AppLocker Dashboard Issue - No Policy Review Data
matchstickboy opened this issue · 2 comments
Describe the bug
Dashboard is mostly working as expected, seeing Audit Events and Event Code Analysis data, but no data is displayed in Policy Review.
Expected behavior
Expect to see logged events in the Policy Review section, but only seeing "no search results returned".
App Version:
- DA-ESS-ContentUpdate: 4.33.0
Additional context
Have a single Windows server collecting forwarded AppLocker events from multiple endpoints and writing them to the "Forwarded Events" log on the server acting as the Windows Event Collector.
Splunk UF on the server has the following inputs.conf:
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = applocker
renderXml = 1
The applocker search macro definition has been set to:
index=applocker
@matchstickboy - Are you able to run the searches from the dashboard manually? I wonder if you don't have any events specific to show in your environment. Is this a live Splunk environment or a Splunk lab with AppLocker data? The dashboard works fine in our test environment!
Closing this issue due to inactivity! @matchstickboy Feel free to open this issue if the issue persists! Thank you