Windows Application Whitelisting
Application whitelisting events should be collected to look for applications that have been blocked from execution. A blocked application could be malware or a user trying to run unapproved software. Software Restriction Policies (SRP) is supported on Windows XP and above. AppLocker is available only on the Enterprise and Ultimate editions of Windows 7 and above. Application whitelisting events can be collected if SRP or AppLocker is actively in use on the network.
SIEM Events
Application Ran
Modern app run (Event Source: Microsoft-Windows-AppLocker; Event Log: Microsoft-Windows-AppLocker/Packaged app-Execution)
Application Installed
Modern app install (Event Source: Microsoft-Windows-AppLocker; Event Log: Microsoft-Windows-AppLocker/Packaged app-Deployment)
SRP Block
Event Source: Microsoft-Windows-SoftwareRestrictionPolicies; Event Log: Application
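One way to pull the three event sources listed above from a single host into one stream for review or forwarding, as an added example that is not part of the original page. The 24-hour look-back window and the output field names are assumptions of this example; the log and provider names are the ones listed above.

```powershell
# Added example: collect the three application whitelisting sources into one normalized stream.
# Assumption: a 24-hour look-back window.
$since = (Get-Date).AddHours(-24)

# Categories, log names and provider names as listed on this page.
$sources = @(
    @{ Category = 'Application Ran';       LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution';  ProviderName = 'Microsoft-Windows-AppLocker' }
    @{ Category = 'Application Installed'; LogName = 'Microsoft-Windows-AppLocker/Packaged app-Deployment'; ProviderName = 'Microsoft-Windows-AppLocker' }
    @{ Category = 'SRP Block';             LogName = 'Application'; ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies' }
)

$events = foreach ($s in $sources) {
    # A channel may not exist on every host; skip it with a warning instead of failing.
    if (-not (Get-WinEvent -ListLog $s.LogName -ErrorAction SilentlyContinue)) {
        Write-Warning "Log not present on this host: $($s.LogName)"
        continue
    }
    $filter = @{ LogName = $s.LogName; ProviderName = $s.ProviderName; StartTime = $since }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
            # Output property names are this example's own (assumed) schema.
            [pscustomobject]@{
                TimeCreatedUtc = $_.TimeCreated.ToUniversalTime().ToString('o')
                Computer       = $_.MachineName
                Category       = $s.Category
                EventId        = $_.Id
                Level          = $_.LevelDisplayName
                UserSid        = "$($_.UserId)"
                Message        = $_.Message
            }
        }
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; an empty window is not a failure.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($s.LogName): $($_.Exception.Message)"
        }
    }
}

# Oldest first, as JSON for review or for handing to a log forwarder.
$events | Sort-Object TimeCreatedUtc | ConvertTo-Json -Depth 3
```

A warning for a missing log or unregistered provider on a host where SRP or AppLocker is expected to be in use is itself worth investigating, since it means no whitelisting events are being produced there.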
Last modified
September 14, 2021