We are trying to evaluate Microsoft Operations Management Suite (OMS) together with Microsoft AppLocker and Device Guard as a replacement for third-party log tools for gathering logs from mobile workstations (Device Guard is covered in a later post).
This is the first proof of concept: trying to monitor the data load per source before setting up automation to act on the alarms.
The first baby step is to create an OMS workspace.
In OMS data settings we add the Windows event log used by AppLocker. AppLocker does not write to the Application or System logs; the executable blocks go to the channel Microsoft-Windows-AppLocker/EXE and DLL, so that is the log name to add.
We download the OMS agent,
run the installer,
and select "Connect the agent to Microsoft Azure Operational Insights".
Enter our workspace ID and key to associate the agent with the workspace.
A few seconds later we can see our clients added to Microsoft Operations Management Suite.
We then add our AppLocker policy
and see that we aren't allowed to run a random exe file.
We can then see in the event log that AppLocker writes the usual 8004 (file was prevented from running). Two caveats: if the rule collection is in audit-only mode the same block is logged as 8003 rather than 8004, and nothing is logged at all unless the Application Identity service (AppIDSvc) is running on the client.
We then go to Operational Insights and search for * EventID=8004. Other Windows logs can reuse the same event ID, so narrow the search by adding the proper source, i.e. the AppLocker EXE and DLL event log, and then save the search.
Add the saved search to a shiny dashboard; we can now monitor the blocks
and drill down to see which app is being blocked.
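As an added example (not code from the original post), the same steps scripted in PowerShell, to be run elevated on the client: an unattended install of the OMS agent bound to the workspace, the prerequisites AppLocker needs before it logs anything, a dry run of the effective policy against a test file without executing it, and a parser for the 8003/8004 events so you can confirm locally what the agent will forward before building the OMS search. The workspace ID, key, installer path and test executable are placeholders.

```powershell
# Added example, not from the original post. Workspace ID/key, installer path
# and the test executable below are placeholders to replace.
param(
    [string]$WorkspaceId   = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$WorkspaceKey  = 'REPLACE_WITH_WORKSPACE_PRIMARY_KEY',     # placeholder
    [string]$InstallerPath = "$env:TEMP\MMASetup-AMD64.exe",           # downloaded OMS agent
    [string]$TestExe       = "$env:USERPROFILE\Downloads\random.exe"   # placeholder
)

# The channel added under OMS > Settings > Data > Windows Event Logs.
$AppLockerLog = 'Microsoft-Windows-AppLocker/EXE and DLL'

# 1. Unattended agent install, equivalent to the "Connect the agent to Azure
#    Operational Insights" page of the wizard. HealthService is the agent's service.
if (-not (Get-Service -Name HealthService -ErrorAction SilentlyContinue)) {
    $extractDir = Join-Path $env:TEMP 'MMA'
    Start-Process -FilePath $InstallerPath -ArgumentList "/c /t:`"$extractDir`"" -Wait
    $setupArgs = @(
        '/qn',
        'ADD_OPINSIGHTS_WORKSPACE=1',
        "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId",
        "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey",
        'AcceptEndUserLicenseAgreement=1'
    )
    Start-Process -FilePath (Join-Path $extractDir 'setup.exe') -ArgumentList $setupArgs -Wait
}

# 2. AppLocker neither enforces nor logs unless the Application Identity
#    service runs, and the agent can only forward a channel that is enabled.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
$channel = Get-WinEvent -ListLog $AppLockerLog
if (-not $channel.IsEnabled) { throw "$AppLockerLog is disabled, nothing will reach OMS" }

# 3. Dry run: ask the effective policy what it would do with the test file,
#    without executing it. Denied/DeniedByDefault here is what becomes 8004
#    (enforce) or 8003 (audit only) in the log when the file is actually run.
function Test-BlockedByAppLocker {
    param([Parameter(Mandatory)][string]$Path)
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 4. Read the events the agent will forward and flatten the UserData XML into
#    the fields worth dashboarding (user, path, hash, publisher, policy).
function Get-AppLockerBlockEvent {
    param([int[]]$Id = @(8003, 8004), [int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = $AppLockerLog; Id = $Id } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        # TargetUser is a SID; resolve it where possible, keep the raw SID otherwise.
        $user = $data.TargetUser
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$data.TargetUser).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            EventID     = $_.Id
            Mode        = if ($_.Id -eq 8004) { 'Enforced' } else { 'AuditOnly' }
            User        = $user
            FilePath    = $data.FilePath
            FileHash    = $data.FileHash
            Publisher   = $data.Fqbn
            PolicyName  = $data.PolicyName
        }
    }
}

Test-BlockedByAppLocker -Path $TestExe | Format-Table -AutoSize
Get-AppLockerBlockEvent | Format-Table -AutoSize
```

If the dry run reports Denied but no 8004 appears in the OMS search after running the file, the usual reasons are that the rule collection is in audit-only mode (look for 8003 instead), that AppIDSvc was not running at the time, or that the log name added in OMS data settings does not match the EXE and DLL channel exactly. The columns the parser extracts (FilePath, FileHash, Fqbn, TargetUser) are the same ones you will want to drill into from the dashboard.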