Security Controls

Event Viewer

In this section:

View Queries

Included Event Types

Filters

Search

Results

Watch a related video (10:12)

To launch the Events dialog navigate to the View menu and select Application Control Events. Alternatively, you can select View Events from the Application Control Configuration Editor.

Event data will be gathered when the machines check in at intervals specified in the Agent Policy General Settings, if you want to retrieve the data before this check in has happened go to View > Machines > highlight the machines and right-click, select Application Control > Retrieve Events and that runs the job immediately.

The View Events dialog displays all the Application Control Events as set up in Application Control Configuration Editor > Events > Selection/Filtering.

Use this view to run queries on specific raised auditing events for Application Control.

View Queries

You can query on the following predefined events or create custom queries:

All event types

Denied Executables

Allowed Executables

Self Authorization

Privilege Management

Privilege Discovery

Self Elevation

Browser Control

Run Query - Select to run the query. If the View, Filters or Included Event Types are changed you must re-run the query to update the results.

Once you have run the query you can tailor the view to group, filter or sort the events and the results can be exported in CSV format.

There are several ways to customize the view:

Apply filters to search for events.

Use the Search to display only those events that match your search criteria.

Reorder the columns by clicking and dragging the column headers to new locations.

Click within a column header to sort the column in ascending or descending order.

Apply more advanced filters to one or more column headers. Hover over a column header and then click the filter icon located in the upper-right corner.

Save - Select to save any changes you have made to a custom query.

Save As - You must first have selected Run Query to activate the Save As option. Select to save the results as a new custom query, enter a name for the query and this will then appear in the View drop down list.

Manage - Select to display the list of all custom queries, where you can select to rename or delete a query.

Included Event Types

The available Event Types depend upon which View is selected.

A full list of events for Application Control can be found here: Available Events.

If you select a custom view you can select which events are included, select Change to display the selection dialog.

Remember if you have changed which event types are included you need to Run Query again.

Filters

You can modify the query using the following:

Time Range - select from a preset time range: 10 Minutes, Hour, 6 Hours, 24 Hours, Week or Month. You also have the option to create a custom time period.

User - display only events raised for the specified user.

Machine - display only events raised from the specified machine name or client name.

Summary Only - only applicable for the Denied Executables and Allowed Executables Views. If selected, the results are grouped on file path and event id.

Remember to Run Query again if you update any of the Filters.

Search

To initiate a search type the text you want to find and then click Find. Only those events matching the search criteria display; all other events are hidden.

If the Search field is not visible, right-click on a column header in the Results view and select Show Find Panel from the context menu.

Results

The query results display in the bottom panel when you select Run Query.

Events listed can be dragged and dropped or copied and pasted to create File Path, File Name, Folder or File Hash Rule Items for the following:

Rule Collections > Executable Control/Privilege Management

Rule Sets > Executable Control > Allowed/Denied

Rule Sets > Privilege Management > Applications/Self-Elevation

Export Data- Select to export the current view in CSV format, you can select to export with only the current selected columns, or with all columns.

Show Filter Editor- Select to add filters to the query results.

Choose Columns- Select to customize which columns display in the query results.

Results Context Menu

Right-click within a column header to display the context menu where you can select to perform a number of additional actions.

Related Topics

Application Control Events

Database Maintenance


Was this article useful?