1 change: 1 addition & 0 deletions .github/CODEOWNERS
Expand Up @@ -256,6 +256,7 @@
/packages/windows/data_stream/applocker_exe_and_dll @elastic/security-external-integrations
/packages/windows/data_stream/applocker_msi_and_script @elastic/security-external-integrations
/packages/windows/data_stream/applocker_packaged_app_deployment @elastic/security-external-integrations
/packages/windows/data_stream/applocker_packaged_app_execution @elastic/security-external-integrations
/packages/windows/data_stream/forwarded @elastic/security-external-integrations
/packages/windows/data_stream/perfmon @elastic/elastic-agent-data-plane
/packages/windows/data_stream/powershell @elastic/security-external-integrations
9 changes: 9 additions & 0 deletions packages/windows/_dev/build/docs/README.md
Expand Up @@ -109,6 +109,15 @@ The Windows `applocker_packaged_app_deployment` data stream provides events from

{{fields "applocker_packaged_app_deployment"}}

### AppLocker/Packaged app-Execution

The Windows `applocker_packaged_app_execution` data stream provides events from the Windows
`Microsoft-Windows-AppLocker/Packaged app-Execution` event log.

{{event "applocker_packaged_app_execution"}}

{{fields "applocker_packaged_app_execution"}}

### Forwarded

The Windows `forwarded` data stream provides events from the Windows
44 changes: 44 additions & 0 deletions packages/windows/_dev/deploy/docker/files/config.yml
Expand Up @@ -307,3 +307,47 @@ rules:
"splunk_server": "69819b6ce1bd"
}
}
- path: /services/search/jobs/export
user: test
password: test
methods:
- post
query_params:
index_earliest: "{index_earliest:[0-9]+}"
index_latest: "{index_latest:[0-9]+}"
output_mode: json
search: 'search sourcetype="XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution" | streamstats max(_indextime) AS max_indextime'
request_headers:
Content-Type:
- "application/x-www-form-urlencoded"
responses:
- status_code: 200
headers:
Content-Type:
- "application/json"
body: |-
{
"preview": false,
"offset": 194,
"lastrow": true,
"result": {
"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
"_cd": "0:315",
"_indextime": "1622471463",
"_raw": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'/><EventID>8020</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x2000000000000000</Keywords><TimeCreated SystemTime='2023-08-13T13:53:33.7067781Z'/><EventRecordID>2986</EventRecordID><Correlation/><Execution ProcessID='1672' ThreadID='8384'/><Channel>Microsoft-Windows-AppLocker/Packaged app-Execution</Channel><Computer>el33t-b00k-1</Computer><Security UserID='S-1-5-21-2707992022-4034939591-3454028951-1001'/></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>4</PolicyNameLength><PolicyName>APPX</PolicyName><RuleId>{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}</RuleId><RuleNameLength>39</RuleNameLength><RuleName>(Default Rule) All signed packaged apps</RuleName><RuleSddlLength>81</RuleSddlLength><RuleSddl>D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) &amp;&amp; ((APPID://FQBN) &gt;= ({\\\"*\\\\*\\\\*\\\",0}))))</RuleSddl><TargetUser>S-1-5-21-2707992022-4034939591-3454028951-1001</TargetUser><TargetProcessId>41864</TargetProcessId><PackageLength>15</PackageLength><Package>MICROSOFT.TODOS</Package><FqbnLength>116</FqbnLength><Fqbn>CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\\MICROSOFT.TODOS\\\\APPX\\\\2.100.61791.00</Fqbn></RuleAndFileData></UserData></Event>",
"_serial": "194",
"_si": [
"69819b6ce1bd",
"main"
],
"_sourcetype": "XmlWinEventLog:Security",
"_time": "2021-05-25 13:11:45.000 UTC",
"host": "VAGRANT",
"index": "main",
"linecount": "1",
"max_indextime": "1622471606",
"source": "WinEventLog:Security",
"sourcetype": "XmlWinEventLog:Security",
"splunk_server": "69819b6ce1bd"
}
}
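Review bot: The mocked Splunk result carries `"source": "WinEventLog:Security"`, `"sourcetype"`/`"_sourcetype": "XmlWinEventLog:Security"`, `"host": "VAGRANT"` and a 2021 `_time`, although the search it answers targets `XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution` and the `_raw` event is a 2023 record from `el33t-b00k-1` — the fixture looks copied from the Security-channel mock. Because the httpjson stream renames `json.result.source` to `event.provider` and `json.result.host` to `host.name`, the mock as written feeds those renames values from the wrong channel; whether that shows up in the final document depends on whether `decode_xml_wineventlog` overwrites them, which I cannot confirm from this page. I would set `"source": "WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution"`, the two sourcetype fields to `"XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution"`, and `"host": "el33t-b00k-1"` so the system test exercises the real field flow.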
5 changes: 5 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.32.0"
changes:
- description: Add Windows AppLocker Packaged app-Execution data stream
type: enhancement
link: https://github.com/elastic/integrations/pull/7446
- version: "1.31.0"
changes:
- description: Add Windows AppLocker Packaged app-Deployment data stream
@@ -0,0 +1,57 @@
{
"events": [
{
"@timestamp": "2023-08-13T13:53:33.7067781Z",
"event": {
"code": "8020",
"kind": "event",
"provider": "Microsoft-Windows-AppLocker"
},
"host": {
"name": "el33t-b00k-1"
},
"log": {
"level": "Information"
},
"message": "MICROSOFT.TODOS was allowed to run.",
"winlog": {
"activity_id": "",
"channel": "Microsoft-Windows-AppLocker/Packaged app-Execution",
"computer_name": "el33t-b00k-1",
"user_data": {
"PolicyNameLength": "4",
"PolicyName": "APPX",
"RuleId": "{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}",
"RuleNameLength": "39",
"RuleName": "(Default Rule) All signed packaged apps",
"RuleSddlLength": "81",
"RuleSddl": "D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({\"*\\*\\*\",0}))))",
"TargetUser": "S-1-5-21-2707992022-4034939591-3454028951-1001",
"TargetProcessId": "41864",
"PackageLength": "15",
"Package": "MICROSOFT.TODOS",
"FqbnLength": "116",
"Fqbn": "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.TODOS\\APPX\\2.100.61791.00"
},
"event_id": "8020",
"level": "Information",
"opcode": "Info",
"process": {
"pid": 1672,
"thread": {
"id": 8384
}
},
"provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22",
"provider_name": "Microsoft-Windows-AppLocker",
"record_id": "2986",
"time_created": "2023-08-13T13:53:33.7067781Z",
"user": {
"identifier": "S-1-5-21-2707992022-4034939591-3454028951-1001",
"name": "Topsy"
},
"version": 0
}
}
]
}
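Review bot: The only sample is the allow outcome (`"code": "8020"`, message `MICROSOFT.TODOS was allowed to run.`), so the pipeline test never sees the outcome that security monitoring actually alerts on. If this channel also logs block or audit-only decisions — I cannot confirm their event codes from this page — a second sample for one of them would pin how `event.type` and `event.outcome` are derived for a denial, which the current expected output (`"type": "start"`) leaves untested.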
@@ -0,0 +1,81 @@
{
"expected": [
{
"@timestamp": "2023-08-13T13:53:33.706Z",
"ecs": {
"version": "8.9.0"
},
"event": {
"category": "process",
"code": "8020",
"kind": "event",
"provider": "Microsoft-Windows-AppLocker",
"type": "start"
},
"file": {
"pe": {
"file_version": "2.100.61791.00",
"original_file_name": "APPX",
"product": "MICROSOFT.TODOS"
},
"x509": {
"subject": {
"common_name": "MICROSOFT CORPORATION",
"country": "US",
"locality": "REDMOND",
"organization": "MICROSOFT CORPORATION",
"state_or_province": "WASHINGTON"
}
}
},
"host": {
"name": "el33t-b00k-1"
},
"log": {
"level": "Information"
},
"message": "MICROSOFT.TODOS was allowed to run.",
"user": {
"id": "S-1-5-21-2707992022-4034939591-3454028951-1001",
"name": "Topsy"
},
"winlog": {
"activity_id": "",
"channel": "Microsoft-Windows-AppLocker/Packaged app-Execution",
"computer_name": "el33t-b00k-1",
"event_id": "8020",
"level": "Information",
"opcode": "Info",
"process": {
"pid": 1672,
"thread": {
"id": 8384
}
},
"provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22",
"provider_name": "Microsoft-Windows-AppLocker",
"record_id": "2986",
"time_created": "2023-08-13T13:53:33.7067781Z",
"user": {
"identifier": "S-1-5-21-2707992022-4034939591-3454028951-1001"
},
"user_data": {
"Fqbn": "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.TODOS\\APPX\\2.100.61791.00",
"FqbnLength": 116,
"Package": "MICROSOFT.TODOS",
"PackageLength": "15",
"PolicyName": "APPX",
"PolicyNameLength": 4,
"RuleId": "{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}",
"RuleName": "(Default Rule) All signed packaged apps",
"RuleNameLength": 39,
"RuleSddl": "D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) \u0026\u0026 ((APPID://FQBN) \u003e= ({\"*\\*\\*\",0}))))",
"RuleSddlLength": 81,
"TargetProcessId": 41864,
"TargetUser": "S-1-5-21-2707992022-4034939591-3454028951-1001"
},
"version": 0
}
}
]
}
@@ -0,0 +1,10 @@
input: httpjson
service: splunk-mock
vars:
url: http://{{Hostname}}:{{Port}}
username: test
password: test
enable_request_tracer: true
data_stream:
vars:
preserve_original_event: true
@@ -0,0 +1,104 @@
config_version: "2"
interval: {{interval}}
{{#if enable_request_tracer}}
request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
{{/if}}
{{#unless token}}
{{#if username}}
{{#if password}}
auth.basic.user: {{username}}
auth.basic.password: {{password}}
{{/if}}
{{/if}}
{{/unless}}
cursor:
index_earliest:
value: '[[.last_event.result.max_indextime]]'
request.url: {{url}}/services/search/jobs/export
{{#if ssl}}
request.ssl: {{ssl}}
{{/if}}
request.method: POST
request.transforms:
- set:
target: url.params.search
value: |-
{{search}} | streamstats max(_indextime) AS max_indextime
- set:
target: url.params.output_mode
value: "json"
- set:
target: url.params.index_earliest
value: '[[ .cursor.index_earliest ]]'
default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
- set:
target: url.params.index_latest
value: '[[(now).Unix]]'
- set:
target: header.Content-Type
value: application/x-www-form-urlencoded
{{#unless username}}
{{#unless password}}
{{#if token}}
- set:
target: header.Authorization
value: {{token}}
{{/if}}
{{/unless}}
{{/unless}}
response.decode_as: application/x-ndjson
{{#if tags.length}}
tags:
{{else if preserve_original_event}}
tags:
{{/if}}
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
processors:
- decode_json_fields:
fields: message
target: json
add_error_key: true
- drop_event:
when:
not:
has_fields: ['json.result']
- fingerprint:
fields:
- json.result._cd
- json.result._indextime
- json.result._raw
- json.result._time
- json.result.host
- json.result.source
target_field: "@metadata._id"
- drop_fields:
fields: message
- rename:
fields:
- from: json.result._raw
to: event.original
- from: json.result.host
to: host.name
- from: json.result.source
to: event.provider
ignore_missing: true
fail_on_error: false
- drop_fields:
fields: json
- decode_xml_wineventlog:
field: event.original
target_field: winlog
ignore_missing: true
ignore_failure: true
map_ecs_fields: true
{{#if processors.length}}
{{processors}}
{{/if}}
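Review bot: The two authentication branches leave a silent gap: `auth.basic.*` is emitted only when `token` is unset and both `username` and `password` are set, while the `Authorization` header is emitted only when both `username` and `password` are unset — so a policy with `token` plus a stray `username` (or `password`) alone produces no credentials and the request goes out unauthenticated instead of failing at configuration time. I would restructure the block as `{{#if token}}` → set `header.Authorization`, `{{else}}` → the existing username/password nesting, `{{/if}}`, which closes the gap and makes the precedence explicit, with a comment such as `# token takes precedence over basic auth; with neither set, requests are sent unauthenticated` above it. Separately, `request.tracer.filename` writes the full request/response exchange to `../../logs/httpjson/`; unless the tracer redacts `Authorization` (I cannot confirm that from this page) the trace file can contain the Splunk credentials, which the `enable_request_tracer` variable description should state so it is treated as debug-only.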
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: Microsoft-Windows-AppLocker/Packaged app-Execution
condition: ${host.platform} == 'windows'
{{#if event_id}}
event_id: {{event_id}}
{{/if}}
{{#if ignore_older}}
ignore_older: {{ignore_older}}
{{/if}}
{{#if language}}
language: {{language}}
{{/if}}
{{#if tags.length}}
tags:
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
{{/if}}
{{#if preserve_original_event}}
include_xml: true
{{/if}}
processors:
- translate_sid:
field: winlog.event_data.MemberSid
account_name_target: winlog.event_data._MemberUserName
domain_target: winlog.event_data._MemberDomain
account_type_target: winlog.event_data._MemberAccountType
ignore_missing: true
ignore_failure: true
{{#if processors.length}}
{{processors}}
{{/if}}
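Review bot: The `translate_sid` processor reads `winlog.event_data.MemberSid`, a field of the Security-channel group-membership events; the AppLocker Packaged app-Execution record on this page puts its data under `winlog.user_data` with the SID in `TargetUser` (see the sample event), so with `ignore_missing: true` this processor never fires and is dead configuration carried over from another stream. Either drop it, or point it at the field this channel actually provides so the target user is resolved to a name for analysts; the latter will change the pipeline test's expected output and needs a field definition for the new `_Target*` keys, which I cannot see on this page.

```yaml
processors:
  - translate_sid:
      field: winlog.user_data.TargetUser
      account_name_target: winlog.user_data._TargetUserName
      domain_target: winlog.user_data._TargetDomain
      account_type_target: winlog.user_data._TargetAccountType
      ignore_missing: true
      ignore_failure: true
# … unchanged: {{#if processors.length}} passthrough …
```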