Event Viewer
To launch the Events dialog, navigate to the View menu and select Application Control Events. Alternatively, select View Events from the Application Control Configuration Editor.
Event data is gathered when the machines check in, at the intervals specified in the Agent Policy General Settings. If you want to retrieve the data before the next check-in, go to View > Machines, highlight the machines, right-click and select Application Control > Retrieve Events; this runs the job immediately.
The View Events dialog displays all the Application Control Events as set up in Application Control Configuration Editor > Events > Selection/Filtering.
Use this view to run queries on the auditing events raised by Application Control.
View Queries
You can query on the following predefined events or create custom queries:
- All event types
- Denied Executables
- Allowed Executables
- Self Authorization
- Privilege Management
- Privilege Discovery
- Self Elevation
- Browser Control
Run Query - Select to run the query. If the View, Filters or Included Event Types are changed, you must re-run the query to update the results.
Once you have run the query, you can tailor the view to group, filter or sort the events, and the results can be exported in CSV format.
There are several ways to customize the view:
- Apply filters to search for events.
- Use the Search to display only those events that match your search criteria.
- Reorder the columns by clicking and dragging the column headers to new locations.
- Click within a column header to sort the column in ascending or descending order.
- Apply more advanced filters to one or more column headers. Hover over a column header and then click the filter icon located in the upper-right corner.
Save - Select to save any changes you have made to a custom query.
Save As - Run Query must have been selected before the Save As option becomes active. Select to save the results as a new custom query; enter a name for the query and it will then appear in the View drop-down list.
Manage - Select to display the list of all custom queries, where you can select to rename or delete a query.
Included Event Types
The available Event Types depend upon which View is selected.
A full list of events for Application Control can be found here: Available Events.
If you select a custom view, you can choose which events are included: select Change to display the selection dialog.
Remember if you have changed which event types are included you need to Run Query again.
Filters
You can modify the query using the following:
- Time Range - select from a preset time range: 10 Minutes, Hour, 6 Hours, 24 Hours, Week or Month. You also have the option to create a custom time period.
- User - display only events raised for the specified user.
- Machine - display only events raised from the specified machine name or client name.
- Summary Only - only applicable for the Denied Executables and Allowed Executables Views. If selected, the results are grouped on file path and event id.
Remember to Run Query again if you update any of the Filters.
Search
To initiate a search type the text you want to find and then click Find. Only those events matching the search criteria display; all other events are hidden.
- The Search tool works only on the information currently visible. You can right-click on the column headers to add or remove columns to be searched.
- If a filter is applied, only events matching both the search criteria and the filter criteria are displayed.
- All partial matches are displayed.
- The search is not case sensitive.
- The use of wildcards is not allowed.
- To clear the search criteria, click the icon located on the right side of the search box.
If the Search field is not visible, right-click on a column header in the Results view and select Show Find Panel from the context menu.
Results
The query results display in the bottom panel when you select Run Query.
Events listed can be dragged and dropped or copied and pasted to create File Path, File Name, Folder or File Hash Rule Items for the following:
- Rule Collections
- Rule Sets > Executable Control > Allowed/Denied
- Rule Sets > Privilege Management > Applications/Self-Elevation
To create rule items from events:
- Navigate to the location in the Application Control Configuration Editor where you want to create the rule item. For example, Rule Sets > Everyone > Executable Control > Allowed.
- In the Event Viewer dialog, select the required event(s) and either copy them or drag them to the Allowed dialog.
- Drop or paste to display the Select Rule Item Type dialog.
- Select the type of item(s) you want to create: file path, file name, folder or file hash.
- The rule item(s) are added.
Export Data - Select to export the current view in CSV format. You can choose to export only the currently selected columns, or all columns.
Show Filter Editor - Select to add filters to the query results.
Choose Columns - Select to customize which columns display in the query results.
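An exported CSV can be triaged offline with a short script, which is useful when a query returns more Denied Executables events than are comfortable to read in the grid. The following is an added example, not part of this documentation or of Application Control itself: it reads a constructed export (the column names and event ids are assumptions for the example; check them against a real export), applies the same Time Range, User and Machine filters as the viewer, runs a search with the semantics described above (partial match, case-insensitive, no wildcards, only over the chosen columns), and reproduces the Summary Only grouping on file path and event id.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an exported event list. Column names and event ids are
# assumptions for this example, not Application Control's real export layout.
SAMPLE_CSV = r"""Time,Event Id,Event Type,User,Machine,File Path,File Hash
2024-03-01 09:00:12,9000,Denied Executables,CORP\alice,WS-001,C:\Users\alice\Downloads\setup.exe,aaaa1111
2024-03-01 09:05:40,9000,Denied Executables,CORP\alice,WS-001,C:\Users\alice\Downloads\setup.exe,aaaa1111
2024-03-01 09:07:03,9000,Denied Executables,CORP\bob,WS-002,C:\Users\bob\AppData\Local\Temp\tool.exe,bbbb2222
2024-03-01 10:15:00,9001,Allowed Executables,CORP\bob,WS-002,C:\Windows\System32\notepad.exe,cccc3333
2024-03-02 08:30:00,9000,Denied Executables,CORP\carol,WS-003,C:\Users\carol\Downloads\Setup.exe,dddd4444
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_time(text):
    """Parse the timestamp format used in the sample export."""
    return datetime.strptime(text, TIME_FORMAT)


def parse_events(csv_text):
    """Read the export into a list of dicts, converting Time to a datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Time"] = parse_time(row["Time"])
        events.append(row)
    return events


def select_event_type(events, event_type):
    """Keep only one event type, as the Included Event Types selection does."""
    return [e for e in events if e["Event Type"] == event_type]


def filter_events(events, since=None, until=None, user=None, machine=None):
    """Mirror the Time Range, User and Machine filters of the viewer.

    Time bounds are inclusive; user and machine names match case-insensitively
    because Windows account and host names are not case-sensitive.
    """
    kept = []
    for e in events:
        if since is not None and e["Time"] < since:
            continue
        if until is not None and e["Time"] > until:
            continue
        if user is not None and e["User"].lower() != user.lower():
            continue
        if machine is not None and e["Machine"].lower() != machine.lower():
            continue
        kept.append(e)
    return kept


def search_events(events, text, columns):
    """Search with the Search tool's semantics: partial match, case-insensitive,
    no wildcards (so '*' and '?' match literally), over the given columns only."""
    needle = text.lower()
    return [e for e in events if any(needle in str(e[c]).lower() for c in columns)]


def summarize(events):
    """Summary Only view: group events on (File Path, Event Id) with a count.

    Returns a list of (file_path, event_id, count) tuples, most frequent first,
    so the paths generating the most denials are at the top.
    """
    counts = Counter((e["File Path"], e["Event Id"]) for e in events)
    rows = [(path, event_id, n) for (path, event_id), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    denied = select_event_type(parse_events(SAMPLE_CSV), "Denied Executables")
    for path, event_id, n in summarize(denied):
        print(f"{n:4d}  {event_id}  {path}")
```

Run it on a real export by replacing `SAMPLE_CSV` with the file contents; if the export uses different column headings, rename the keys in `parse_events`, `filter_events`, `search_events` and `summarize` to match.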
Results Context Menu
Right-click within a column header to display the context menu where you can select to perform a number of additional actions.
- Sort Ascending: Sorts the selected column in ascending order.
- Sort Descending: Sorts the selected column in descending order.
- Clear Sorting: Clears the ascending or descending sorting criteria currently set for a column.
- Group By This Column: Groups the list using the data in the selected column. One expandable list will be created for each possible column value. If you perform this action on any subsequent columns, that data will be presented as nested groups at increasingly lower levels within the expandable lists. If Show Group Panel is enabled, this will show the "Group By" boxes in the area immediately above the column headers.
  Tip: To turn off the Group By This Column feature and revert to the original view: Enable Show Group Panel, right-click each Group By box and select Ungroup, and then right-click in the column header and select Hide Group Panel.
- Show Group Panel / Hide Group Panel: Displays or hides an area immediately above the column headers that contains "Group By" boxes. One "Group By" box will be displayed for each column header for which Group By This Column is currently enabled. You can also drag column headers to and from this area. The table will be grouped according to the data in the box. If there are two or more boxes then the grouping will be nested, with the left-most box presented at the highest level, the second box presented at the second level, etc.
- Show Column Chooser: Enables you to add and hide information within the grid. When you select Show Column Chooser, the Column Chooser dialog is displayed. This dialog is used to specify which of the available columns you want displayed within the grid. If you click and drag an entry in the list to a new position in the dialog, the columns in the grid will be reordered to match.
- Best Fit: Resizes the width of the selected column so that the header text is displayed in the optimal amount of space.
- Best Fit (all columns): Resizes the width of all columns in the table so that the header text is displayed in the optimal amount of space.
- Filter Editor: The Filter Editor dialog will show any of the advanced filters that are currently active in the column headers. You can use the editor to modify the existing filter criteria and to build new criteria using the available filter conditions and logical operators.