Hello everyone!
A very rudimentary question I think, but I haven't been able to find clarification myself. I am still very much getting to grips with the platform, and logging itself, so apologies if it is a really obvious question.
We currently have a small number of pilot machines with Elastic Agent installed and managed via Fleet; these are currently collecting Windows Event logs via the System integration, and this is working fine.
I have been asked to now configure this policy so the following are picked up:
Applications and Services > Microsoft > Windows > AppLocker > EXE and DLL
Applications and Services > Microsoft > Windows > AppLocker > MSI and Script
I assume this would be done via the Custom Windows Event Logs integration; we aren't currently logging anything AppLocker related, so I've installed the integration and done some testing/tinkering with:
Microsoft-Windows-PowerShell/Operational
The first thing I've noticed is that it doesn't work unless I choose the specific channel, i.e. Microsoft-Windows-PowerShell doesn't work but Microsoft-Windows-PowerShell/Operational does.
Is there a way to include multiple channels within the one integration? Or would the practice be to have one integration for Microsoft-Windows-AppLocker/EXE and DLL and one for Microsoft-Windows-AppLocker/MSI and Script?
Secondly, Event IDs have to be specified. We want to collect everything logged, so I did test doing a "*", but this didn't work. Including the specific Event IDs did work, but this is not an ideal solution; I did use what felt like a fairly inelegant solution of 1-100000, which looks to work in capturing all the events logged. What is the best practice here?
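An added example (not part of the original post) of the checks worth running on one of the pilot machines before building the policy: confirm the exact channel names the integration needs, and see which Event IDs the AppLocker channels actually write so the event ID filter can be compared against real data. It assumes an elevated PowerShell session on a machine where AppLocker logging is enabled; the 7-day window is an arbitrary choice.

```powershell
# Constructed example, not the poster's or Elastic's code. Run elevated on a
# pilot machine with AppLocker enabled.

# The Custom Windows Event Logs integration takes a *channel* name. 'Microsoft-Windows-PowerShell'
# is a provider, and the channels it writes to are listed under LogLinks, which is why only the
# '/Operational' form works as a channel name.
Get-WinEvent -ListProvider 'Microsoft-Windows-PowerShell' |
    Select-Object -ExpandProperty LogLinks |
    Select-Object LogName

# Exact names of the AppLocker channels (note the spaces in the names), whether each is
# enabled, and how many records it currently holds.
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' -ErrorAction SilentlyContinue
$channels |
    Select-Object LogName, IsEnabled, RecordCount, LogMode, MaximumSizeInBytes |
    Format-Table -AutoSize

# Event ID distribution per channel over the last 7 days (window is an assumption), so the
# event ID filter configured in the integration can be checked against what is really logged.
$since = (Get-Date).AddDays(-7)
foreach ($c in $channels) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $c.LogName; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    if (-not $events) {
        "{0}: no events in the last 7 days" -f $c.LogName
        continue
    }
    "{0}:" -f $c.LogName
    $events |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}
```

A channel that shows IsEnabled = False or RecordCount = 0 will produce nothing in Kibana regardless of how the integration is configured, so that is the first thing to rule out when a stream looks empty.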