Thread Info
Options
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application control - how to identify specific client with Controlled Application?

NTSys

We've enabled Application Control in "Detect but allow to run" mode for pretty much everything to get a feel for what is out there - this has created a lot of events. Reporting "Alerts and events by item name" shows some applications that we want to investigate, but how can we drill down to see which client has raised a particular application event?

I had hoped I could create an SQL query but the database doesn't seem to have any Application Control tables...

:10965


This thread was automatically locked due to age.
  • 0

    the database doesn't seem to have any Application Control tables

    The events are in the Events table, a quick glance suggests that EventType=3 indicates Application Control. You probably know how to correlate them to the client but just in case, ComputerID refers to ID in ComputersAndDeletedComputers which contains the client's Name.

    Christian

    :10973
    • 0

      Hi,

      You should be able to use the Application Event Viewer to filter on this data to some degree but it is only "application type".  
      It is worth noting that you can use the * wild card in the "User" and "Computer" fields.
      Otherwise the Reporting Interface might be worth a look:
      /search?q= 8285
      to get at this sort of info from the database directly.  E.g the view: "vEventsApplicationControlData" joined on the "vComputerHostData" view.  I included a basic HTA in the above post which might be useful once you've installed the Reporting Interface into the database.

      Regards,
      Jak
      :11001
      • 0

        I use:

        SELECT tb2.EventTime, tb1.Name AS Computer, tb2.UserName, tb2.Name As Application

        FROM ComputersAndDeletedComputers AS tb1, Events As tb2

        WHERE tb2.EventType = 3

        AND tb2.ComputerID = tb1.ID

        AND tb2.EventTime >= GetUTCDate() - 31

        ORDER BY tb2.EventTime DESC

        Also see:

        /search?q= 4050

        And:

        /search?q= 4978

        :11031
        • 0

          Hi,

          The information you require can be found in the event viewer and you're not the first person to be unaware of its existance. It can be found in the "View" menu within SEC.

          BTW we are introducing a dedicated "Events" menu in ESC 10 to make it much easier to locate the various event viewers.

          Best regards,

          John (Product Manager)

          :11033
          • 0

            The information you require can be found in the event viewer and you're not the first person to be unaware of its existance

            I must admit that I have (temporarily) been :smileymad: - should have checked. Got carried away by the other question about selective deletion/acknowledgement ...

            Christian

            :11041
            • 0

              Thank you all for the replies - I'll go with the easy View option to start with!

              @Placebo - thanks for the links to your posts - I'd seen them before but forgotten.

              @John - any chance Placebos SQL queries could form a sticky or KB article?

              :11049
              Unfiltered HTML