Modify configuration rules using Event Viewer
The Event Viewer runs in a separate window from the Application Control console. This enables users to drag (or copy and paste) items from Event Viewer to the console and immediately modify or create the rules required.
Events listed can be dragged and dropped or copied and pasted to create File Path, File Name, Folder or File Hash Rule Items for the following:
- Rule Collections
- Rule Sets > Executable Control > Allowed/Denied
- Rule Sets > Privilege Management > Applications/Self-Elevation
Using query results to modify configuration rules
- Run a query in Event Viewer.
- Open the Application Control console.
- In the Configuration navigation pane, expand Rules and select the configuration rule required.
- In the Event Viewer dialog, select the event required and either copy or drag the item to the configuration dialog. You can select and add multiple events.
- Select the required rule type from the Select Rule Item Type dialog:
  - File Path: Copies the full path of the file from the event ID. Applies to file rules.
  - File Name: Copies the file name from the event ID. Applies to file rules.
  - Folder: Copies the folder name and path from the event ID. Applies to folder rules.
  - File Hash: Copies the file hash from the event ID. Applies to signature rules.
- The rule item is added to the configuration immediately.
If the item added is a file or folder you can view and edit its properties and metadata to ensure integrity. Double-click the newly added item to open the Edit dialog, or right-click the item and select Edit.
By default, metadata is not enabled for items added via Event Viewer. Select the Metadata tab in the Edit dialog and select the checkbox(es) for the data required. The relevant data is displayed immediately. For further information, refer to Metadata.
Add an allowed item
Using Event Viewer, you identify a recurring event of a file that has been allowed by many users and you want to make it available to all users:
- Open the Application Control console, and in the Configuration navigation pane, select Everyone > Allowed Items.
- In the Event Viewer dialog, select the event required. Either copy or drag the item to the Configuration dialog.
- For this example, choose File Path in the Select Rule Item Type dialog. The rule item is added.
Add application-specific user privilege
You run an Event Viewer query using the Privilege Discovery view, and the returned results show a high number of Application started elevated events (ID 9062) for a specific Microsoft application. You decide to change user privileges accordingly.
- Open the Application Control console. In the Configuration navigation pane, select Everyone > User Privileges, and select the Applications tab.
- In the Event Viewer dialog, select the required event. Either copy or drag the item to the Applications tab of the configuration.
- In the Select Rule Item Type dialog, choose File Name for this example, or Folder Name to specify a file at a particular location. The rule item is added.
- Double-click the item. In the Edit dialog, select the Metadata tab.
- Select the checkboxes next to Product Name and Vendor to display their values immediately.
- With the Product Name and Vendor fields enabled, only an application with matching metadata values will run. Any other, similarly named file will be blocked.
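The following Python model illustrates the difference between the four rule item types listed under "Using query results to modify configuration rules" and the effect of enabling Product Name and Vendor metadata in this example. It is an added example written for this page, not Application Control's own code or its rule format: the FileEvent and RuleItem classes, the assumption that a Folder item covers subfolders, and the three sample files are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence


# Constructed stand-in for what an Event Viewer entry carries about a launched file:
# full path, file bytes (so a hash can be computed) and its embedded version metadata.
@dataclass(frozen=True)
class FileEvent:
    path: str
    content: bytes
    product_name: Optional[str] = None
    vendor: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    @property
    def file_name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def folder(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower() + "\\"


@dataclass(frozen=True)
class RuleItem:
    kind: str                           # "File Path", "File Name", "Folder" or "File Hash"
    value: str
    product_name: Optional[str] = None  # None = metadata checkbox not selected
    vendor: Optional[str] = None

    def matches(self, ev: FileEvent) -> bool:
        if self.kind == "File Path":
            hit = ev.path.lower() == self.value.lower()
        elif self.kind == "File Name":
            hit = ev.file_name == self.value.lower()
        elif self.kind == "Folder":
            # Assumption of this model: a Folder item covers the folder and its subfolders.
            hit = ev.folder.startswith(self.value.lower().rstrip("\\") + "\\")
        elif self.kind == "File Hash":
            hit = ev.sha256 == self.value.lower()
        else:
            raise ValueError(f"unknown rule item type: {self.kind}")
        if not hit:
            return False
        # Enabled metadata fields must also match: a same-named file whose Product Name
        # or Vendor differs is rejected even though the name matched.
        if self.product_name is not None and ev.product_name != self.product_name:
            return False
        if self.vendor is not None and ev.vendor != self.vendor:
            return False
        return True


def rule_item_from_event(ev: FileEvent, kind: str, with_metadata: bool = False) -> RuleItem:
    """Derive a rule item from an event, as the Select Rule Item Type dialog does."""
    value = {
        "File Path": ev.path,
        "File Name": ev.file_name,
        "Folder": ev.folder,
        "File Hash": ev.sha256,
    }[kind]
    if with_metadata:
        return RuleItem(kind, value, ev.product_name, ev.vendor)
    return RuleItem(kind, value)


def is_allowed(allowed_items: Sequence[RuleItem], ev: FileEvent) -> bool:
    return any(item.matches(ev) for item in allowed_items)


# Constructed sample events: the genuine tool, a same-named file dropped elsewhere,
# and a later update of the genuine tool (different bytes, same path and metadata).
GENUINE = FileEvent(r"C:\Program Files\Contoso\tool.exe", b"genuine v1",
                    product_name="Contoso Tool", vendor="Contoso Ltd")
LOOKALIKE = FileEvent(r"C:\Users\alice\Downloads\tool.exe", b"not the same program",
                      product_name="tool", vendor=None)
UPDATED = FileEvent(r"C:\Program Files\Contoso\tool.exe", b"genuine v2",
                    product_name="Contoso Tool", vendor="Contoso Ltd")


def compare_rule_types() -> dict:
    """For each rule item built from GENUINE: (allows genuine, allows lookalike, allows update)."""
    variants = {
        "File Name": rule_item_from_event(GENUINE, "File Name"),
        "File Name + metadata": rule_item_from_event(GENUINE, "File Name", with_metadata=True),
        "File Path": rule_item_from_event(GENUINE, "File Path"),
        "Folder": rule_item_from_event(GENUINE, "Folder"),
        "File Hash": rule_item_from_event(GENUINE, "File Hash"),
    }
    return {label: tuple(is_allowed([item], ev) for ev in (GENUINE, LOOKALIKE, UPDATED))
            for label, item in variants.items()}


if __name__ == "__main__":
    for label, (g, l, u) in compare_rule_types().items():
        print(f"{label:22} genuine={g} lookalike={l} updated={u}")
```

Running it shows the trade-off the procedure above relies on: a bare File Name item allows the lookalike in the Downloads folder, the same item with Product Name and Vendor enabled allows only the genuine binary (and still allows its update), while a File Hash item is the strictest but stops matching as soon as the file is patched and must be re-created from a new event.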