunk_TA_windows?

local/transforms.conf:

[userdata_props_xml_kv]
# Extracts anything in the form of <tag>value</tag> as tag::value
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1

local/props.conf:

[(?::){0}XmlWinEventLog:*]
REPORT-1xml_kv_extract = userdata_props_xml_kv

This is untested in Splunk but I tested the regex in an online regex tool and I could see the fields extracted

thambisetty_bal · ‎10-15-2016

Hi,
Add below parameter in inputs.conf to render events in xml,
[stanza]
index=index_name
renderXml=true # this parameter will do trick.

jpolcari · ‎09-12-2016

I'm having the same exact issue. Were you able to solve this?

How do I parse AppLocker Windows Event Log? renderXml works, KV_mode = xml does not [Applocker]

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...