This is new in Deep Security 10.
By default, when you enable application control, it will log events such as when it detects software change. App control also logs when it blocks software from executing. Software change events will appear on the Actions and Events & Reports tabs. If configured, it will also trigger an alert.
You can configure some of which application control event logs are recorded, and which are forwarded to external SIEM systems, syslog servers, or SNMP managers.
To monitor for software changes on computers, the basic steps are:
- Go to Administration > System Settings > System Events.
- Scroll down to the application control events such as Event ID 7000 “Application Control Events Exported”.
If you want to record event logs for that type of event, enable Record.
When those events occur, they will appear on Events & Reports > Events > System Events. Logs will be kept until they meet maximum log age criteria, which varies by Deep Security Manager platform. For details, see Log and event storage best practices.Events that appear on Computers > Details > Application Control > Events are not configured here. They will always be logged.
- If you want to forward event logs to an SIEM, SNMP, or syslog server, enable Forward.
- If a specific computer should forward logs directly to your SIEM instead of relaying through Deep Security Manager, go to Computers, right-click the computer and select Details. In the pane on the left side, click Settings, and then go to the SIEM tab. Scroll down to the Application Control Event Forwarding section and configure the settings.
If you use an external SIEM, you may need to load the list of possible application control event logs, and indicate what action to take. For a list of application control events, see System events.
Location of application events varies by whether they are an:
- audit event (history of configuration changes or software updates): Events & Reports > Events > System Events
- security event (application control blocked or allowed unrecognized software, or blocked software in a block rule): Events & Reports > Events > Application Control Events > Security Events
Application Control logs the following security events:
- Execution of Unrecognized Software Allowed
- Execution of Unrecognized Software Blocked
- Execution of Software Blocked by Rule
For a list of application control system events, see System events.
If an event shows that application control is blocking software, but it should not, you can undo the rule.
To configure which application control events or severity levels cause an alert, go to the Alerts tab, click the Configure Alerts button, and then select an event and click Properties. For details, see Configure email notifications for alerts.
When alerts are enabled for application control events, any software change that the application control engine detects and any software that it blocks from executing will appear in the Alerts tab. If you have enabled the Alert Status widget, application control alerts will also appear on your dashboard.
To monitor which computers are in maintenance mode, you can also click Add/Remove Widgets and enable the Application Control Maintenance Mode widget, which will display a list of the computers and their scheduled maintenance windows.
Alerts (and counts of their associated events) are kept until your configured maximum age of alerts.