AppLocker Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Rule Status | Common Event | Classification |
|---|---|---|---|---|
| AppLocker Events | Base Rule | Production | General Logging Information | Information |
| EVID 8001 : Policy Successfully Applied | Sub Rule | Production | Configuration Enabled : Application | Configuration |
| EVID 8002 : EXE Or DLL Allowed To Run | Sub Rule | Production | Process/Service Started | Startup and Shutdown |
| EVID 8003 : Process Allowed But Would Be Blocked | Sub Rule | Production | Process/Service Started | Startup and Shutdown |
| EVID 8004 : Process Not Allowed To Run | Sub Rule | Production | Process Failed | Error |
| EVID 8005 : Script Or MSI Allowed To Run | Sub Rule | Production | Process/Service Started | Startup and Shutdown |
| EVID 8006 : Process Allowed But Would Be Blocked | Sub Rule | Production | Process/Service Started | Startup and Shutdown |
| EVID 8007 : Process Not Allowed To Run | Sub Rule | Production | Process Failed | Error |
| EVID 8008 : AppLocker Disabled On The SKU | Sub Rule | Production | Feature Disabled | Information |
| EVID 8020 : Packaged App Allowed | Sub Rule | Production | General Application Information | Information |
| EVID 8021 : Packaged App Audited | Sub Rule | Production | General Audit Message | Other Audit |
| EVID 8022 : Packaged App Disabled | Sub Rule | Production | Disabled | Information |
| EVID 8023 : Packaged App Installation Allowed | Sub Rule | Production | General Application Information | Information |
| EVID 8024 : Packaged App Installation Audited | Sub Rule | Production | General Audit Message | Other Audit |
| EVID 8025 : Packaged App Installation Disabled | Sub Rule | Production | Disabled | Information |
| EVID 8027 : No Packaged App Rule Configured | Sub Rule | Production | Failed Configuration | Other Audit Failure |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| <eventid> | <vmid> | Number |
| <execution processid> | <processid> | Number |
| <channel> | <tag1> | Text/String |
| <computer> | <sname> | Text/String |
| <security userid> | <domain> | Text/String |
| <security userid> | <login> | Text/String |
| <UserData> | <vendorinfo> | Text/String |
| <UserData> | <object> | Text/String |
| <UserData> | <objectname> | Text/String |
| was | <tag2> | Text/String |