Catch-All Policy
A useful Learning Mode Policy to set up in Production environments is called a Catch-All Policy. This type of policy will gather information on any executables in your environment that are not satisfied by other Privilege Manager policies.
These types of Catch-all monitor policies SHOULD NOT BE used for the Windows or macOS Computer Groups. Those groups apply to ALL computers in the environment, and unless a monitor policy like this is set up to work with really good allow policies in front of it, a lot of events will be sent.
- Under the Computer Group for which you want to monitor all activities, select Application Policies and click Create Policy.
- From the Policy Wizard, select Monitoring and click Next Step.
- Select Everything and click Next Step.
- Enter a name, for example Catch-all Monitor Policy.
- Click Create Policy.
- Customize the policy's Conditions, Actions, and Policy Enforcement, for example:
  - Under Applications Targeted, click Add Application Target, then search for and add Interactive Users.
  - Under Exclusions, click Edit and add LocalSystem and Service applications to the exclusion list.
  - Under Show Advanced | Policy Enforcement, set the switch for Stage 2 Processing to active and all others to inactive.
- Click Save Changes.
- Set the Inactive switch to Active.