Why use Events?

Issue 1: A company is using restricted mode and a support call comes in from a user reporting that an application is blocked that shouldn't be. After validating that the application should not be blocked, the IT admin looks at the events from that user over the time period in which they reported the issue. After finding the event (and possibly related events, e.g. DLLs) they want to update their configuration to allow the application, save it and push it out.

Issue 2: A company starts using AC and pushes out a configuration (in audit-only mode) to a cross section of company endpoints to capture events. A week or so later the IT admin looks at the events to see which applications would have been blocked. They examine the one that affects the most users first and decide that it shouldn't be blocked, then update their configuration to make that happen. They then look at the application that affects the second-highest number of users and repeat. At some point they save the updated configuration and push it out to gather more data, then repeat the process until they are satisfied that all applications in the cross section are correctly blocked. They then repeat this process with progressively larger sets of company endpoints until the whole company is covered and they can consider moving to self authorized or restricted mode.

Solution:

  1. Launch the Event Viewer.
  2. Set query criteria and Run Query.
  3. Filter and Sort the results.
  4. Open the configuration.
  5. Navigate to Rule Sets.
  6. Create a new rule item in Allowed items populated with data from a particular event.
  7. Edit Rule as required.
  8. Optionally repeat steps 2, 3, 5, 6 and 7 as many times as needed (Issue 2 only).
  9. Save and deploy the configuration.
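The audit-mode triage loop from Issue 2 (steps 2 to 7), as an added Python example that is not part of this page or of the Application Control product: it ranks the applications that would have been blocked by the number of distinct users affected, turns only the ones an admin has validated into allowed-item rules, and reports what would still be blocked afterwards. The event field names, the `would_block` action value and the rule shape are assumptions, since the page does not show the event schema.

```python
from collections import defaultdict

# Constructed audit-mode events. Field names are hypothetical: the real
# Application Control event schema is not shown on this page.
AUDIT_EVENTS = [
    {"user": "alice", "path": r"C:\Tools\putty.exe",      "action": "would_block"},
    {"user": "bob",   "path": r"C:\Tools\putty.exe",      "action": "would_block"},
    {"user": "carol", "path": r"C:\Tools\putty.exe",      "action": "would_block"},
    {"user": "bob",   "path": r"C:\Tools\putty.exe",      "action": "would_block"},  # same user again
    {"user": "alice", "path": r"C:\Tools\7z.exe",         "action": "would_block"},
    {"user": "bob",   "path": r"C:\Tools\7z.exe",         "action": "would_block"},
    {"user": "dave",  "path": r"C:\Temp\unknown.exe",     "action": "would_block"},
    {"user": "alice", "path": r"C:\Windows\notepad.exe",  "action": "allowed"},
]


def rank_blocked_apps(events):
    """Step 3: rank apps that would have been blocked by the number of distinct
    users affected, most-affected first (ties broken by path for stable output).
    Counting distinct users, not raw events, stops one noisy user dominating."""
    users_by_app = defaultdict(set)
    for ev in events:
        if ev["action"] == "would_block":
            users_by_app[ev["path"]].add(ev["user"])
    return sorted(((path, len(users)) for path, users in users_by_app.items()),
                  key=lambda item: (-item[1], item[0]))


def allow_rules_for(ranked, validated):
    """Step 6: only apps the admin has validated become allowed-item rules;
    anything not validated stays blocked (hypothetical rule shape)."""
    return [{"type": "allowed_item", "path": path}
            for path, _ in ranked if path in validated]


def triage_round(events, validated):
    """One pass of the Issue 2 loop: build rules for the validated apps and
    return them together with the ranking of what would still be blocked."""
    rules = allow_rules_for(rank_blocked_apps(events), validated)
    allowed = {rule["path"] for rule in rules}
    remaining = rank_blocked_apps([ev for ev in events if ev["path"] not in allowed])
    return rules, remaining
```

The admin repeats `triage_round` with a growing `validated` set until `remaining` contains only applications that should stay blocked, then saves and deploys (step 9).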

Your next step

Read more about Application Control Events

How to set up event capture

Event retrieval