forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathapplocker.yml
3 lines (3 loc) · 953 Bytes
/
applocker.yml
1
2
3
definition: (source="WinEventLog:Microsoft-Windows-AppLocker/*" OR source="XmlWinEventLog:Microsoft-Windows-AppLocker/*")
description: This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events.
name: applocker