MDE-WDAC Events
// Reference to WDAC related ActionTypes https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/querying-application-control-events-centrally-using-advanced-hunting
//
DeviceEvents
| where ActionType == 'AppControlCodeIntegrityPolicyBlocked'
| summarize count() by DeviceName
// other fields that may be interesting
//DeviceId, // the device ID where the audit block happened
//Timestamp, // The event creation timestamp
//FileName, // The audit blocked app's filename
//FolderPath, // The audit blocked app's system path without the FileName
//InitiatingProcessFileName, // The file name of the parent process loading the executable
//InitiatingProcessVersionInfoOriginalFileName, // The original file name of the parent process loading the executable
//InitiatingProcessSHA256, // The SHA256 flat hash of the parent process loading the executable
//ReportId, // The report ID - randomly generated by MDE AH
//AdditionalFields // Additional fields contains FQBN for signed binaries. These contain the CN of the leaf certificate, product name, original filename and version of the audited binary
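An added triage query (not part of the original file) that turns the field list above into something runnable in the MDE Advanced Hunting console: it pulls both audited and enforced WDAC events, parses the FQBN out of AdditionalFields, and ranks the affected binaries by how many devices they touched. The JSON key name FQBN inside AdditionalFields and the ActionType value AppControlCodeIntegrityPolicyAudited are assumptions based on the comment above and the linked Microsoft reference.

```kql
// Added example, not the original file's code. Assumes the FQBN string is stored
// under a key named "FQBN" inside the AdditionalFields JSON (see comment above).
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ('AppControlCodeIntegrityPolicyAudited',
                       'AppControlCodeIntegrityPolicyBlocked')
| extend ParsedFields = parse_json(AdditionalFields)
| extend FQBN = tostring(ParsedFields.FQBN)
// FQBN is backslash separated: signer, product name, then "filename,version".
// Keep only the signer part; unsigned binaries have no FQBN at all.
| extend Signer = iif(isempty(FQBN), 'unsigned', tostring(split(FQBN, @'\')[0]))
| summarize Events    = count(),
            Devices   = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Parents   = make_set(InitiatingProcessFileName, 10)
         by ActionType, FileName, FolderPath, Signer
| order by Devices desc, Events desc
```

Rows with many devices and a well-known Signer are usually policy gaps to fix with a publisher or path rule; rows with few devices and an unsigned binary are the ones worth pulling the InitiatingProcessSHA256 and ReportId for.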