my personal blog about systemcenter

Using Microsoft Operations Management Suite and Applocker together

We are evaluating Microsoft Operations Management Suite together with Microsoft AppLocker and Device Guard as a replacement for third-party log tools to gather logs from mobile workstations (Device Guard is covered in a later post).

This is the first proof of concept, trying to monitor the data load per source before setting up automation to act on the alerts.


The first baby step is to create an OMS workspace.


In the OMS data settings we add the Windows event log used by AppLocker.


We download the OMS agent.


Run the installer


and select "Connect to Microsoft Azure Operational Insights".


Enter our workspace ID and key to associate the agent with the workspace.


A few seconds later we can see our clients added to Microsoft Operations Management Suite.

We then add our AppLocker policy.


See that we aren't allowed to run a random exe file.


We can then see in the event log that AppLocker writes the usual event 8004 ("was prevented from running").


We then go to Operational Insights and search for "* EventID = 8004" (this can be narrowed further by adding the proper source), then save the search.


Add the saved search to a shiny dashboard; we can now monitor


and drill down to see which app is being blocked.
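As an added example (my own PowerShell, not something from the OMS or AppLocker products), here is the same drill-down done locally on a client: it pulls the 8004 events the agent forwards, reads the blocked file path, hash, publisher and user out of the event payload, and groups them the way the dashboard does. It assumes the EXE and DLL enforcement log is enabled and that the payload element names (FilePath, FileHash, Fqbn, TargetUser, PolicyName) match the AppLocker event schema.

```powershell
# Added example: summarise AppLocker 8004 "prevented from running" events on the local client.
# Assumption: the EXE/DLL rule collection is enforced and writes to the log below.
$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'

function Get-AppLockerBlockedApps {
    param(
        [int]$Hours = 24,       # look-back window
        [int]$MaxEvents = 500   # cap so a chatty client does not flood the console
    )
    $filter = @{
        LogName   = $LogName
        Id        = 8004        # the same ID the OMS search "* EventID = 8004" keys on
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The 8004 payload is under Event/UserData/RuleAndFileData in the event XML
        # (element names below are assumptions taken from the AppLocker event schema).
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        $user = $d.TargetUser
        try {
            # TargetUser is a SID; translate it to DOMAIN\user where possible
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($d.TargetUser)
            $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            User     = $user
            FilePath = $d.FilePath
            FileHash = $d.FileHash
            Fqbn     = $d.Fqbn       # publisher / product / binary / version, if signed
            Policy   = $d.PolicyName
        }
    }
}

# Dashboard-style drill-down: which executables are blocked most often, and for whom.
Get-AppLockerBlockedApps -Hours 24 |
    Group-Object FilePath, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Running this on a client right after the OMS search is a quick way to confirm that what the dashboard shows matches the local log before automation is built on top of it.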