
Microsoft AppLocker Parser Override IP Sub

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

The document describes a limitation of HP Enterprise Security's Windows Unified Connector (WUC): it cannot collect AppLocker events directly from platforms such as Windows 2008 and Windows Vista, because AppLocker writes to nested event logs that the connector cannot interrogate. The recommended workaround is Microsoft's native Windows Event Forwarding (WEF): forward all AppLocker events to a central server running Windows 2012 or 2008, and let a WUC connector collect them from that server. An AppLocker parser override was developed so that the forwarded events are parsed correctly. It handles the AppLocker-specific event IDs, sets the device event class ID in the format "Microsoft-Windows-AppLocker:", and maps a number of fields for the parsed events. The override can be deployed either through the Connector Appliance or by copying the files manually into the connector's home directory. A companion categorization file, "er.csv", is placed at ``` $Connector_Home/Current/user/agent/acp/categorizer/current/microsoft ``` so that the parsed AppLocker events are categorized correctly in ESM or Logger after deployment; it carries pre-defined categories for the AppLocker event types.

Details:

HP Enterprise Security Products (ArcSight and Global Services) offers a range of products for protecting enterprise networks. AppLocker itself is not one of them: it is the Windows feature that restricts which programs may run on a system, and the problem at hand is collecting its events. The Windows Unified Connector (WUC) cannot collect AppLocker events from platforms such as Windows 2008 and Windows Vista, because AppLocker writes to nested event logs that the WUC connector is unable to interrogate.

To work around this, Microsoft recommends the native Windows Event Forwarding (WEF) feature: forward all AppLocker events to a central server running Windows 2012 or 2008, then collect them from that server with a WUC connector.

An AppLocker parser override was developed so that events collected this way are parsed correctly. It covers the AppLocker-specific event IDs; every AppLocker event forwarded through WEF gets a device event class ID in the format "Microsoft-Windows-AppLocker:", and the override maps a set of fields (listed in the original document) for use when parsing these logs.

To deploy the override, either upload it through the Connector Appliance to the container holding the WUC connectors, or copy the files manually into the connector's home directory: $Connector_Home/Current/user/agent/fcp for Windows 2008 and $Connector_Home/Current/user/agent/fcp for Windows 2012 (the document gives the same path for both). With the override in place, program executions that AppLocker blocks or audits become visible in the SIEM, which is what makes the AppLocker restrictions worth monitoring centrally.
The second part of the document covers the categorization file "er.csv", which lives in a Microsoft-specific folder inside the connector's home directory and is what lets ESM or Logger categorize the parsed AppLocker events. The requirements:

1. **Folder structure**: place "er.csv" in ``` $Connector_Home/Current/user/agent/acp/categorizer/current/microsoft ``` . This is the categorizer path for Microsoft devices in the connector's configuration tree, alongside the parser override under fcp.

2. **Post-deployment responsibilities**: after the parser override has been deployed, you are expected to:

  • Verify that the parsed AppLocker events are correctly categorized in ESM or Logger.

3. **Systems involved**: the deployment touches the connectors, the parser override, and the ESM or Logger destination, which classifies the AppLocker events according to the entries in "er.csv".

4. **Purpose of the categorization file**: "er.csv" holds pre-defined category assignments for the AppLocker event types, so that ESM and Logger classify them consistently and the events can be handled efficiently in the wider infrastructure.

In short, the task is to configure a categorization scheme for AppLocker events so that, once the override is deployed, those events are organized and managed correctly in ESM and Logger.
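The parser override and "er.csv" described above are ArcSight configuration files that the post does not reproduce, so the following is an added, stand-alone illustration of what the two of them do together, written for this page and not taken from HP/ArcSight: it parses one forwarded AppLocker event (rendered Windows event XML, a constructed sample), builds a device event class ID of the form "Microsoft-Windows-AppLocker:" followed by the event ID (the suffix is an assumption; the page only shows the prefix), maps the AppLocker UserData fields to ArcSight-style field names, and then applies a constructed categorization table. The field assignments, the CSV header, and the category values are this example's choices, not the vendor override's mapping; the real override is a properties file under fcp and the real er.csv ships with it.

```python
"""Illustrative parser + categorizer for AppLocker events forwarded via WEF.

Added example for this page; not the ArcSight parser override or er.csv.
Field names mimic ArcSight/CEF naming, the sample XML and CSV are constructed.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Windows event XML namespace and the namespace AppLocker uses in <UserData>.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
APPLOCKER_NS = "http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"

# Constructed sample: one forwarded AppLocker event. 8004 is "EXE or DLL was
# prevented from running" in the "EXE and DLL" channel. Values are made up.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker"/>
    <EventID>8004</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2025-04-08T10:15:30.123Z"/>
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>ws01.example.local</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleName>Block unsigned tools in Downloads</RuleName>
      <TargetUser>S-1-5-21-1111-2222-3333-1001</TargetUser>
      <TargetProcessId>4120</TargetProcessId>
      <FilePath>%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\TOOL.EXE</FilePath>
      <FileHash>0xAB12CD34</FileHash>
      <Fqbn>-</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
"""

# Constructed stand-in for er.csv. The "event.x / set.event.y" header is the
# ArcSight categorizer convention as I recall it (assumption: take the real
# header and values from the vendor-supplied file).
SAMPLE_ER_CSV = """event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryDeviceGroup,set.event.categoryOutcome,set.event.categorySignificance
Microsoft-Windows-AppLocker:8002,/Host/Application,/Execute/Start,/Operating System,/Success,/Informational
Microsoft-Windows-AppLocker:8003,/Host/Application,/Execute/Start,/Operating System,/Success,/Informational/Warning
Microsoft-Windows-AppLocker:8004,/Host/Application,/Execute/Start,/Operating System,/Failure,/Informational/Warning
Microsoft-Windows-AppLocker:8005,/Host/Application,/Execute/Start,/Operating System,/Success,/Informational
Microsoft-Windows-AppLocker:8006,/Host/Application,/Execute/Start,/Operating System,/Success,/Informational/Warning
Microsoft-Windows-AppLocker:8007,/Host/Application,/Execute/Start,/Operating System,/Failure,/Informational/Warning
"""


def _text(parent, ns, tag):
    """Text of child <tag> in namespace ns, or None when the element is absent."""
    el = parent.find("{%s}%s" % (ns, tag)) if parent is not None else None
    return el.text if el is not None else None


def parse_applocker_event(xml_text):
    """Map one rendered AppLocker event to ArcSight-style field names."""
    root = ET.fromstring(xml_text)
    system = root.find("{%s}System" % EVT_NS)
    if system is None:
        raise ValueError("not a Windows event: missing <System>")
    provider = system.find("{%s}Provider" % EVT_NS)
    if provider is None or provider.get("Name") != "Microsoft-Windows-AppLocker":
        raise ValueError("not an AppLocker event")
    time_created = system.find("{%s}TimeCreated" % EVT_NS)
    data = root.find(".//{%s}RuleAndFileData" % APPLOCKER_NS)
    return {
        "deviceVendor": "Microsoft",
        "deviceProduct": "AppLocker",
        # Prefix from the page; the event-ID suffix is this example's assumption.
        "deviceEventClassId": "Microsoft-Windows-AppLocker:%s" % _text(system, EVT_NS, "EventID"),
        "deviceReceiptTime": time_created.get("SystemTime") if time_created is not None else None,
        # <Computer> is the workstation that logged the event, not the WEF
        # collector the connector reads from; keep it as the reporting device.
        "deviceHostName": _text(system, EVT_NS, "Computer"),
        "deviceEventCategory": _text(system, EVT_NS, "Channel"),
        "destinationUserId": _text(data, APPLOCKER_NS, "TargetUser"),
        "destinationProcessId": _text(data, APPLOCKER_NS, "TargetProcessId"),
        "fileName": _text(data, APPLOCKER_NS, "FilePath"),
        "fileHash": _text(data, APPLOCKER_NS, "FileHash"),
        "deviceCustomString1": _text(data, APPLOCKER_NS, "PolicyName"),
        "deviceCustomString2": _text(data, APPLOCKER_NS, "RuleName"),
    }


def load_categorizer(csv_text):
    """Index categorizer rows: deviceEventClassId -> {categoryX: value}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row.pop("event.deviceEventClassId")
        # "set.event.categoryObject" -> "categoryObject"
        table[key] = {col.split(".")[-1]: val for col, val in row.items()
                      if col.startswith("set.event.")}
    return table


def categorize(event, table):
    """Apply the category columns; an event with no row stays uncategorized
    and is flagged, so a gap in er.csv is visible instead of silently wrong."""
    out = dict(event)
    out.update(table.get(event["deviceEventClassId"], {}))
    out["categorized"] = event["deviceEventClassId"] in table
    return out


def process_forwarded_event(xml_text, csv_text=SAMPLE_ER_CSV):
    """Parse then categorize one forwarded event."""
    return categorize(parse_applocker_event(xml_text), load_categorizer(csv_text))


if __name__ == "__main__":
    for key, value in process_forwarded_event(SAMPLE_EVENT_XML).items():
        print("%-22s %s" % (key, value))
```

The `categorized` flag is the check worth keeping from this: after deploying the real override and er.csv, look for AppLocker events in ESM or Logger whose category fields are empty, since that is the symptom of an event ID the categorizer file does not cover.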

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

