Microsoft AppLocker Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Microsoft AppLocker is an optional security feature that helps organizations control which applications and files users can run, including executables, dynamic-link libraries (DLLs), scripts, installers, and packaged applications. This content pack processes App Control for Business (WDAC) events (8027-8040) that are logged in the AppLocker event channels.

Supported Version(s)

  • Windows 8 or later, though we recommended Windows 10 or 11 or Server 2022+

Hint: Microsoft AppLocker feature availability is highly dependent on the Windows edition and version in use. Please refer to the Microsoft documentation for detailed requirements.

Requirements

  • Graylog 6.0.1+ with a valid Enterprise license

  • Microsoft AppLocker policies must be enabled and rules created via Group Policy or Local Security Policy

Stream Configuration

This technology pack includes 1 stream:

  • Illuminate:Windows AppLocker Event Log Messages

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • Windows AppLocker Event Log Messages

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

The following log delivery agents are supported:

  • Winlogbeat

  • NXLog Enterprise Edition

  • NXLog Community Edition (limited support)

Graylog Sidecar Example Configuration

Please refer to the official documentation to set up Graylog Sidecar.

  1. Create a Beats input for Winlogbeat or a GELF input for NXLog in Graylog. When sending to a Beats input, ensure that the option Do not add Beats type as prefix is disabled.

  2. Create an API access token and a custom configuration for your chosen log delivery agent.

  3. See the following example configuration for Winlogbeat:

    Copy
    # Needed for Graylog
                        fields_under_root: true
                        fields.collector_node_id: ${sidecar.nodeName}
                        fields.gl2_source_collector: ${sidecar.nodeId}

                        output.logstash:
                        hosts: ["${user.graylog_host}:5044"]
                        path:
                        data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat"}\data
                        logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
                        tags:
                        - windows
                        winlogbeat:
                        event_logs:
                        - name: "Microsoft-Windows-AppLocker/EXE and DLL"
                        ignore_older: 24h
                        - name: "Microsoft-Windows-AppLocker/MSI and SCRIPT"
                        ignore_older: 24h
                        - name: "Microsoft-Windows-AppLocker/Packaged app-Deployment"
                        ignore_older: 24h
                        - name: "Microsoft-Windows-AppLocker/Packaged app-Execution"
                        ignore_older: 24h
  4. See the following example configuration for NXLog:

    Copy
    define ROOT C:\Program Files (x86)\nxlog

                        Moduledir %ROOT%\modules
                        CacheDir %ROOT%\data
                        Pidfile %ROOT%\data\nxlog.pid
                        SpoolDir %ROOT%\data
                        LogFile %ROOT%\data\nxlog.log
                        LogLevel INFO

                        <Extension logrotate>
                        Module xm_fileop
                        <Schedule>
                        When @daily
                        Exec file_cycle('%ROOT%\data\nxlog.log', 7);
                        </Schedule>
                        </Extension>

                        <Extension gelfExt>
                        Module xm_gelf
                        # Avoid truncation of the short_message field to 64 characters.
                        ShortMessageLength 65536
                        </Extension>

                        <Input eventlog>
                        Module im_msvistalog
                        PollInterval 1
                        SavePos True
                        ReadFromLast True

                        <QueryXML>
                        <QueryList>
                        <Query Id='1'>
                        <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
                        <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
                        <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
                        <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
                        </Query>
                        </QueryList>
                        </QueryXML>
                        </Input>

                        <Output gelf>
                        Module om_tcp
                        Host ${user.graylog_host}
                        Port 12201
                        OutputType GELF_TCP
                        <Exec>
                        # These fields are needed for Graylog
                        $gl2_source_collector = '${sidecar.nodeId}';
                        $collector_node_id = '${sidecar.nodeName}';
                        </Exec>
                        </Output>

                        <Route route-1>
                        Path eventlog => gelf
                        </Route>
  5. Install Graylog Sidecar on the client host.

  6. Edit the Graylog Sidecar client configuration with your Graylog server API URL and API access token.

Hint: This configuration requires NXLog to be installed in C:\Program Files (x86) xlog and not in the default folder. Also note the NXLog Community Edition does not send the RuleAndFileData XML portion of the event. This suppressed event data contains key fields that are important for effective Microsoft AppLocker activity monitoring. Due to this limitation, we recommend you use NXLog Enterprise or Winlogbeat instead.

What Is Provided

  • Parsing rules to extract Microsoft AppLocker and App Control (WDAC) event logs into schema-compatible fields.

  • GIM detection categorization: hips_detection (301002) for blocked events, detection_message (309999) for audit-mode events.

  • Security Core compliance via stream category assignment and detection GIM codes.

  • Support for event IDs 8000-8025 (AppLocker) and 8027-8040 (App Control / WDAC).

  • Illuminate spotlight highlighting security events and statistics of interest.

Events Processed by This Technology Pack

The Microsoft AppLocker content pack supports the following event IDs. Generic processing is provided for event IDs not listed.

Event IDs

Parsed Fields

Microsoft AppLocker Content Pack

Microsoft AppLocker offers a dashboard with 6 tabs:

Overview

EXE

DLL

MSI

SCRIPT

APPX