Applocker is a very important tool that system administrators to protect against malware and unauthorized applications from running on systems. This is especially useful to protect against malware such as crytolocker. While Applocker is very easy to implement, it lacks some of the reporting and alerting that administrators need to successfully respond to false positives such as business critical applications. By itself applocker does not have the ability to produce the statistics that are critical to justify the extra security measures (showing the number of non-authorized exe’s blocked). SCOM fills in the gap by offering a very powerful tool that is designed to alert and report applocker blocks / warnings for systems.
Building out the monitoring:
- Click on Authoring -> Management Pack Objects -> Rules. Right click on the rules and click Create a new Rule.
- It is considered best practice to create a new management pack instead of adding to the default one. Click new management Pack.
- For the name enter ApplockerAlerts and enter in a description and click next.
- If desired a detailed knowledge based can be entered. Since this is mostly an administrative alert, we will not enter one and click create.
- Expand Event Based and select NT Event Log (Alert).
- For the name enter Applocker Alerts, and for the target either target a specific group or all Windows computers can be targeted.
- For the log name enter Microsoft-Windows-Applocker/EXE and DLL
- For the Event ID use 8003 for warnings or 8004 for exes that were not allowed to run more information on specific events can be found (http://technet.microsoft.com/en-us/library/ee844150.aspx )
- Use the default values and click create.
- Give SCOM a few minutes and this alert will be working.