Posts

Showing posts from November, 2020

Making Airlock Easier

We recently switched from using Microsoft's built-in application allow-listing technology, AppLocker, to a third-party product named Airlock. The reason for switching was a change Microsoft made in Intune that limited the amount of XML which could be posted for the policy config. We couldn't get around it and didn't want to switch back to using Group Policy to manage AppLocker, so we made the switch. We've been very pleased with it for several reasons, including ease of management and the speed at which policy changes apply.

We didn't like having to monitor the GUI for blocked executables and wanted to be able to quickly allow a blocked executable from our phones without having to log into the Airlock console. We ended up creating a nice solution using a combination of the following:

- Airlock RESTful API
- Syslog Collector
- Azure Sentinel SIEM
- Azure Sentinel Syslog Connector
- Azure Sentinel Playbook/Logic App

Airlock Server is configured to export Syslog events to