LPM Custom SecureRun message - add variables for Cert details

What is a one sentence summary of your feature request?

Add Cert Publisher/Subject variable for custom message

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Include the Cert Publisher/Subject in the variable for the custom SecureRun message. This information is available in both the Event Viewer and the Operational.log. But I’ve been unable to find a variable that matches for the custom SecureRun message. This adds considerable time to resolving simple problems for executables that have already been cleared but have had a cert change in the interim. It would also speed up new clearance requests since nearly all of our LPM clearances are based on Cert Subject.

How do you currently solve the challenges you have by not having this feature?

One of the following:

  1. I download the file and check the cert
  2. Help Desk gets the file from the user so I can check the cert
  3. I wait until the Event from the user gets forwarded to our Event Viewer collector

All of these are either intrusive or time-wasters. Adding a variable in the SecureRun message would streamline our operations, reduce user frustration, and add value to PolicyPak.

Upload any supporting images that you think should be considered in this idea.

Holly, have you tried this setting?

Yes. Here’s the snippet from my custom message:

  • Publisher and Product: %PROCESS_EXECUTABLE_PUBLISHER% / %PROCESS_EXECUTABLE_DISPLAY_NAME%

And in my example (TurboTax), that returns this:

  • Publisher and Product: INTUIT INC. / Windows_PC_TurboTax_Download.exe

But Event Viewer shows this (emphasis added):

Process Path: C:\Users\hnewman\Downloads\Windows_PC_TurboTax_Download.exe
Command Line: “C:\Users\hnewman\Downloads\Windows_PC_TurboTax_Download.exe”
Process Id: 47428, Parent Id: 16296
Executable Path: C:\Users\hnewman\Downloads\Windows_PC_TurboTax_Download.exe
Executable Hash (SHA256): A9D49971ECDCA7957D2E9655704E66E0F769C8A78CF5318F57CEA429C7AC9FD2
Executable Original Name: N/A, Executable Version: N/A
Product Name: N/A, Product Version: N/A
Publisher: CN=INTUIT INC.,O=INTUIT INC.,L=San Diego,S=California,C=US
Owner SID: S-1-5-21-2399015877-3550091796-1075212780-3412, Owner Name: JFE-AD\HNEWMAN
User Name: JFE-AD\HNEWMAN

Holly — thanks for pointing this out. It looks like you’re right. The variable displayed in DN format is not currently included in the list (which we should address and fix). However, it is supported by the CSE and can be added manually.

If DN is what you’re looking for, you can manually use %PROCESS_EXECUTABLE_CERTIFICATE_SUBJECT%. It should behave as expected. See the example below:

Thanks! Here is my new Custom Message based on your feedback:

  • File and Version: %PROCESS_EXECUTABLE_PATH% / %PROCESS_EXECUTABLE_VERSION%
  • Process/command line: %PROCESS_COMMAND_LINE%
  • Parent process/command line: %PARENT_COMMAND_LINE%
  • Publisher Cert: %PROCESS_EXECUTABLE_CERTIFICATE_SUBJECT%
  • User ID and Computer Name: %USERNAME% / %COMPUTERNAME%

And here is the result based on my sample:

  • File and Version: C:\Users\hnewman\Downloads\Windows_PC_TurboTax_Download.exe / (Unknown)
  • Process/command line: “C:\Users\hnewman\Downloads\Windows_PC_TurboTax_Download.exe”
  • Parent process/command line: C:\WINDOWS\Explorer.EXE
  • Publisher Cert: CN=INTUIT INC.,O=INTUIT INC.,L=San Diego,S=California,C=US
  • User ID and Computer Name: HNEWMAN / HNEWMAN-7450A

This is going to be a huge time-saver!
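
Added example, not part of the thread and not PolicyPak code: once the SecureRun message carries the certificate subject in DN form, a help desk script can compare it with the subject recorded when the executable was cleared and show which attribute changed. `CURRENT_SUBJECT` is the DN quoted in the thread; `CLEARED_SUBJECT` and all function names are constructed for illustration.

```python
from collections import defaultdict

# Windows renders stateOrProvinceName as S=, OpenSSL as ST=; treat them as one key.
ALIASES = {"ST": "S"}

# DN from the thread's SecureRun message.
CURRENT_SUBJECT = "CN=INTUIT INC.,O=INTUIT INC.,L=San Diego,S=California,C=US"
# Constructed earlier clearance record (hypothetical, not a real certificate).
CLEARED_SUBJECT = 'CN="INTUIT, INC.", O="INTUIT, INC.", L=Mountain View, ST=California, C=US'

def split_rdns(dn):
    """Split on commas that are neither inside quotes nor backslash-escaped."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_dn(dn):
    """Return {attribute: [values]}; lists keep repeated attributes such as OU."""
    fields = defaultdict(list)
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        key = key.strip().upper()
        fields[ALIASES.get(key, key)].append(value.strip())
    return dict(fields)

def subject_changes(cleared_dn, current_dn):
    """Map each differing attribute to (cleared values, current values)."""
    old, new = parse_dn(cleared_dn), parse_dn(current_dn)
    return {k: (old.get(k, []), new.get(k, []))
            for k in sorted(set(old) | set(new))
            if old.get(k, []) != new.get(k, [])}

if __name__ == "__main__":
    for attr, (was, now) in subject_changes(CLEARED_SUBJECT, CURRENT_SUBJECT).items():
        print(f"{attr}: cleared={was} current={now}")
```

An empty result means the subject in the message matches the clearance record exactly, so a block on that executable points to something other than the certificate subject.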