
AppLocker Dashboard Issue - No Policy Review Data

Open matchstickboy opened this issue 1 year ago • 1 comments

Describe the bug

Dashboard is mostly working as expected, seeing Audit Events and Event Code Analysis data, but no data is displayed in Policy Review.

Screen Shot Capture

Expected behavior

Expected to see logged events in the Policy Review section, but only seeing "no search results returned".

App Version:

  • DA-ESS-ContentUpdate: 4.33.0

Additional context

Have a single windows server collecting forwarded Applocker events from multiple endpoints and writing them to the "Forwarded Events" log on the server acting as the Windows Event Collector.

Splunk UF on the server has the following inputs.conf:

```ini
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = applocker
renderXml = 1
```

The applocker search macro definition has been set to: index=applocker

matchstickboy avatar Jun 22 '24 18:06 matchstickboy
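Before treating the empty Policy Review panel as a dashboard bug, it is worth confirming on the collector itself that AppLocker events are actually landing in ForwardedEvents and which event IDs are present. The following PowerShell check is an added example, not code from the issue reporter or from the security_content project. It assumes the collector's log is ForwardedEvents (as in the inputs.conf above) and that the last 7 days is a representative window; the event ID meanings are the ones Microsoft documents for the AppLocker provider. Run it in an elevated PowerShell session on the Windows Event Collector.

```powershell
# Added example (not from the issue or the security_content project).
# Run on the Windows Event Collector that writes forwarded AppLocker events to
# the ForwardedEvents log. It reports how many AppLocker events exist per event
# ID and per source host, so you can tell whether there is any policy-relevant
# data for a dashboard to show before suspecting the dashboard searches.
# Assumptions: log name 'ForwardedEvents' (as in the reporter's inputs.conf);
# a 7-day window is representative of the environment.

$Since = (Get-Date).AddDays(-7)

# AppLocker event IDs as documented by Microsoft (EXE/DLL, MSI/Script, Packaged app).
# The audit-mode IDs (8003, 8006, 8021, 8024) are the ones that only exist when a
# rule collection is in "Audit only"; enforce-mode blocks are 8004, 8007, 8022, 8025.
$AppLockerEventMeaning = @{
    8001 = 'AppLocker policy applied successfully'
    8002 = 'EXE/DLL allowed to run'
    8003 = 'EXE/DLL would have been blocked (audit mode)'
    8004 = 'EXE/DLL blocked (enforce mode)'
    8005 = 'MSI/Script allowed to run'
    8006 = 'MSI/Script would have been blocked (audit mode)'
    8007 = 'MSI/Script blocked (enforce mode)'
    8020 = 'Packaged app allowed to run'
    8021 = 'Packaged app would have been blocked (audit mode)'
    8022 = 'Packaged app blocked (enforce mode)'
    8023 = 'Packaged app installation allowed'
    8024 = 'Packaged app installation would have been blocked (audit mode)'
    8025 = 'Packaged app installation blocked (enforce mode)'
}

# Forwarded events keep their original provider, so filtering on ProviderName
# selects only AppLocker records out of everything else in ForwardedEvents.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-AppLocker'
    StartTime    = $Since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning ("No AppLocker events in ForwardedEvents since {0}. " -f $Since +
        "Check the WEF subscription and that the AppLocker channels " +
        "(EXE and DLL, MSI and Script, Packaged app-Deployment/Execution) are selected.")
    return
}

# Breakdown per event ID with a human-readable meaning.
$events |
    Group-Object Id |
    Sort-Object { [int]$_.Name } |
    ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Count   = $_.Count
            Meaning = $AppLockerEventMeaning[[int]$_.Name]
        }
    } | Format-Table -AutoSize

# Breakdown per source host: confirms that more than one endpoint is forwarding.
$events |
    Group-Object MachineName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceHost'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Show one raw event as XML. With renderXml = 1 this is the shape the UF sends to
# Splunk, so the element names here are what the dashboard searches have to match.
$events | Select-Object -First 1 | ForEach-Object { $_.ToXml() }
```

If the first table only contains 8001 (policy applied) and 8002/8005 (allowed), there is nothing for a review of audit or block decisions to display, which is a policy-configuration question rather than a dashboard one. If the audit or block IDs are present here but the panel is still empty, the next step is to run the panel's own search in Splunk against index=applocker and compare its field names with the XML printed at the end.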

@matchstickboy - Are you able to run the searches from the dashboard manually? I wonder if you don't have any specific events to show in your environment. Is this a live Splunk environment or a Splunk lab with AppLocker data? The dashboard works fine in our test environment!

patel-bhavin avatar Oct 17 '24 22:10 patel-bhavin

Closing this issue due to inactivity! @matchstickboy Feel free to reopen this issue if it persists! Thank you

patel-bhavin avatar Dec 10 '24 18:12 patel-bhavin