Hello, I was curious if anyone has gotten the AppLocker event logs to show up in the SIEM? I've already downloaded the Windows Content Pack, which is supposed to include everything. I do see the new views and whatnot, and on my test server I do see the AppLocker events being written to the event log, but those events never come across to our receiver. Also, when I select "Get Logs" on my data source, it doesn't list AppLocker as one of the selectable events to pull. It's obviously supported, so am I missing something? Checked w/ McAfee support and the tech is looking into it as well, but in his test environment it did the same thing.
I ended up using the SIEM collector, thanks all.
Yes, I got AppLocker events into SIEM by using SIEM Collector to tail the events on the Windows server and forward to event.
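Before pointing a collector at the host, it is worth confirming which AppLocker channels actually exist there and that they are being written to. AppLocker does not log to the classic Application, Security or System logs; it writes to its own channels under Applications and Services Logs (Microsoft-Windows-AppLocker/...), so any collection method that only reads the three classic logs will never see these events. The script below is an added example, not code from the thread or from McAfee: run it on the test server to list each AppLocker channel's status and record count and to dump recent events. The 24-hour look-back window is an assumption; adjust it to taste.

```powershell
# Added example (not from the original thread): enumerate the AppLocker event
# channels on this host and pull recent events from them, so you can confirm the
# host is really producing AppLocker events before troubleshooting the collector.
# Note: these channels live under "Applications and Services Logs", not under the
# classic Application/Security/System logs.

# Channel name -> event IDs worth forwarding (null = take everything in the channel).
# EXE and DLL:     8002 allowed, 8003 would have been blocked (audit mode), 8004 blocked
# MSI and Script:  8005 allowed, 8006 would have been blocked (audit mode), 8007 blocked
$appLockerChannels = [ordered]@{
    'Microsoft-Windows-AppLocker/EXE and DLL'              = @(8002, 8003, 8004)
    'Microsoft-Windows-AppLocker/MSI and Script'           = @(8005, 8006, 8007)
    'Microsoft-Windows-AppLocker/Packaged app-Deployment'  = $null
    'Microsoft-Windows-AppLocker/Packaged app-Execution'   = $null
}

# Assumed look-back window; change as needed.
$since = (Get-Date).AddHours(-24)

foreach ($logName in $appLockerChannels.Keys) {
    # Step 1: does the channel exist, is it enabled, and does it hold any records?
    $chan = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
    if (-not $chan) {
        Write-Warning "Channel '$logName' is not present on this host"
        continue
    }
    "{0}: enabled={1}, records={2}, maxsize={3} bytes" -f $logName, $chan.IsEnabled, $chan.RecordCount, $chan.MaximumSizeInBytes

    # Step 2: pull recent events, filtered to the IDs a SIEM rule would care about.
    $filter = @{ LogName = $logName; StartTime = $since }
    if ($appLockerChannels[$logName]) { $filter['Id'] = $appLockerChannels[$logName] }

    # Get-WinEvent raises an error when nothing matches; suppress it and just emit nothing.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The first line of Message names the file and the rule that matched it.
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Channel     = $logName
            Id          = $e.Id
            Computer    = $e.MachineName
            Summary     = ($e.Message -split "`r?`n")[0]
        }
    }
}
```

If the channels show records but the SIEM still sees nothing, the gap is in collection, not in AppLocker: whatever agent or forwarder you use has to be subscribed to these specific channel names, not just the classic logs. If a channel shows zero records after you have run something that should be logged, check that the AppLocker policy is actually applied and that the Application Identity service is running on the host.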
Check this KB to get the event logs via WMI.
https://kc.mcafee.com/corporate/index?page=content&id=KB56436