Windows Application Whitelisting
Application whitelisting events should be collected to look for applications that have been blocked from execution. Any blocked application could be malware or a user trying to run unapproved software. Software Restriction Policies (SRP) is supported on Windows XP and above. The AppLocker feature is available only on the Enterprise and Ultimate editions of Windows 7 and above. Application whitelisting events can be collected only if SRP or AppLocker is actively being used on the network.
Modern app run: Event Source: Microsoft-Windows-AppLocker; Event Log: Microsoft-Windows-AppLocker/Packaged app-Execution
Modern app install: Event Source: Microsoft-Windows-AppLocker; Event Log: Microsoft-Windows-AppLocker/Packaged app-Deployment
Event Source: Microsoft-Windows-SoftwareRestrictionPolicies; Event Log: Application
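One way to pull these events from a single host for review, as an added example that is not part of the original page. It assumes that Warning and Error level entries are the ones of interest and uses an arbitrary seven-day window; the log and source names are the ones listed above.

```powershell
# Added example: collect recent whitelisting events from the logs listed above.
# Assumptions: Level 2 (Error) and Level 3 (Warning) cover the entries of
# interest; the 7-day look-back is arbitrary.
$since = (Get-Date).AddDays(-7)

$queries = @(
    @{ LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution' },
    @{ LogName = 'Microsoft-Windows-AppLocker/Packaged app-Deployment' },
    @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies' }
)

$events = foreach ($q in $queries) {
    $filter = $q.Clone()
    $filter.Level     = 2, 3
    $filter.StartTime = $since
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events found" and "log not present on this host" both land here.
        Write-Verbose "$($q.LogName): $($_.Exception.Message)"
    }
}

# One line per event, oldest first, with only the first line of the message.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, MachineName, LogName, Id, LevelDisplayName,
        @{ Name = 'User';    Expression = { $_.UserId } },
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Count per log and event ID, to show which entries dominate.
$events | Group-Object LogName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it with -Verbose to see which logs returned nothing; an absent log usually means that SRP or AppLocker is not in use on that host.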
September 14, 2021