Applocker: Using System Center Operations Manager (SCOM) for alerting and reporting

Overview:

AppLocker is a very important tool that system administrators use to protect against malware and unauthorized applications running on their systems. This is especially useful against malware such as CryptoLocker. While AppLocker is very easy to implement, it lacks some of the reporting and alerting that administrators need in order to respond to false positives such as blocked business-critical applications. By itself, AppLocker cannot produce the statistics needed to justify the extra security measures (for example, the number of non-authorized executables blocked). SCOM fills this gap: it is a very powerful tool that can alert on and report AppLocker blocks and warnings across systems.

Building out the monitoring:

  1. Click Authoring -> Management Pack Objects -> Rules. Right-click Rules and click Create a new Rule.
  2. It is considered best practice to create a new management pack instead of adding to the default one. Click New Management Pack.
  3. For the name enter ApplockerAlerts, enter a description, and click Next.
  4. If desired, a detailed knowledge base article can be entered. Since this is mostly an administrative alert, we will not enter one; click Create.
  5. Expand Event Based and select NT Event Log (Alert).
  6. For the name enter Applocker Alerts. For the target, either target a specific group or target all Windows computers.
  7. For the log name enter Microsoft-Windows-AppLocker/EXE and DLL.
  8. For the Event ID use 8003 for warnings or 8004 for executables that were not allowed to run. More information on the specific events can be found at http://technet.microsoft.com/en-us/library/ee844150.aspx
  9. Use the default values and click Create.
  10. Give SCOM a few minutes and this alert will be working.
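The SCOM rule above fires one alert per event; the numbers the overview says AppLocker cannot produce on its own (how many executables were blocked, by whom, and which ones) can be pulled from the same log and the same event IDs. The following PowerShell script is an added example, not part of the original post or of SCOM; it assumes a Windows host with AppLocker EXE/DLL logging enabled and an account that can read that log, and the `-Hours` and `-ComputerName` parameters are the example's own.

```powershell
# Added example: summarize AppLocker events 8003/8004 from the
# "Microsoft-Windows-AppLocker/EXE and DLL" log over the last N hours.
# Assumption: run as local admin (or Event Log Readers) on a host where
# AppLocker logging is enabled; the parameter names below are this example's own.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004   # 8003 = audit-only warning (would have been blocked), 8004 = blocked
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent errors instead of returning an empty set when nothing matches.
    if ($_.Exception.Message -like 'No events were found*') { $events = @() } else { throw }
}

# Read the structured UserData fields from the event XML rather than parsing the message text.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $x.Event.UserData.RuleAndFileData.ChildNodes) { $data[$node.Name] = $node.InnerText }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Action   = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditWarned' }
        User     = $data['TargetUser']     # a SID; resolve with SecurityIdentifier.Translate() if needed
        FilePath = $data['FilePath']
        FileHash = $data['FileHash']
        Policy   = $data['PolicyName']     # e.g. EXE or DLL
    }
}

# Headline statistics for the justification report.
$blocked = @($rows | Where-Object Action -eq 'Blocked').Count
$warned  = @($rows | Where-Object Action -eq 'AuditWarned').Count
"{0} blocked, {1} audit-warned in the last {2}h on {3}" -f $blocked, $warned, $Hours, $ComputerName

# Top offenders: which binaries and which users trip the policy most often.
# A business-critical application near the top of this list is a false positive to review.
$rows | Group-Object FilePath | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
$rows | Group-Object User     | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```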
