Hi.
We have implemented Agent X into our systems, and we are observing Applocker Events with Agent X.
Now our customer would like a dashboard for these Event.
And I was not sure how to go about creating these Dashboards.
How can I make a dashboard specifically for the Eventviewer logs.
Cheers Mike
Best answer by Nils Krumey
View original
+7
It will all start with a search. I don’t quite know what Applocker events show up as in the logs, but if you do a full text search for “applocker” against your AgentX logs, hopefully there is something that you can identify - either certain labels, or perhaps the event-source field. You can limit your search to AgentX log by using norm_id=AgentX, or of course by just selecting the correct repository.
And then it is a question as to what you actually want to visualise - usually it’d be something like
norm_id=AgentX event_source=Microsoft-Windows-AppLocker |chart count() by message
or action, or account, or whatever fields you see in your AppLocker logs.
Once you have the right query, you can add it do a new dashboard widgets from the dropdown in the top right of the Search interface.
It will all start with a search. I don’t quite know what Applocker events show up as in the logs, but if you do a full text search for “applocker” against your AgentX logs, hopefully there is something that you can identify - either certain labels, or perhaps the event-source field. You can limit your search to AgentX log by using norm_id=AgentX, or of course by just selecting the correct repository.
And then it is a question as to what you actually want to visualise - usually it’d be something like
norm_id=AgentX event_source=Microsoft-Windows-AppLocker |chart count() by message
or action, or account, or whatever fields you see in your AppLocker logs.
Once you have the right query, you can add it do a new dashboard widgets from the dropdown in the top right of the Search interface.
First of all thank you so much for the help.
Oddly the event_source Windows applocker doesnt pop up at all.
So I told Agent X to report on certain windows event like
| Event ID | Level | Event message | Description |
|---|---|---|---|
| 8000 | Error | AppID policy conversion failed. Status * <%1> * | Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes. |
| 8001 | Information | The AppLocker policy was applied successfully to this computer. | Indicates that the AppLocker policy was successfully applied to the computer. |
| 8002 | Information | *<File name> * was allowed to run. | Specifies that the .exe or .dll file is allowed by an AppLocker rule. |
| 8003 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled. |
| 8004 | Error | *<File name> * was prevented from running. | Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run. |
| 8005 | Information | *<File name> * was allowed to run. | Specifies that the script or .msi file is allowed by an AppLocker rule. |
| 8006 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled. |
| 8007 | Error | *<File name> * was prevented from running. | Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run. |
| 8008 | Warning | *<File name> *: AppLocker component not available on this SKU. | Added in Windows Server 2012 and Windows 8. |
| 8020 | Information | *<File name> * was allowed to run. | Added in Windows Server 2012 and Windows 8. |
| 8021 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Added in Windows Server 2012 and Windows 8. |
| 8022 | Error | *<File name> * was prevented from running. | Added in Windows Server 2012 and Windows 8. |
| 8023 | Information | *<File name> * was allowed to be installed. | Added in Windows Server 2012 and Windows 8. |
| 8024 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Added in Windows Server 2012 and Windows 8. |
| 8025 | Error | *<File name> * was prevented from running. | Added in Windows Server 2012 and Windows 8. |
| 8027 | Error | No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured. | Added in Windows Server 2012 and Windows 8. |
| 8028 | Warning | *<File name> * was allowed to run but would have been prevented if the Config CI policy were enforced. | Added in Windows Server 2016 and Windows 10. |
| 8029 | Error | *<File name> * was prevented from running due to Config CI policy. | Added in Windows Server 2016 and Windows 10. |
| 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10. |
| 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10. |
| 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10. |
| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. | Added in Windows Server 2016 and Windows 10. |
| 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10. |
| 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10. |
| 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10. |
| 8037 | Information | * passed Config CI policy and was allowed to run. | Added in Windows Server 2016 and Windows 10. |
| 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10. |
| 8039 | Warning | Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy | Added in Windows Server 2016 and Windows 10. |
| 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy |
The ones in this list in the event ID list.
is there anything else that needs to be done that I missed for it to collect these logs?
+7
As long as the log is coming from a Windows Event Log, there should be an event_source field. I took the example from our demo system, and there the event_source field was present for an Applocker event - but it’s possible something has changed/broken.
I would suggest opening a Support ticket, and supplying the raw log(s) and how it gets normalised - ideally, all of your events should be labelled too, so that you don’t need to map anything manually like you did. I suppose there weren’t any useful labels either?
Already have an account? Login
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
