Introduction:
In the previous blog we looked at the AppLocker Rules, Rule Conditions and how to enforce them. In this blog we will look at AppLocker in audit mode.
By using the Audit only enforcement setting, you can verify that your AppLocker rules are configured correctly for your organisation before you enforce them. When AppLocker policy enforcement is set to Audit only, the rules are evaluated but never enforced: nothing is blocked, and every evaluation result is written to the AppLocker event log so you can see what would have happened under Enforce rules.

Enable AppLocker Audit mode:
To enable AppLocker audit mode, open Group Policy Management, edit your AppLocker GPO and navigate to Computer Configuration – Policies – Windows Settings – Security Settings – Application Control Policies – AppLocker, then click Configure rule enforcement.
On each rule collection (rule set) you would like to audit, tick the Configured box and select Audit only from the drop-down list.
Ensure you have rules created in each rule set you enable for auditing: a collection that is configured but contains no rules treats every file of that type as not allowed, so the log fills with "would have been blocked" events for everything and tells you nothing about your rule gaps. AppLocker also only evaluates rules and writes events while the Application Identity service (AppIDSvc) is running on the client, so make sure it is started (and set to start automatically) on the machines you are auditing.
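The same configuration can be done from PowerShell with the AppLocker module, which is handy for lab machines or for producing the XML you later import into the GPO. The script below is an added example and is not code from the original post. It assumes an elevated PowerShell session on a Windows machine with the AppLocker module and the Application Identity service available, and the seed path rules (one Allow rule per collection for Everyone, plus an Allow-all for local Administrators) are placeholders to be replaced by your organisation's real rules; the copied cmd.exe is only there to give the dry run a file outside the allowed paths.

```powershell
# Added example (not from the original post): build an Audit-only AppLocker policy,
# dry-run it against two files, apply it locally and confirm the enforcement mode.
# Assumptions: elevated session, AppLocker module present, AppIDSvc running, and the
# path rules below are seed rules only, not a recommended baseline.
Import-Module AppLocker

function Add-AllowPathRule {
    param([System.Xml.XmlDocument]$Doc, [System.Xml.XmlElement]$Parent,
          [string]$Path, [string]$Sid, [string]$Name)
    $rule = $Parent.AppendChild($Doc.CreateElement('FilePathRule'))
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())      # every rule needs a unique GUID
    $rule.SetAttribute('Name', $Name)
    $rule.SetAttribute('Description', 'Seed rule for audit mode; replace with real rules')
    $rule.SetAttribute('UserOrGroupSid', $Sid)
    $rule.SetAttribute('Action', 'Allow')
    $cond = $rule.AppendChild($Doc.CreateElement('Conditions'))
    $cond.AppendChild($Doc.CreateElement('FilePathCondition')).SetAttribute('Path', $Path)
}

function New-AuditOnlyAppLockerPolicy {
    param([hashtable]$Collections)
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('AppLockerPolicy'))
    $root.SetAttribute('Version', '1')
    foreach ($type in $Collections.Keys) {
        $rc = $root.AppendChild($doc.CreateElement('RuleCollection'))
        $rc.SetAttribute('Type', $type)                      # Exe, Dll, Msi, Script, Appx
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')     # 'Enabled' would be Enforce rules
        foreach ($path in $Collections[$type]) {
            Add-AllowPathRule -Doc $doc -Parent $rc -Path $path -Sid 'S-1-1-0' -Name "Everyone: $path"
        }
        # Local Administrators may run anything, so flipping to Enforce later cannot lock you out.
        Add-AllowPathRule -Doc $doc -Parent $rc -Path '*' -Sid 'S-1-5-32-544' -Name 'Administrators: all'
    }
    return $doc.OuterXml
}

# One seed Allow rule per collection so no configured collection is left empty.
$collections = @{
    Exe    = @('%WINDIR%\*', '%PROGRAMFILES%\*')
    Dll    = @('%WINDIR%\*', '%PROGRAMFILES%\*')   # DLL rules are the noisiest; audit them longest
    Msi    = @('%WINDIR%\Installer\*')
    Script = @('%WINDIR%\*', '%PROGRAMFILES%\*')
}
$policyPath = Join-Path $env:TEMP 'applocker-audit-only.xml'
New-AuditOnlyAppLockerPolicy -Collections $collections | Set-Content -Path $policyPath -Encoding UTF8

# Dry run before touching the machine: the same binary inside and outside the allowed paths.
$copy = Join-Path $env:TEMP 'cmd-copy.exe'
Copy-Item "$env:WINDIR\System32\cmd.exe" $copy -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'Everyone' -Path "$env:WINDIR\System32\cmd.exe", $copy |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local AppLocker policy. -Merge keeps existing local rules; drop it to replace them.
# For a domain GPO use -Ldap '<LDAP path of the GPO>' instead of writing the local policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Verify: every configured collection should now report AuditOnly.
([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode
```

The dry run is the check worth keeping: the copy of cmd.exe under the user's temp folder is outside every Allow path, so it should come back as not allowed while the original in System32 is allowed, which is exactly the pair of outcomes you will later see as 8002 and 8003 events. If the final table shows a collection as Enabled rather than AuditOnly, the merged local or domain policy already had enforcement switched on and you are no longer in a safe audit.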
AppLocker Event IDs:
The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules.
| Event ID | Level | Event message | Description |
|---|---|---|---|
| 8001 | Information | The AppLocker policy was applied successfully to this computer. | Indicates that the AppLocker policy was applied to the computer; if this event is missing, check that the GPO applies and that the Application Identity service is running. |
| 8002 | Information | *<File name>* was allowed to run. | Specifies that the .exe or .dll file is allowed by an AppLocker rule. |
| 8003 | Warning | *<File name>* was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8004 | Error | *<File name>* was not allowed to run. | Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run. |
| 8005 | Information | *<File name>* was allowed to run. | Specifies that the script or .msi file is allowed by an AppLocker rule. |
| 8006 | Warning | *<File name>* was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8007 | Error | *<File name>* was not allowed to run. | Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run. |
| 8020 | Information | Packaged app allowed. | Added in Windows Server 2012 and Windows 8. |
| 8021 | Information | Packaged app audited. | Added in Windows Server 2012 and Windows 8. |
| 8022 | Information | Packaged app disabled. | Added in Windows Server 2012 and Windows 8. |
| 8023 | Information | Packaged app installation allowed. | Added in Windows Server 2012 and Windows 8. |
| 8024 | Information | Packaged app installation audited. | Added in Windows Server 2012 and Windows 8. |
| 8025 | Warning | Packaged app installation disabled. | Added in Windows Server 2012 and Windows 8. |
| 8027 | Warning | No Packaged app rule configured. | Added in Windows Server 2012 and Windows 8. |

The .exe/.dll events (8002 to 8004) are written to the Microsoft-Windows-AppLocker/EXE and DLL log, the script and .msi events (8005 to 8007) to Microsoft-Windows-AppLocker/MSI and Script, and the packaged app events to the Packaged app-Deployment and Packaged app-Execution logs. In Audit only mode the events to watch are 8003 and 8006 (and 8021/8024 for packaged apps): each one is a file that will stop working the day you switch to Enforce rules.
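Reading those events by hand in Event Viewer does not scale once a few hundred machines have been auditing for a week, so the following added example (not code from the original post) pulls the Audit only events out of the two AppLocker logs and summarises which files would be blocked, by publisher and path. It assumes an elevated session on a host that has been in Audit only mode for a while, that the event payload uses the documented RuleAndFileData fields (PolicyName, FilePath, Fqbn, FileHash, TargetUser, RuleName), and it deliberately leaves out the packaged app logs, whose events carry a different payload.

```powershell
# Added example (not from the original post): summarise "would have been blocked" events
# (8003 for EXE/DLL, 8006 for MSI/Script) from the AppLocker logs on this machine.
# Assumptions: elevated session, host already running in Audit only mode, documented
# RuleAndFileData event fields; packaged-app logs are out of scope here.

# Logs carrying the 8002-8007 events from the table above.
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',     # 8002, 8003, 8004
    'Microsoft-Windows-AppLocker/MSI and Script'   # 8005, 8006, 8007
)
$auditOnlyIds = 8003, 8006   # allowed now, blocked under Enforce rules

function Resolve-Sid([string]$Sid) {
    # Events record the user as a SID; show an account name where it still resolves.
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # deleted account or foreign domain: keep the raw SID
}

function Get-AppLockerAuditEvent {
    param(
        [string[]]$LogName = $logs,
        [int[]]$Id = $auditOnlyIds,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($log in $LogName) {
        # Get-WinEvent errors when nothing matches; an empty log is a normal outcome here.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # The useful fields live in <UserData><RuleAndFileData>, not in the message text.
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time       = $e.TimeCreated
                EventId    = $e.Id
                Collection = $d.PolicyName   # EXE, DLL, MSI, SCRIPT
                FilePath   = $d.FilePath     # uses %OSDRIVE%, %WINDIR% etc., not drive letters
                Publisher  = $d.Fqbn         # publisher\product\binary\version; '-' or empty if unsigned
                FileHash   = $d.FileHash
                User       = Resolve-Sid $d.TargetUser
                RuleName   = $d.RuleName
            }
        }
    }
}

$audit = Get-AppLockerAuditEvent

# What breaks if we switch to Enforce rules? One line per publisher and path, most frequent first.
$audit |
    Group-Object Publisher, FilePath |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Publisher'; e = { $_.Group[0].Publisher } },
        @{ n = 'FilePath';  e = { $_.Group[0].FilePath } },
        @{ n = 'Users';     e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap

# Unsigned files cannot get a publisher rule, so they are the hash or path rule candidates.
$audit |
    Where-Object { [string]::IsNullOrEmpty($_.Publisher) -or $_.Publisher -eq '-' } |
    Select-Object -Unique FilePath
```

The publisher column is the one to read first: a signed binary that shows up here can usually be covered by one publisher rule for the whole product, whereas every unsigned hit in the second list needs either a path rule (if it lives in a location standard users cannot write to) or a hash rule that you will have to maintain on every update. The AppLocker module offers a built-in shortcut for the per-file counts, Get-AppLockerFileInformation -EventLog -LogPath '<log name>' -EventType Audited -Statistics, but it does not give you the user or rule columns.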
Conclusion:
The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed information about:
- Which file is affected and the path of that file
- Which packaged app is affected and the package identifier of the app
- Whether the file or packaged app is allowed or blocked
- The rule type (path, file hash, or publisher)
- The rule name
- The security identifier (SID) for the user or group identified in the rule
By enabling AppLocker audit mode, you can retrieve from these events the information you need to build and refine your AppLocker rules before you switch to Enforce rules.
In the next blog we will look at how you can use the Event ID information to create rules.