WEM AppLocker Report parsing

As I set up AppLocker via WEM for clients, I have been looking for a good way to parse all of the audited events so that I can add wanted items to the AppLocker rules before switching the rules over to blocking.

With the help of Copilot AI, as I don’t write code well, I was able to create the following PowerShell script. With it you can take the report.csv from the WEM Web Console, and from it gather EXE, DLL, or PS1 hits for easier review.

I did some output tweaking to get better pathing from the report, and also to exclude the PowerShell AppLocker testing entries to make it easier to read.

Like always, please let me know if there are any modifications you think could make this better.
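
An added sketch of the kind of filtering described above; it is not the author's script. The function name, the `FilePath` column header and the sample rows are assumptions, so match the header to what your report.csv actually contains. It also assumes the "testing entries" are the `__PSScriptPolicyTest_*` temp files PowerShell creates to probe the policy, and that "better pathing" means collapsing per-user profile paths.

```powershell
# Added example, not the original script. -PathColumn is an assumed header name.
function Get-AppLockerAuditSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string]   $PathColumn = 'FilePath',
        [string[]] $Extensions = @('.exe', '.dll', '.ps1')
    )
    $Rows |
        ForEach-Object {
            $p = [string]$_.$PathColumn
            # Collapse per-user profile roots so one file seen under many users groups together.
            $p = $p -replace '^(?:[A-Z]:|%OSDRIVE%)\\Users\\[^\\]+', '%USERPROFILE%'
            [pscustomobject]@{
                Path      = $p
                Extension = [System.IO.Path]::GetExtension($p).ToLowerInvariant()
            }
        } |
        Where-Object { $_.Extension -in $Extensions } |
        # Drop PowerShell's own policy-probe temp files; they are noise, not rule candidates.
        Where-Object { $_.Path -notmatch '__PSScriptPolicyTest_' } |
        Group-Object Extension, Path |
        ForEach-Object {
            [pscustomobject]@{
                Extension = $_.Group[0].Extension
                Hits      = $_.Count
                Path      = $_.Group[0].Path
            }
        } |
        Sort-Object Extension, @{ Expression = 'Hits'; Descending = $true }
}

# Constructed sample rows standing in for: Import-Csv .\report.csv
$sample = @'
FilePath,User
C:\Users\alice\AppData\Local\Vendor\app.exe,alice
C:\Users\bob\AppData\Local\Vendor\app.exe,bob
C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.efg.ps1,alice
C:\ProgramData\Tool\helper.dll,bob
C:\Scripts\logon.ps1,alice
'@ | ConvertFrom-Csv

Get-AppLockerAuditSummary -Rows $sample | Format-Table -AutoSize
```

Paths under user-writable locations such as `%USERPROFILE%` deserve a closer look before they become allow rules; a publisher or hash rule is usually a tighter fit there than a path rule.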
