Application Metering – Returning User and Computer Information and Emailing Results
Application Metering Solution provides several functions: one to monitor application usage and another to block applications from running. Even though there are many reports available out of the box, there are several gaps, and this article will hopefully fill in some of them.
I will be focusing solely on reporting and emailing denial events of applications. One of the standard reports available is the "Denial Events by Application". This can be found under the "Start-Stop-Denial Events" folder for the reporting section under Application Metering Solution. This report displays the application and the number of times it has been denied. A common request that I get is to display the computer that the event occurred on and the user that was trying to access the application. I have created a report based on the "Denial Events by Application" to allow a drill down which displays the computer, the domain, IP, the user, and the date/time the event occurred. This report is included in the files attached to this article (called "Denial Events by Application - with drill down"). Simply upload the xml file into your report folder.
Here are a couple of screenshots to illustrate:
Another common request that I get for denial events is to be able to email the event to an administrator, including the details of the computer and user that the denial occurred on. To accomplish this we will use Notification Policies. Notification Policies allow you to run one or more events, on a scheduled basis, against a query or report result. The event that I will focus on is the email event. Included in the files attached to this article is a Notification Policy that I created, which emails the denial details to an administrator. The file is called "Denial Events by Application - Notification Policy.xml". Here is the screenshot:
This Notification Policy is based on another report that I created that lists out the details of the denial event. This report can be found in the files attached to this article and is called "Denial Events - Details.xml".
If you drill down into the email event you will see the following:
If you look at the body of the email you will notice that I have placed a %Results% token. The %Results% token is useful for including the entire data set (all of the columns and rows, including the column headers) generated by the Notification Policy source. When the Notification Policy source returns a large data set, %Results% will only include the first 100,000 Bytes in the e-mail body.
Portions of the data set can be included using a data set token (%DS:<column name>%). For example, in our case we have several columns available to us, namely ProductName, DateTime, Name, Domain, IP Address, and User. The available data set tokens would then be %DS:ProductName%, %DS:IP Address%, %DS:Name%, and so on. Please note that if the result set contains multiple rows of data, but the E-mail Automated Action is configured to execute only once, the %DS:<column name>% token will only provide information for the first row, not the entire column.
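The following is an added example, not code from Altiris or from the attached files: a small Python model of the token rules described above, for previewing an email body and flagging the two cases where denial events can silently drop out of the message (the %Results% byte cap and the first-row-only behaviour of %DS:...% tokens). The function names, the tab-separated layout used for %Results%, and the sample rows are assumptions made for illustration.

```python
import re

RESULTS_LIMIT = 100_000  # byte cap on %Results% stated in the article
TOKEN = re.compile(r"%(Results|DS:([^%]+))%")

COLUMNS = ["ProductName", "DateTime", "Name", "Domain", "IP Address", "User"]
# Constructed sample rows, not output from a real Notification Server.
ROWS = [
    dict(zip(COLUMNS, ["ExampleGame", "2024-01-01 09:00", "PC-001", "EXAMPLE", "192.0.2.10", "alice"])),
    dict(zip(COLUMNS, ["ExampleGame", "2024-01-01 09:05", "PC-002", "EXAMPLE", "192.0.2.11", "bob"])),
]

def render_results(columns, rows):
    """Assumed %Results% layout: header line, then one tab-separated line per row."""
    lines = ["\t".join(columns)] + ["\t".join(str(r[c]) for c in columns) for r in rows]
    raw = "\n".join(lines).encode("utf-8")
    # errors="ignore" drops a multi-byte character cut in half by the cap
    return raw[:RESULTS_LIMIT].decode("utf-8", errors="ignore"), len(raw) > RESULTS_LIMIT

def preview(template, columns, rows):
    """Expand tokens for an email action that executes once; return (body, warnings)."""
    warnings = []

    def expand(match):
        if match.group(1) == "Results":
            text, truncated = render_results(columns, rows)
            if truncated:
                warnings.append("%Results% truncated at 100,000 bytes")
            return text
        name = match.group(2)
        if name not in columns:
            warnings.append(f"unknown column in token: {name}")
            return match.group(0)  # leave the token visible in the preview
        if len(rows) > 1:
            warnings.append(f"%DS:{name}% shows row 1 of {len(rows)} only")
        return str(rows[0][name]) if rows else ""

    return TOKEN.sub(expand, template), warnings

if __name__ == "__main__":
    body, notes = preview("Denied: %DS:ProductName% on %DS:Name% (%DS:User%)\n\n%Results%", COLUMNS, ROWS)
    print(body)
    for note in notes:
        print("WARNING:", note)
```

A warning from this preview means the email alone is not a complete record of the denials for that run, so the underlying report should be checked as well.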
Finally, I would test the Notification Policy to verify that it works by pressing the "Test Notification Policy" button at the bottom of the screen. The resulting email should look something like this:
| License: | AJSL By clicking the download link below, you agree to the terms and conditions in the Altiris Juice Software License |
| Support: | User-contributed tools on the Juice are not supported by Altiris Technical Support. If you have questions about a tool, please communicate directly with the author by visiting their profile page and clicking the 'contact' tab. |

Hi,
Great report. This is exactly what we were looking for.
However, with regards to the drill down report, it seems to list loads of results rather than simply the one denial event.
Regards Steve
Great Report...Thank You!
Thanks for saving me the time to try and figure this out.