Introduced in Windows 7 Enterprise Edition, AppLocker is a Windows mechanism for allowing or blocking known applications by path, publisher or file hash via Group Policy. Administrators can either prevent the matching resources from executing (Enforce rules mode) or only record what would have been blocked (Audit only mode).
Monitoring these events regularly lets you quickly detect and respond to attempts to bypass the restrictions, identify unauthorized software installations and verify compliance with organizational policy. The same logs are also valuable for auditing and forensics, giving insight into user behavior and application usage across the domain.
Microsoft's guide to administering AppLocker via Group Policy in your environment
• Open the EventSentry Management Console
• Expand Packages -> Event Logs -> Database Consolidation
• Select Consolidate Non-Security Events
• Click Custom Event Logs tab
• Use the + button on the right side to include all Microsoft-Windows-AppLocker event logs
• Save & Push Configuration
• Open the EventSentry Web Reports
• Navigate to Features -> Event Log
• Search for source:Microsoft-Windows-AppLocker
• Click Detailed tab
In the EventSentry Management Console, create an include filter that matches the following:
Custom Event Logs: Microsoft-Windows-AppLocker/EXE and DLL
Event Severity: Error
Event ID: 8004
Enforce rules
| Event ID | Type | Message | Context |
|---|---|---|---|
| 8004 | Error | {File name} was not allowed to run. | The .exe or .dll file cannot run and has been blocked. |
| 8007 | Error | {File name} was not allowed to run. | The script or .msi file cannot run and has been blocked. |
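Before relying on the EventSentry filter above, it is worth confirming on an endpoint that enforce-mode blocks are actually being written. The following PowerShell is an added example (not EventSentry's or Microsoft's own code) that queries both AppLocker logs for 8004 and 8007 and groups the blocked files per user; it assumes the MSI/Script log is named `Microsoft-Windows-AppLocker/MSI and Script` and that the event XML carries `FilePath` and `TargetUser` elements.

```powershell
# Added example (not EventSentry's or Microsoft's own code).
# Assumption: the MSI/Script log is named 'Microsoft-Windows-AppLocker/MSI and Script'
# and AppLocker block events carry <FilePath> and <TargetUser> elements in their XML.
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',    # 8004 blocks
    'Microsoft-Windows-AppLocker/MSI and Script'  # 8007 blocks
)

function Get-AppLockerBlock {
    param([string[]]$LogName, [int]$Hours = 24)
    $filter = @{
        LogName   = $LogName
        Id        = 8004, 8007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        $xml = [xml]$evt.ToXml()
        # local-name() lookups avoid having to bind the event schema namespace
        $path = $xml.SelectSingleNode("//*[local-name()='FilePath']")
        $user = $xml.SelectSingleNode("//*[local-name()='TargetUser']")
        [pscustomobject]@{
            Time     = $evt.TimeCreated
            Log      = $evt.LogName
            Id       = $evt.Id
            User     = if ($user) { $user.InnerText } else { '<unknown>' }
            FilePath = if ($path) { $path.InnerText } else { '<unknown>' }
        }
    }
}

$blocks = Get-AppLockerBlock -LogName $logs -Hours 24

# Which files are blocked most often, and for whom? Repeated blocks of the same
# file by one user usually mean a missing rule or a user working around policy.
$blocks |
    Group-Object FilePath, User |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='FilePath'; e={ $_.Group[0].FilePath }},
                         @{n='User';     e={ $_.Group[0].User }},
                         @{n='Log';      e={ $_.Group[0].Log }} |
    Format-Table -AutoSize
```

Run it in an elevated session on a machine where AppLocker is in Enforce rules mode; an empty result over a window in which you expect blocks means the policy or the log channel needs attention before consolidation will show anything.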