definition: (source="WinEventLog:Microsoft-Windows-AppLocker/*" OR source="XmlWinEventLog:Microsoft-Windows-AppLocker/*")
description: This macro simplifies searching for AppLocker events by providing a predefined source filter. AppLocker, a Windows application-control feature, lets administrators control which executables, DLLs, scripts, Windows Installer packages, and packaged apps can run. Windows writes its decisions to four event-log channels under Microsoft-Windows-AppLocker (EXE and DLL, MSI and Script, Packaged app-Deployment, Packaged app-Execution); the trailing wildcard covers all of them, and the two prefixes match the source names Splunk assigns to classic (WinEventLog:) and XML-rendered (XmlWinEventLog:) Windows event log inputs. Analysts can use the macro to monitor application-control policy activity and to investigate blocked or would-be-blocked executions and other policy violations. To adapt the macro to a customer environment, adjust the source field to match the log source or index where AppLocker events actually land (for example if they are forwarded through a collector that rewrites source), and add an index or sourcetype constraint if AppLocker logs are aggregated with other data. Note that the channels only contain events when an AppLocker policy is applied in enforce or audit mode and the Application Identity service is running; an empty result from the macro may mean AppLocker is not configured rather than that nothing was blocked.
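The source filter above is only useful once you know which event IDs inside those channels matter. The following Python is an added example (not part of the macro file or the security_content project) that mirrors the macro's wildcard source match over a handful of constructed Splunk-style events and then buckets the matches by AppLocker verdict and channel, the same triage you would do in SPL with `stats`. The event IDs (8002-8007, 8020-8025) are the documented AppLocker allow/audit/block codes; the sample events, host names, and the `triage` and `hosts_with_blocks` helpers are assumptions made for the example.

```python
import fnmatch
from collections import Counter

# Source patterns copied from the macro definition. Splunk's "*" wildcard maps
# to fnmatch's "*"; Splunk matches field values case-insensitively, so lower-case both sides.
MACRO_SOURCE_PATTERNS = (
    "WinEventLog:Microsoft-Windows-AppLocker/*",
    "XmlWinEventLog:Microsoft-Windows-AppLocker/*",
)

# Documented AppLocker decision event IDs, grouped by what they mean.
BLOCK_IDS = {8004, 8007, 8022, 8025}             # enforce mode: run/install was blocked
AUDIT_WOULD_BLOCK_IDS = {8003, 8006, 8021, 8024}  # audit-only mode: would have been blocked
ALLOW_IDS = {8002, 8005, 8020, 8023}              # explicitly allowed by policy


def matches_applocker_macro(source: str) -> bool:
    """Return True if a Splunk 'source' value would be selected by the macro."""
    src = source.lower()
    return any(fnmatch.fnmatchcase(src, p.lower()) for p in MACRO_SOURCE_PATTERNS)


def classify(event_code: int) -> str:
    if event_code in BLOCK_IDS:
        return "blocked"
    if event_code in AUDIT_WOULD_BLOCK_IDS:
        return "audit_would_block"
    if event_code in ALLOW_IDS:
        return "allowed"
    return "other"  # policy-load events (8000/8001) and anything unexpected


def triage(events):
    """Apply the macro filter, then count events by (verdict, channel)."""
    counts = Counter()
    for ev in events:
        if not matches_applocker_macro(ev["source"]):
            continue
        channel = ev["source"].split("/", 1)[1]  # text after "Microsoft-Windows-AppLocker/"
        counts[(classify(int(ev["EventCode"])), channel)] += 1
    return counts


def hosts_with_blocks(events):
    """Hosts that produced at least one enforce-mode block event."""
    return sorted({
        ev["host"] for ev in events
        if matches_applocker_macro(ev["source"]) and int(ev["EventCode"]) in BLOCK_IDS
    })


# Constructed sample events in the shape Splunk presents them (source, EventCode, host).
# The last two are deliberately outside the macro's scope and must be ignored.
SAMPLE_EVENTS = [
    {"source": "WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL", "EventCode": "8004", "host": "ws01"},
    {"source": "WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL", "EventCode": "8002", "host": "ws01"},
    {"source": "XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script", "EventCode": "8007", "host": "ws02"},
    {"source": "WinEventLog:Microsoft-Windows-AppLocker/MSI and Script", "EventCode": "8006", "host": "ws02"},
    {"source": "WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution", "EventCode": "8022", "host": "ws03"},
    {"source": "WinEventLog:Security", "EventCode": "4688", "host": "ws01"},
    {"source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1", "host": "ws01"},
]

if __name__ == "__main__":
    for (verdict, channel), n in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{verdict:18} {channel:28} {n}")
    print("hosts with blocks:", hosts_with_blocks(SAMPLE_EVENTS))
```

Running the script shows five AppLocker events surviving the filter (three blocks, one audit-mode would-block, one allow) and the Security and Sysmon events dropped. In Splunk the equivalent is the macro followed by `EventCode IN (8004, 8007, 8022, 8025)` and a `stats count by host, source`; if that returns nothing while `hosts_with_blocks`-style logic clearly should, check the source field values first, since a collector that rewrites them is the most common reason the macro silently matches nothing.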