Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How To Collect Logs for Active Directory Policy Mapping Troubleshooting

App Control: How To Collect Logs for Active Directory Policy Mapping Troubleshooting

Environment

  • App Control: 7.x - 8.x
  • Microsoft Windows Server: All Supported Versions

Objective

To collect logs for Active Directory policy mapping troubleshooting.

Resolution

  1. Login to the Cb Protection console.
  2. Navigate to Rules > Policies > Mappings tab.
  3. Take a screenshot of this page.
  4. Navigate to C:\Program Files\Bit9\Parity Server\scripts\ and edit ScriptEvents.vbs (line 111) (NOTE: This step does NOT apply to 8.1 P2 and higher)
    Comment out that line like: 
    'debugLevel = Args.ScriptDebugLevel 
    and add a new line: 
    debugLevel = 6 
  5. Go to shepherd_config.php page, set "DebugConsoleCommunication" to true and "Debug Level" and "Script Debug Level" to 7.
  6. Browse to https://CbProtectionServerName/support.php.
  7. Under "Diagnostics tab - Server Logging" Set the Logging Duration to 30 minutes.
  8. Click Start Logging.
  9. Browse to https://CbProtectionServerName/testrules.php.
  10. Enter the test user name or test machine name.
  11. Click "Run Test".
  12. Take a screenshot of the result.
  13. Login to the Cb Protection Server (as the service account).
  14. Open an administrative command prompt (Use Run as > Service account)
  15. Run command:
    cscript /U /nologo "C:\Program Files (x86)\Bit9\Parity Server\scripts\TestRules.vbs" -d 6 EnterTestUserNameOrComputerNameHere >> c:\temp\output.txt
  16. Browse to https://CbProtectionServerName/support.php
  17. Click "Stop Logging"
  18. In the right hand pane click "Available Log Files"
  19. Download a copy of the new serverlog{datetime}.bt9.
  20. Navigate to C:\Program Files (x86)\Bit9\Parity Server\scripts.
  21. Collect a copy of adrules.xml.
  22. Navigate to C:\Program Files\Bit9\Parity Server\scripts\ and edit ScriptEvents.vbs (line 111)  (NOTE: This step does NOT apply to 8.1 P2 and higher)
    Uncomment out that line like: 
    'debugLevel = Args.ScriptDebugLevel 
    And comment the following line: 
    debugLevel = 6 
  23. Go to shepherd_config.php page, set "DebugConsoleCommunication" to false and "Debug Level" and "Script Debug Level" to 0.
  24. If the AD mapping is based on user’s AD membership:
    1. On a test machine, open an admin command prompt
    2. Run command:
      net user EnterTestUsernameHere /domain
    3. Screenshot the result
  25. If the AD mapping is based on machine’s OU:
    1. In the Cb Protection console, browse to Assets > Computers > select the test computer
    2. Click on AD Details tab and take a screenshot of the result.
  26. Files to send to Carbon Black:
    • Screenshots (step 3, 12, 22 or 23)
    • Output.txt file (step 15)
    • serverlog{datetime}.bt9 (step 19)
    • adrules.xml (step 21)

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎09-18-2018
Views:
1936