Solved

Logpoint Agent X Applocker Dashboard

  • 26 October 2023
  • 3 replies
  • 97 views

Hi.

We have implemented Agent X into our systems, and we are observing Applocker Events with Agent X.
Now our customer would like a dashboard for these Event.
And I was not sure how to go about creating these Dashboards.
How can I make a dashboard specifically for the Eventviewer logs.

Cheers Mike

icon

Best answer by Nils Krumey 27 October 2023, 08:28

View original

3 replies

Userlevel 4
Badge +7

It will all start with a search. I don’t quite know what Applocker events show up as in the logs, but if you do a full text search for “applocker” against your AgentX logs, hopefully there is something that you can identify - either certain labels, or perhaps the event-source field. You can limit your search to AgentX log by using norm_id=AgentX, or of course by just selecting the correct repository.

And then it is a question as to what you actually want to visualise - usually it’d be something like

norm_id=AgentX event_source=Microsoft-Windows-AppLocker |chart count() by message

or action, or account, or whatever fields you see in your AppLocker logs.

Once you have the right query, you can add it do a new dashboard widgets from the dropdown in the top right of the Search interface.

It will all start with a search. I don’t quite know what Applocker events show up as in the logs, but if you do a full text search for “applocker” against your AgentX logs, hopefully there is something that you can identify - either certain labels, or perhaps the event-source field. You can limit your search to AgentX log by using norm_id=AgentX, or of course by just selecting the correct repository.

And then it is a question as to what you actually want to visualise - usually it’d be something like

norm_id=AgentX event_source=Microsoft-Windows-AppLocker |chart count() by message

or action, or account, or whatever fields you see in your AppLocker logs.

Once you have the right query, you can add it do a new dashboard widgets from the dropdown in the top right of the Search interface.

First of all thank you so much for the help.

Oddly the event_source Windows applocker doesnt pop up at all.
So I told Agent X to report on certain windows event like

Event ID Level Event message Description
8000 Error AppID policy conversion failed. Status * <%1> * Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.
8001 Information The AppLocker policy was applied successfully to this computer. Indicates that the AppLocker policy was successfully applied to the computer.
8002 Information *<File name> * was allowed to run. Specifies that the .exe or .dll file is allowed by an AppLocker rule.
8003 Warning *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled.
8004 Error *<File name> * was prevented from running. Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.
8005 Information *<File name> * was allowed to run. Specifies that the script or .msi file is allowed by an AppLocker rule.
8006 Warning *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled.
8007 Error *<File name> * was prevented from running. Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.
8008 Warning *<File name> *: AppLocker component not available on this SKU. Added in Windows Server 2012 and Windows 8.
8020 Information *<File name> * was allowed to run. Added in Windows Server 2012 and Windows 8.
8021 Warning *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Added in Windows Server 2012 and Windows 8.
8022 Error *<File name> * was prevented from running. Added in Windows Server 2012 and Windows 8.
8023 Information *<File name> * was allowed to be installed. Added in Windows Server 2012 and Windows 8.
8024 Warning *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Added in Windows Server 2012 and Windows 8.
8025 Error *<File name> * was prevented from running. Added in Windows Server 2012 and Windows 8.
8027 Error No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured. Added in Windows Server 2012 and Windows 8.
8028 Warning *<File name> * was allowed to run but would have been prevented if the Config CI policy were enforced. Added in Windows Server 2016 and Windows 10.
8029 Error *<File name> * was prevented from running due to Config CI policy. Added in Windows Server 2016 and Windows 10.
8030 Information ManagedInstaller check SUCCEEDED during Appid verification of * Added in Windows Server 2016 and Windows 10.
8031 Information SmartlockerFilter detected file * being written by process * Added in Windows Server 2016 and Windows 10.
8032 Error ManagedInstaller check FAILED during Appid verification of * Added in Windows Server 2016 and Windows 10.
8033 Warning ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. Added in Windows Server 2016 and Windows 10.
8034 Information ManagedInstaller Script check FAILED during Appid verification of * Added in Windows Server 2016 and Windows 10.
8035 Error ManagedInstaller Script check SUCCEEDED during Appid verification of * Added in Windows Server 2016 and Windows 10.
8036 Error * was prevented from running due to Config CI policy Added in Windows Server 2016 and Windows 10.
8037 Information * passed Config CI policy and was allowed to run. Added in Windows Server 2016 and Windows 10.
8038 Information Publisher info: Subject: * Issuer: * Signature index * (* total) Added in Windows Server 2016 and Windows 10.
8039 Warning Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy Added in Windows Server 2016 and Windows 10.
8040 Error Package family name * version * was prevented from installing or updating due to Config CI policy

 

The ones in this list in the event ID list.
is there anything else that needs to be done that I missed for it to collect these logs?

Userlevel 4
Badge +7

As long as the log is coming from a Windows Event Log, there should be an event_source field. I took the example from our demo system, and there the event_source field was present for an Applocker event - but it’s possible something has changed/broken.

I would suggest opening a Support ticket, and supplying the raw log(s) and how it gets normalised - ideally, all of your events should be labelled too, so that you don’t need to map anything manually like you did. I suppose there weren’t any useful labels either?

Reply