App Control: How Can I Audit for Rules Usage in App Control?
App Control: All Supported Versions
Microsoft SQL: All Supported Versions
Is there a SQL script that can be run against the DAS database to show which rules are triggered most frequently versus those that are not?
There is a SQL script that can be run against the DAS database that shows which rules are used most frequently versus those that are used less frequently or not at all. Additionally, it shows a count of computers that triggered each rule. This is a good script to run when conducting rule audits, etc.
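1. Run the below SQL query against the DAS database in SQL Management Studio:
select E.Rule_Name,
count( E.Event_Id ) as 'Number_Times_Triggered',
count( distinct E.Computer_Id ) as 'Count_Of_Computers_That_Triggered'
from <events_source> E -- placeholder: the source table or view name is not shown on this page
where
E.Rule_Name is not null and
E.Updater_Name is null and
E.Indicator_Name is null
group by E.Rule_Name
order by count( E.Event_Id ) desc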
2. When the query completes, it is best to export the results to CSV format. This is accomplished within SQL Management Studio by selecting "Results to Grid".
Please keep in mind this will ONLY work for rules that report back into the console. Rule types that DO NOT report back into the console are listed below:
Trusted Path Rules (these fall under execution allow rules)
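For the audit itself, the exported CSV can be compared against a list of configured rules so that rule types which never report are not mistaken for unused rules. This is an added example, not part of the original article or the product; the inventory mapping, the "Trusted Path" type label, the thresholds, the status names and the presence of a header row in the export are assumptions.

```python
import csv
import io

# Rule types the article lists as not reporting to the console: a zero count
# for these does not mean the rule is unused. The label is a constructed one.
NON_REPORTING_TYPES = {"Trusted Path"}

def audit_rules(export_csv, inventory, low_threshold=5):
    """Classify rules using the query's CSV export.
    export_csv: CSV text with a header row named after the query's columns.
    inventory:  {rule_name: rule_type}, a hypothetical list of configured rules.
    Returns {rule_name: (status, times_triggered, computers)}.
    """
    counts = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        counts[row["Rule_Name"]] = (
            int(row["Number_Times_Triggered"]),
            int(row["Count_Of_Computers_That_Triggered"]),
        )
    report = {}
    for name, rule_type in inventory.items():
        hits, computers = counts.get(name, (0, 0))
        if rule_type in NON_REPORTING_TYPES:
            status = "not-measurable"   # no events expected, keep out of cleanup lists
        elif hits == 0:
            status = "unused"
        elif hits < low_threshold or computers == 1:
            status = "rare"             # heuristic: few hits or a single computer
        else:
            status = "active"
        report[name] = (status, hits, computers)
    # Rules present in the export but missing from the inventory are kept separate.
    for name, (hits, computers) in counts.items():
        report.setdefault(name, ("not-in-inventory", hits, computers))
    return report

# Constructed sample data, not taken from a real console.
SAMPLE_EXPORT = """Rule_Name,Number_Times_Triggered,Count_Of_Computers_That_Triggered
Block temp executables,1520,87
Allow build tools,3,1
Legacy installer rule,40,1
Old deleted rule,12,4
"""
SAMPLE_INVENTORY = {
    "Block temp executables": "Custom", "Allow build tools": "Custom",
    "Legacy installer rule": "Custom", "Report on scripts": "Custom",
    "Trusted share": "Trusted Path",
}
```

Calling `audit_rules(SAMPLE_EXPORT, SAMPLE_INVENTORY)` returns one entry per rule; only rules marked `unused` are candidates for removal, while `not-measurable` rules need a different check.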