This document covers some of the additional auditing capabilities of Application Manager 10.1.
Extended Fields Audited
For some event types, auditing has been extended in Application Manager 10.1 to include additional fields that are useful when building a configuration. In previous versions of Application Manager it may have been necessary to use the Rules Analyzer tool or Application Manager logging, or to view the file's details directly on the endpoint, to obtain the same information.
AM 10.1 auditing now includes the following fields:
- NTFS File Owner, added to events:
  - 9000 (Denied)
  - 9001 (Allowed) and 9015 (Running)
- Parent Process
- Connecting Device and Session ID
- Deciding Rule, added to events:
  - 9000 (Denied)
  - 9004 (Application Limit Denial)
  - 9005 (Time Limit Denial)
  - 9006 (Self-Authorization)
  - 9007 (Self-Authorization Allow)
  - 9013 (Network Item Denied)
  - 9014 (Network Item Allowed)
  - 9018 (Application User Privileges Changed URM)
  - 9019 (Web Installation Allowed)
  - 9020 (Web Installation Restricted)
  - 9022 (Web Installation Failed to Complete)
  - 9023 (Self Elevation Allowed)
An example AM 8.9 Event ID 9000 entry:
AppSense Application Manager denied execution of 'c:\example\notepad.exe [Hash:7eb0139d2175739b3ccb0d1110067820be6abd29 Size:193536 bytes] [ProductVersion: 6.1.7600.16385] [FileVersion: 6.1.7600.16385] [Product Name: Microsoft Windows Operating System] [Company Name: Microsoft Corporation] [Vendor: ] [File Description: Notepad]' on '<Connecting Device Hostname>'.
An example AM 10.1 Event ID 9000 entry:
AppSense Application Manager denied execution of 'c:\example\notepad.exe [Hash:a7bbc4b4f781e04214ecebe69a766c76681aa7eb Size:193536 bytes] [ProductVersion: 6.1.7601.18917] [FileVersion: 6.1.7601.18917] [Product Name: Microsoft Windows Operating System] [Company Name: Microsoft Corporation] [Vendor: ] [File Description: Notepad] [Parent Process: C:\Windows\Explorer.EXE]' on '<Connecting Device Hostname>' in 'Session ID: 3'. Deciding Rule: 'Trusted Ownership'. File owner: 'TB\Engineer1'.
Service Start/Stop Audit Events
AM 10.1 adds a new event that is logged when a service is stopped or started. It is audited under Event ID 9055 (Service start/stop) and is disabled by default.
Example Service Stop:
A user on '<Connecting Device>' in 'Session ID: 3' has stopped service 'AppSense Watchdog Service' on '<Endpoint>'
Example Service Start:
A user on '<Connecting Device>' in 'Session ID: 3' has started service 'AppSense Watchdog Service' on '<Endpoint>'
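The 9000 and 9055 message formats above are free text, so a SIEM or triage script has to pull the new 10.1 fields (Parent Process, Session ID, Deciding Rule, File owner) out of the string and must still cope with pre-10.1 messages that lack them. The following parser is an added example written for this document; it is not part of Application Manager and does not use any AppSense API. The sample messages are constructed to match the formats shown above, with made-up hostnames (CLIENT01, SERVER01); the hash algorithm is not named on the page, so the field is simply called file_hash.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample messages modelled on the Event ID 9000 and 9055 formats in this
# document. Hostnames are made up; nothing here was captured from a live endpoint.
SAMPLE_9000_AM89 = (
    "AppSense Application Manager denied execution of 'c:\\example\\notepad.exe "
    "[Hash:7eb0139d2175739b3ccb0d1110067820be6abd29 Size:193536 bytes] "
    "[ProductVersion: 6.1.7600.16385] [FileVersion: 6.1.7600.16385] "
    "[Product Name: Microsoft Windows Operating System] [Company Name: Microsoft Corporation] "
    "[Vendor: ] [File Description: Notepad]' on 'CLIENT01'."
)
SAMPLE_9000_AM101 = (
    "AppSense Application Manager denied execution of 'c:\\example\\notepad.exe "
    "[Hash:a7bbc4b4f781e04214ecebe69a766c76681aa7eb Size:193536 bytes] "
    "[ProductVersion: 6.1.7601.18917] [FileVersion: 6.1.7601.18917] "
    "[Product Name: Microsoft Windows Operating System] [Company Name: Microsoft Corporation] "
    "[Vendor: ] [File Description: Notepad] [Parent Process: C:\\Windows\\Explorer.EXE]' "
    "on 'CLIENT01' in 'Session ID: 3'. Deciding Rule: 'Trusted Ownership'. File owner: 'TB\\Engineer1'."
)
SAMPLE_9055_STOP = (
    "A user on 'CLIENT01' in 'Session ID: 3' has stopped service "
    "'AppSense Watchdog Service' on 'SERVER01'"
)

_PATH_RE = re.compile(r"execution of '(?P<path>.+?)\s*\[Hash:")
_HASH_RE = re.compile(r"\[Hash:(?P<hash>[0-9a-fA-F]+) Size:(?P<size>\d+) bytes\]")
_ATTR_RE = re.compile(r"\[(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>[^\]]*)\]")
_DEVICE_RE = re.compile(r"' on '(?P<device>[^']*)'")
_SESSION_RE = re.compile(r"in 'Session ID: (?P<session>\d+)'")
_RULE_RE = re.compile(r"Deciding Rule: '(?P<rule>[^']*)'")
_OWNER_RE = re.compile(r"File owner: '(?P<owner>[^']*)'")
_SERVICE_RE = re.compile(
    r"A user on '(?P<device>[^']*)' in 'Session ID: (?P<session>\d+)' "
    r"has (?P<action>started|stopped) service '(?P<service>[^']*)' on '(?P<endpoint>[^']*)'"
)


@dataclass
class ExecutionEvent:
    path: str
    file_hash: str              # 40 hex characters in the samples; algorithm not stated on the page
    size: int
    connecting_device: str
    attributes: Dict[str, str] = field(default_factory=dict)  # the remaining [Key: Value] pairs
    # Fields that only AM 10.1 emits; left as None for older-format messages
    parent_process: Optional[str] = None
    session_id: Optional[int] = None
    deciding_rule: Optional[str] = None
    file_owner: Optional[str] = None


@dataclass
class ServiceEvent:
    connecting_device: str
    session_id: int
    action: str                 # "started" or "stopped"
    service: str
    endpoint: str


def parse_execution_event(message: str) -> ExecutionEvent:
    """Parse a 9000-style execution audit message; the 10.1-only fields are optional."""
    path = _PATH_RE.search(message)
    hashm = _HASH_RE.search(message)
    device = _DEVICE_RE.search(message)
    if not (path and hashm and device):
        raise ValueError("not an Application Manager execution audit message")
    attrs = {m["key"]: m["value"].strip() for m in _ATTR_RE.finditer(message) if m["key"] != "Hash"}
    parent = attrs.pop("Parent Process", None)   # present only in 10.1 messages
    session = _SESSION_RE.search(message)
    rule = _RULE_RE.search(message)
    owner = _OWNER_RE.search(message)
    return ExecutionEvent(
        path=path["path"],
        file_hash=hashm["hash"],
        size=int(hashm["size"]),
        connecting_device=device["device"],
        attributes=attrs,
        parent_process=parent,
        session_id=int(session["session"]) if session else None,
        deciding_rule=rule["rule"] if rule else None,
        file_owner=owner["owner"] if owner else None,
    )


def parse_service_event(message: str) -> ServiceEvent:
    """Parse a 9055 service start/stop message."""
    m = _SERVICE_RE.search(message)
    if not m:
        raise ValueError("not a 9055 service start/stop message")
    return ServiceEvent(m["device"], int(m["session"]), m["action"], m["service"], m["endpoint"])


def summarise_denials(messages):
    """Count denials by (deciding rule, file owner); older-format messages fall under 'unknown'."""
    counts = Counter()
    for msg in messages:
        ev = parse_execution_event(msg)
        counts[(ev.deciding_rule or "unknown", ev.file_owner or "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(parse_execution_event(SAMPLE_9000_AM101))
    print(parse_service_event(SAMPLE_9055_STOP))
    print(summarise_denials([SAMPLE_9000_AM89, SAMPLE_9000_AM101]))
```

Because the 10.1 fields are matched individually rather than by position, the same parser handles an 8.9-format message (where they come back as None) and a 10.1 message, which matters when a mixed estate feeds one log pipeline. The summarise_denials helper shows the practical gain from the new fields: denials can be grouped by the rule that fired and by the owner of the denied file, so a Trusted Ownership denial can be attributed to the account that wrote the file without going back to the endpoint.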
User Rights Management (URM) in Audit-Only Mode
In AM 10.0 and earlier, URM was applied regardless of the AM rule's "Restricted" security slider setting. The Custom Setting UrmSecPolicy could be used to ensure that, when Audit Only mode was enabled, 9018 events were raised but elevation did not occur. As of AM 10.1, this is the standard behavior for Audit Only mode; all other modes apply URM unless UrmSecPolicy is set to 1.