7 changes: 7 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,11 @@
# newer versions go on top

- version: "3.4.1"
changes:
- description: |
Prevent grok failure when pipeline attempts to parse an fqbn signed by a common name only.
type: bugfix
link: https://github.com/elastic/integrations/pull/17188
- version: "3.4.0"
changes:
- description: |
@@ -0,0 +1,185 @@
{
"events": [
{
"@timestamp": "2026-02-01T21:14:05.1298236Z",
"event": {
"code": 8003,
"kind": "event",
"provider": "Microsoft-Windows-AppLocker"
},
"host": {
"name": "hostname"
},
"log": {
"level": "Warning"
},
"message": "%PROGRAMFILES%\\WINDOWSAPPS\\DOLBYLABORATORIES.DOLBYACCESSOEM_3.27.6700.0_X64__RZ1TEBTTYB220\\DAXRPCCLIENT.DLL was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
"winlog": {
"channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"computer_name": "hostname",
"user_data": {
"PolicyNameLength": 3,
"PolicyName": "DLL",
"RuleId": "00000000-0000-0000-0000-000000000000",
"RuleNameLength": 1,
"RuleName": "-",
"RuleSddlLength": 1,
"RuleSddl": "-",
"TargetUser": "S-0-00-0-0000000000-0000000000-0000000000-0000000000",
"TargetProcessId": 14596,
"FilePathLength": 107,
"FilePath": "%PROGRAMFILES%\\WINDOWSAPPS\\DOLBYLABORATORIES.DOLBYACCESSOEM_3.27.6700.0_X64__RZ1TEBTTYB220\\DAXRPCCLIENT.DLL",
"FileHashLength": 32,
"FileHash": "5A726C2818C02A58E423194F56CEF057819F3B4A80E4BE2B724E69AFA4E7A364",
"FqbnLength": 50,
"Fqbn": "CN=58D26209-1D57-482C-B403-B655571B5C7B\\\\\\0.0.0.00",
"TargetLogonId": "0x1a8cca",
"FullFilePathLength": 109,
"FullFilePath": "C:\\Program Files\\WindowsApps\\DolbyLaboratories.DolbyAccessOEM_3.27.6700.0_x64__rz1tebttyb220\\DAXRPCClient.dll"
},
"event_id": "8003",
"level": "Warning",
"opcode": "Info",
"process": {
"pid": 14596,
"thread": {
"id": 4824
}
},
"provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22",
"provider_name": "Microsoft-Windows-AppLocker",
"record_id": 10621268,
"time_created": "2026-02-01T21:14:05.1298236Z",
"user": {
"domain": "DOMAIN",
"identifier": "S-0-00-0-0000000000-0000000000-0000000000-0000000000",
"type": "User",
"name": "username"
},
"version": 0
}
},
{
"@timestamp": "2026-02-01T21:14:05.1298236Z",
"event": {
"code": 8003,
"kind": "event",
"provider": "Microsoft-Windows-AppLocker"
},
"host": {
"name": "hostname"
},
"log": {
"level": "Warning"
},
"message": "%PROGRAMFILES%\\WINDOWSAPPS\\APPUP.INTELARCSOFTWARE_25.50.2012.0_X64__8J3EQ9EME6CTT\\VFS\\PROGRAMFILESX64\\INTEL\\INTEL GRAPHICS SOFTWARE\\INTELGRAPHICSSOFTWARE.SERVICE.API.DLL was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
"winlog": {
"channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"computer_name": "hostname",
"user_data": {
"PolicyNameLength": 3,
"PolicyName": "DLL",
"RuleId": "00000000-0000-0000-0000-000000000000",
"RuleNameLength": 1,
"RuleName": "-",
"RuleSddlLength": 1,
"RuleSddl": "-",
"TargetUser": "S-0-00-0-0000000000-0000000000-0000000000-0000000000",
"TargetProcessId": 12004,
"FilePathLength": 169,
"FilePath": "%PROGRAMFILES%\\WINDOWSAPPS\\APPUP.INTELARCSOFTWARE_25.50.2012.0_X64__8J3EQ9EME6CTT\\VFS\\PROGRAMFILESX64\\INTEL\\INTEL GRAPHICS SOFTWARE\\INTELGRAPHICSSOFTWARE.SERVICE.API.DLL",
"FileHashLength": 32,
"FileHash": "95C4A3C0FF12FB14807398911D9481932D7F9B124FD4A4FA94E5FFDCC8CB70D9",
"FqbnLength": 50,
"Fqbn": "CN=EB51A5DA-0E72-4863-82E4-EA21C1F8DFE3\\INTEL GRAPHICS SOFTWARE\\INTELGRAPHICSSOFTWARE.SERVICE.API.DLL\\25.50.2012.05",
"TargetLogonId": "0x1a8cca",
"FullFilePathLength": 171,
"FullFilePath": "C:\\Program Files\\WindowsApps\\AppUp.IntelArcSoftware_25.50.2012.0_x64__8j3eq9eme6ctt\\VFS\\ProgramFilesX64\\Intel\\Intel Graphics Software\\IntelGraphicsSoftware.Service.API.dll"
},
"event_id": "8003",
"level": "Warning",
"opcode": "Info",
"process": {
"pid": 12004,
"thread": {
"id": 12000
}
},
"provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22",
"provider_name": "Microsoft-Windows-AppLocker",
"record_id": 58191916,
"time_created": "2026-02-01T21:14:05.1298236Z",
"user": {
"domain": "DOMAIN",
"identifier": "S-0-00-0-0000000000-0000000000-0000000000-0000000000",
"type": "User",
"name": "username"
},
"version": 0
}
},
{
"@timestamp": "2026-02-01T21:14:05.1298236Z",
"event": {
"code": 8003,
"kind": "event",
"provider": "Microsoft-Windows-AppLocker"
},
"host": {
"name": "hostname"
},
"user": {
"name": "username",
"id": "S-0-00-0-0000000000-0000000000-0000000000-0000000000"
},
"log": {
"level": "Warning"
},
"message": "%PROGRAMFILES%\\WINDOWSAPPS\\DOLBYLABORATORIES.DOLBYACCESSOEM_3.27.6700.0_X64__RZ1TEBTTYB220\\DOLBYACCESSOEM.DLL was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
"winlog": {
"channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"computer_name": "hostname",
"user_data": {
"FqbnLength": 82,
"FilePath": "%PROGRAMFILES%\\WINDOWSAPPS\\DOLBYLABORATORIES.DOLBYACCESSOEM_3.27.6700.0_X64__RZ1TEBTTYB220\\DOLBYACCESSOEM.DLL",
"FullFilePathLength": 111,
"FullFilePath": "C:\\Program Files\\WindowsApps\\DolbyLaboratories.DolbyAccessOEM_3.27.6700.0_x64__rz1tebttyb220\\DolbyAccessOEM.dll",
"RuleId": "{00000000-0000-0000-0000-000000000000}",
"PolicyNameLength": 16,
"RuleSddl": "-",
"TargetUser": "S-0-00-0-0000000000-0000000000-0000000000-0000000000",
"TargetLogonId": "0x125208",
"FilePathLength": 109,
"TargetProcessId": 6168,
"Fqbn": "CN=58D26209-1D57-482C-B403-B655571B5C7B\\DOLBYACCESSOEM\\DOLBYACCESSOEM.EXE\\1.0.0.00",
"RuleSddlLength": 1,
"FileHashLength": 32,
"FileHash": "1E32EBBE3C60C2AB81C87F00FBDEA45E7C7121BEBC482A95418BE2D655645D20",
"PolicyName": "MANAGEDINSTALLER",
"RuleNameLength": 1,
"RuleName": "-",
"xml_name": "RuleAndFileData"
},
"event_id": "8003",
"level": "Warning",
"opcode": "Info",
"process": {
"pid": 6168,
"thread": {
"id": 10152
}
},
"provider_guid": "cbda4dbf-8d5d-4f69-9578-be14aa540d22",
"provider_name": "Microsoft-Windows-AppLocker",
"record_id": 18250961,
"time_created": "2026-02-01T21:14:05.1298236Z",
"user": {
"identifier": "S-0-00-0-0000000000-0000000000-0000000000-0000000000",
"domain": "DOMAIN",
"type": "User"
},
"version": 0
}
}
]
}
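Review bot: The `FqbnLength` on the second event (the `"FqbnLength": 50` line above the `"Fqbn": "CN=EB51A5DA-…"` entry) is inconsistent with its own `Fqbn` value — 50 is the same length as the first event's CN-only FQBN, while the second event's string is 115 characters by my count; the first and third events' lengths do match their strings. The pipeline test most likely does not validate the `*Length` fields, so this will not fail a test, but this fixture is also the reference sample for the grok change the changelog describes, and a copy-pasted length undercuts that; `"FqbnLength": 115,` would restore consistency. The first event's `Fqbn` with three consecutive backslashes is the CN-only case the changelog names, so the coverage for that path looks right. The page does not show this file's path, so I cannot tell whether it is a pipeline test input or a sample event file.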