App Control: How Can I Audit for Rules Usage in App Control?

Environment

  • App Control: All Supported Versions
  • Microsoft SQL: All Supported Versions

Question

  • Is there a SQL script that can be run against the DAS database that will show what rules are being triggered most frequently to those that are not?

Answer

There is a SQL script that can be run against the DAS database that will show which rules are used most frequently versus those that are used less frequently or not at all. Additionally, it shows a count of the computers that triggered each rule. This is a good script to run when conducting rule audits.
  1. Run the below SQL query against the DAS database in SQL Management Studio:
Use das;
GO

select
       E.Rule_Name,
       count( E.Event_Id ) as 'Number_Times_Triggered',
       count( distinct E.Computer_Id ) as 'Count_Of_Computers_That_Triggered'
from
       bit9_public.ExEvents E
where
       E.Rule_Name is not null and
       E.Updater_Name is null and
       E.Indicator_Name is null
group by
       E.Rule_Name
order by
       'Number_Times_Triggered' DESC
;
  2. When the query completes, it is best to export the result to CSV format. This is accomplished within SQL Management Studio by selecting "Results to Grid".
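As an added example (not part of this article), the same counts extended with each rule's share of all qualifying events and a simple audit flag, using only the bit9_public.ExEvents columns the query above already relies on; the thresholds and the Pct_Of_All_Rule_Events and Audit_Flag column names are my own choices.

```sql
USE das;
GO

-- Added example, not from the KB article: rank each rule's share of all
-- qualifying events so low-usage rules stand out during a rule audit.
WITH rule_counts AS (
    SELECT
        E.Rule_Name,
        COUNT(E.Event_Id)             AS Number_Times_Triggered,
        COUNT(DISTINCT E.Computer_Id) AS Count_Of_Computers_That_Triggered
    FROM bit9_public.ExEvents E
    WHERE E.Rule_Name IS NOT NULL
      AND E.Updater_Name IS NULL    -- same filters as the article's query
      AND E.Indicator_Name IS NULL
    GROUP BY E.Rule_Name
)
SELECT
    Rule_Name,
    Number_Times_Triggered,
    Count_Of_Computers_That_Triggered,
    -- share of all rule-attributed events (assumed column name)
    CAST(100.0 * Number_Times_Triggered
         / SUM(Number_Times_Triggered) OVER () AS DECIMAL(5,2)) AS Pct_Of_All_Rule_Events,
    -- arbitrary thresholds; tune them to your environment
    CASE
        WHEN Count_Of_Computers_That_Triggered = 1 THEN 'single host - review scope'
        WHEN Number_Times_Triggered < 10          THEN 'low usage - candidate to retire'
        ELSE 'active'
    END AS Audit_Flag
FROM rule_counts
ORDER BY Number_Times_Triggered DESC;
```

Rules absent from the output either never triggered within the retained event history or are one of the non-reporting rule types listed under Additional Notes, so confirm against the console before retiring them.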

Additional Notes

  • Please keep in mind this will ONLY work for rules that report back into the console. A list of rule types that DO NOT report back into the console are listed below:
    1. Trusted Path Rules (these fall under execution allow rules)
    2. File Creation Control Rules
    3. Performance Optimization Rules
    4. Execution Control > Allow Rules

Creation Date: 04-05-2019