Dashboard issues with "[Windows AppLocker] Audited and Blocked Applications" dashboard as provided by "Windows" integration 1.44.1

[eriroley]

there appears to be an insufficient filter on the "Top File names by Application Execution Count" (especially since I only have a single host that is reporting AppLocker events right now)

When I examine the data in Discover, I see that it is looking in logs-* for "File.name":*

I suggest adding the filter for "event.provider:Microsoft-Windows-Applocker" (which I had to edit in Lens)

A similar filter probably needs to be added to file publishers based on FQBN by application execution count, and honestly, probably all of the panels

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[jamiehynds]

@nicpenning is this something you've seen with the AppDocker dashboards you created awhile back?

[eriroley]

@jamiehynds yesterday on Slack @nicpenning provided a quick workaround, but indicated that it should be an easy fix

Including the workaround here for documentation, and in case anybody else runs into this:
"As a work around - You can add that dataset as a filter in the dashboard for search (temporarily) since you can't save the dashboard." (referencing "event.provider : Microsoft-Windows-Applocker")

[nicpenning]

@jamiehynds No I didnt see this awhile back, but this was a good catch. I can try and find the time to correct this and send out the PR.

[nicpenning]

@eriroley - new package for this should be available. Please let us know if the issue persists!