Application Control (Zero Trust)
in progress
Chris Bisnett
Many security and compliance frameworks require organizations to enable and enforce some form of Application Control and to maintain a list of organization-approved applications that can be installed and run.
In the many conversations we've had with our partners and prospects, we've found that managing Application Control and maintaining a list of approved applications is a significant burden even for larger teams and nearly impossible for small teams. The journey of starting in audit mode and building a list of approved applications and eventually getting to enforced mode is one that many folks never finish.
Our intention is to build a fully managed Application Control capability into the Huntress portal that will allow the Huntress SOC to manage and maintain lists of legitimate applications and will enable our partners to add those applications to approved lists, while maintaining a short feedback loop for end users so they don't get stuck waiting days for security approval.
This feature request will act as an umbrella for this functionality. If you are interested in helping us build this out by joining a Private Beta group, please upvote this feature request and we will email members of this group as we open up more spots in the beta.
Chris Bisnett
Merged in a post:
AppLocker and Windows Defender Application Control (WDAC) event reporting.
Brent Shore
Having the ability to monitor AppLocker and WDAC events in Huntress EDR would be extremely useful.
AppLocker
WDAC
Chris Bisnett
If the machine is set up to log these events, then they will show up in the SIEM, but only if there is an active policy (audit or enforce). By default, nothing will be logged because there are no active policies except for malicious drivers depending on your OS version and patch level. With SIEM we subscribe to these event logs.
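The dependency described in that reply (no active AppLocker or WDAC policy means no events to forward) can be checked locally before expecting anything to appear in a SIEM. The following PowerShell is an added example written for this page, not Huntress code or anything from the thread: it reports the effective AppLocker rule collections and their enforcement mode, reads the WDAC enforcement state from the Win32_DeviceGuard WMI class, and then pulls recent audit/block events from the AppLocker and CodeIntegrity event channels. Event IDs and channel names are the documented Windows ones; the 24-hour lookback window is an arbitrary default chosen here.

```powershell
# Added example for this thread (not Huntress code). Run in an elevated PowerShell
# session on Windows 10/11 or Server 2016+; Get-AppLockerPolicy -Effective needs admin.

function Get-AppControlStatus {
    # AppLocker: the effective policy merges local and GPO rule collections.
    # EnforcementMode per collection is NotConfigured, AuditOnly or Enabled.
    $appLocker = @()
    $effective = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($effective) {
        foreach ($rc in $effective.RuleCollections) {
            if ($rc.Count -gt 0) {
                $appLocker += [pscustomobject]@{
                    Collection      = $rc.RuleCollectionType
                    EnforcementMode = $rc.EnforcementMode
                    RuleCount       = $rc.Count
                }
            }
        }
    }

    # WDAC: enforcement status values are 0 = Off, 1 = Audit, 2 = Enforced.
    $modeNames = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdac = [pscustomobject]@{
        KernelModePolicy = if ($dg) { $modeNames[[int]$dg.CodeIntegrityPolicyEnforcementStatus] } else { 'Unknown' }
        UserModePolicy   = if ($dg) { $modeNames[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus] } else { 'Unknown' }
    }

    [pscustomobject]@{
        AppLockerCollections = $appLocker
        WDAC                 = $wdac
        AnyPolicyActive      = ($appLocker | Where-Object { $_.EnforcementMode -ne 'NotConfigured' }).Count -gt 0 -or
                               $wdac.KernelModePolicy -in 'Audit','Enforced' -or
                               $wdac.UserModePolicy   -in 'Audit','Enforced'
    }
}

function Get-AppControlEvents {
    param([int]$Hours = 24)   # lookback window; constructed default for this example
    $since = (Get-Date).AddHours(-$Hours)

    # AppLocker channels and IDs: 8003/8006 = audit (would have been blocked),
    # 8004/8007 = blocked. EXE and DLL vs. MSI and Script live in separate channels.
    $appLockerLogs = 'Microsoft-Windows-AppLocker/EXE and DLL',
                     'Microsoft-Windows-AppLocker/MSI and Script'
    $events = foreach ($log in $appLockerLogs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003,8004,8006,8007; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Source      = 'AppLocker'
                    TimeCreated = $_.TimeCreated
                    Id          = $_.Id
                    Verdict     = if ($_.Id -in 8003,8006) { 'Audit' } else { 'Block' }
                    Detail      = ($_.Message -split "`r?`n")[0]
                }
            }
    }

    # WDAC channel and IDs: 3076 = audit (would have been blocked), 3077 = blocked.
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
                                                Id = 3076,3077; StartTime = $since } `
                            -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Source      = 'WDAC'
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Verdict     = if ($_.Id -eq 3076) { 'Audit' } else { 'Block' }
                Detail      = ($_.Message -split "`r?`n")[0]
            }
        }

    $events | Sort-Object TimeCreated -Descending
}

# Usage: confirm a policy is active first, then look at what it has recorded.
$status = Get-AppControlStatus
$status.AppLockerCollections | Format-Table -AutoSize
$status.WDAC | Format-List
if (-not $status.AnyPolicyActive) {
    Write-Host 'No AppLocker or WDAC policy is active; these channels will stay empty until one is applied.'
}
Get-AppControlEvents -Hours 24 | Format-Table TimeCreated, Source, Id, Verdict, Detail -AutoSize
```

The AnyPolicyActive flag is the practical test for the point made in the reply: if it is false, an empty SIEM view of AppLocker/WDAC activity is expected, not a collection failure. Audit-mode events (8003/8006/3076) are what you review while building an approved-application list; block events (8004/8007/3077) only appear once a collection is set to Enabled or WDAC is Enforced.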
Chris Bisnett
in progress
David Lawrence
I think this would fall under the new SIEM. And likely one more reason for this request: https://feedback.huntress.com/siem/p/custom-alerts
Brent Shore
David Lawrence
I definitely see how this fits into the SIEM request, but I still think App Control alerts and logs should sit under EDR. You shouldn’t need a SIEM to have a centralized view of App Control alerts and logs.