Overview:

Applocker is a very important tool that system administrators to protect against malware and unauthorized applications from running on systems. This is especially useful to protect against malware such as cryptolocker. While Applocker is very easy to implement, it lacks some of the reporting and alerting that administrators need to successfully respond to false positives such as business-critical applications. By itself, applocker does not have the ability to produce the statistics that are critical to justify the extra security measures (showing the number of non-authorized exe’s blocked). SCOM fills in the gap by offering a very powerful tool that is designed to alert and report applocker blocks / warnings for systems.

Building out the monitoring:

  1. Click on Authoring -> Management Pack Objects -> Rules. Right-click on the rules and click Create a new Rule.
  2. scom-newrule
  3. It is considered best practice to create a new management pack instead of adding to the default one. Click New Management Pack.
  4. scom-newmgtpack
  5. For the name enter ApplockerAlerts and enter a description and click Next.
  6. SCOM-APPLOCKERMP
  7. If desired a detailed knowledge based can be entered. Since this is mostly an administrative alert, we will not enter one and click Create.
  8. SCOM-Knowledge
  9. Expand Event Based and select NT Event Log (Alert).
  10. SCOM-EVENTLOG
  11. For the name, enter Applocker Alerts, and for the target either target, a specific group or all Windows computers can be targeted.
  12. scom-target
  13. For the log, name enter Microsoft-Windows-Applocker/EXE and DLL
  14. eventlogtype
  15. For the Event ID use 8003 for warnings or 8004 for exes that were not allowed to run more information on specific events can be found (http://technet.microsoft.com/en-us/library/ee844150.aspx ).
  16. ApplockereventID
  17. Use the default values and click Create.
  18. scom-laststep
  19. Give SCOM a few minutes and this alert will be working. You can verify this by launching an unauthorized exe and verifying that an event is created and that SCOM issues the alert.