[windows] Add Initial AppLocker Data Stream (EXE and DLL) (#6977)

Author: nicpenning

packages/windows/_dev/build/docs/README.md

@@ -82,6 +82,15 @@ the events from Windows. The filter shown below is equivalent to
 
 ## Logs reference
 
+### AppLocker/EXE and DLL
+
+The Windows `applocker_exe_and_dll` data stream provides events from the Windows
+`Microsoft-Windows-AppLocker/EXE and DLL` event log.
+
+{{event "applocker_exe_and_dll"}}
+
+{{fields "applocker_exe_and_dll"}}
+
 ### Forwarded
 
 The Windows `forwarded` data stream provides events from the Windows

packages/windows/_dev/deploy/docker/files/config.yml

@@ -175,3 +175,47 @@ rules:
  "splunk_server": "69819b6ce1bd"
  }
  }
+ - path: /services/search/jobs/export
+ user: test
+ password: test
+ methods:
+ - post
+ query_params:
+ index_earliest: "{index_earliest:[0-9]+}"
+ index_latest: "{index_latest:[0-9]+}"
+ output_mode: json
+ search: 'search sourcetype="XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL" | streamstats max(_indextime) AS max_indextime'
+ request_headers:
+ Content-Type:
+ - "application/x-www-form-urlencoded"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json"
+ body: |-
+ {
+ "preview": false,
+ "offset": 194,
+ "lastrow": true,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppLocker' Guid='{cbda4dbf-8d5d-4f69-9578-be14aa540d22}' /><EventID>8003</EventID><Version>0</Version><Level>3</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-07-20T15:05:03.8826518Z' /><EventRecordID>154247</EventRecordID><Correlation /><Execution ProcessID='33848' ThreadID='12040' /><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>TOPSYLL.local</Computer><Security UserID='S-1-5-21-1133191089-1850170202-1535859923-200319' /></System><UserData><RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>EXE</PolicyName><RuleId>{00000000-0000-0000-0000-000000000000}</RuleId><RuleNameLength>1</RuleNameLength><RuleName>-</RuleName><RuleSddlLength>1</RuleSddlLength><RuleSddl>-</RuleSddl><TargetUser>S-1-5-21-1133191089-1850170202-1535859923-200319</TargetUser><TargetProcessId>27116</TargetProcessId><FilePathLength>101</FilePathLength><FilePath>%OSDRIVE%\\USERS\\TOPSY\\APPDATA\\LOCAL\\GITHUBDESKTOP\\APP-3.1.2\\RESOURCES\\APP\\GIT\\MINGW64\\BIN\\GIT.EXE</FilePath><FileHashLength>32</FileHashLength><FileHash>11D3940DE41D28E044CE45AB76A6D824E617D99B62C5FB44E37BE5CD7B0545F5</FileHash><FqbnLength>72</FqbnLength><Fqbn>O=JOHANNES SCHINDELIN, S=NORDRHEIN-WESTFALEN, C=DE\\GIT\\GIT.EXE\\2.35.5.01</Fqbn><TargetLogonId>0x14fcb7</TargetLogonId><FullFilePathLength>94</FullFilePathLength><FullFilePath>C:\\Users\\TOPSY\\AppData\\Local\\GitHubDesktop\\app-3.1.2\\resources\\app\\git\\mingw64\\bin\\git.exe</FullFilePath></RuleAndFileData></UserData></Event>",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }

packages/windows/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.27.0"
+ changes:
+ - description: Adding initial Windows AppLocker data stream [beta]
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6977
 - version: "1.26.0"
  changes:
  - description: Set `event.action` to sysmon name in sysmon_operational.

packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003.json

@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "@timestamp": "2023-07-20T15:05:03.8826518Z",
+ "event": {
+ "code": 8003,
+ "kind": "event",
+ "provider": "Microsoft-Windows-AppLocker"
+ },
+ "host": {
+ "name": "TOPSYLL.local"
+ },
+ "log": {
+ "level": "Warning"
+ },
+ "message": "%OSDRIVE%\\USERS\\TOPSY\\APPDATA\\LOCAL\\GITHUBDESKTOP\\APP-3.1.2\\RESOURCES\\APP\\GIT\\MINGW64\\BIN\\GIT.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
+ "winlog": {
+ "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
+ "computer_name": "TOPSYLL.local",
+ "user_data": {
+ "PolicyNameLength": 3,
+ "PolicyName": "EXE",
+ "RuleId": "00000000-0000-0000-0000-000000000000",
+ "RuleNameLength": 1,
+ "RuleName": "-",
+ "RuleSddlLength": 1,
+ "RuleSddl": "-",
+ "TargetUser": "S-1-5-21-1133191089-1850170202-1535859923-200319",
+ "TargetProcessId": 27116,
+ "FilePathLength": 101,
+ "FilePath": "%OSDRIVE%\\USERS\\TOPSY\\APPDATA\\LOCAL\\GITHUBDESKTOP\\APP-3.1.2\\RESOURCES\\APP\\GIT\\MINGW64\\BIN\\GIT.EXE",
+ "FileHashLength": 32,
+ "FileHash": "11D3940DE41D28E044CE45AB76A6D824E617D99B62C5FB44E37BE5CD7B0545F5",
+ "FqbnLength": 72,
+ "Fqbn": "O=JOHANNES SCHINDELIN, S=NORDRHEIN-WESTFALEN, C=DE\\GIT\\GIT.EXE\\2.35.5.01",
+ "TargetLogonId": "0x14FCB7",
+ "FullFilePathLength": 94,
+ "FullFilePath": "C:\\Users\\TOPSY\\AppData\\Local\\GitHubDesktop\\app-3.1.2\\resources\\app\\git\\mingw64\\bin\\git.exe"
+ },
+ "event_id": "8003",
+ "level": "Warning",
+ "opcode": "Info\u0000",
+ "process": {
+ "pid": 33848,
+ "thread": {
+ "id": 12040
+ }
+ },
+ "provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22",
+ "provider_name": "Microsoft-Windows-AppLocker",
+ "record_id": 154247,
+ "time_created": "2023-07-20T15:05:03.8826518Z",
+ "user": {
+ "identifier": "S-1-5-21-1133191089-1850170202-1535859923-200319"
+ },
+ "version": 0
+ }
+ }
+ ]
+}

packages/windows/data_stream/applocker_exe_and_dll/_dev/test/pipeline/test-events-applocker-exe-8003.json-expected.json

@@ -0,0 +1,68 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2023-07-20T15:05:03.882Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": "process",
+ "code": "8003",
+ "kind": "event",
+ "provider": "Microsoft-Windows-AppLocker",
+ "type": "start"
+ },
+ "host": {
+ "name": "TOPSYLL.local"
+ },
+ "log": {
+ "level": "Warning"
+ },
+ "message": "%OSDRIVE%\\USERS\\TOPSY\\APPDATA\\LOCAL\\GITHUBDESKTOP\\APP-3.1.2\\RESOURCES\\APP\\GIT\\MINGW64\\BIN\\GIT.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
+ "user": {
+ "id": "S-1-5-21-1133191089-1850170202-1535859923-200319"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
+ "computer_name": "TOPSYLL.local",
+ "event_id": "8003",
+ "level": "Warning",
+ "opcode": "Info\u0000",
+ "process": {
+ "pid": 33848,
+ "thread": {
+ "id": 12040
+ }
+ },
+ "provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22",
+ "provider_name": "Microsoft-Windows-AppLocker",
+ "record_id": "154247",
+ "time_created": "2023-07-20T15:05:03.8826518Z",
+ "user": {
+ "identifier": "S-1-5-21-1133191089-1850170202-1535859923-200319"
+ },
+ "user_data": {
+ "FileHash": "11D3940DE41D28E044CE45AB76A6D824E617D99B62C5FB44E37BE5CD7B0545F5",
+ "FileHashLength": 32,
+ "FilePath": "%OSDRIVE%\\USERS\\TOPSY\\APPDATA\\LOCAL\\GITHUBDESKTOP\\APP-3.1.2\\RESOURCES\\APP\\GIT\\MINGW64\\BIN\\GIT.EXE",
+ "FilePathLength": 101,
+ "Fqbn": "O=JOHANNES SCHINDELIN, S=NORDRHEIN-WESTFALEN, C=DE\\GIT\\GIT.EXE\\2.35.5.01",
+ "FqbnLength": 72,
+ "FullFilePath": "C:\\Users\\TOPSY\\AppData\\Local\\GitHubDesktop\\app-3.1.2\\resources\\app\\git\\mingw64\\bin\\git.exe",
+ "FullFilePathLength": 94,
+ "PolicyName": "EXE",
+ "PolicyNameLength": 3,
+ "RuleId": "00000000-0000-0000-0000-000000000000",
+ "RuleName": "-",
+ "RuleNameLength": 1,
+ "RuleSddl": "-",
+ "RuleSddlLength": 1,
+ "TargetLogonId": "0x14FCB7",
+ "TargetProcessId": 27116,
+ "TargetUser": "S-1-5-21-1133191089-1850170202-1535859923-200319"
+ },
+ "version": 0
+ }
+ }
+ ]
+}

packages/windows/data_stream/applocker_exe_and_dll/_dev/test/system/test-default-config.yml

@@ -0,0 +1,10 @@
+input: httpjson
+service: splunk-mock
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ username: test
+ password: test
+ enable_request_tracer: true
+data_stream:
+ vars:
+ preserve_original_event: true

packages/windows/data_stream/applocker_exe_and_dll/agent/stream/httpjson.yml.hbs

@@ -0,0 +1,104 @@
+config_version: "2"
+interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+- drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+- fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+- drop_fields:
+ fields: message
+- rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+- drop_fields:
+ fields: json
+- decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+ ignore_failure: true
+ map_ecs_fields: true
+{{#if processors.length}}
+{{processors}}
+{{/if}}

packages/windows/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs

@@ -0,0 +1,31 @@
+name: Microsoft-Windows-AppLocker/EXE and DLL
+condition: ${host.platform} == 'windows'
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+processors:
+- translate_sid:
+ field: winlog.event_data.MemberSid
+ account_name_target: winlog.event_data._MemberUserName
+ domain_target: winlog.event_data._MemberDomain
+ account_type_target: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+{{#if processors.length}}
+{{processors}}
+{{/if}}