MicrosoftDocs / WDAC-Toolkit

Documentation and tools to access Windows Defender Application Control (WDAC) technology.
Creative Commons Attribution 4.0 International

Update Advanced Hunting Query #420

Closed JackStuart closed 5 days ago

JackStuart commented 1 week ago

I have updated the Advanced Hunting query to be more specific and also detect events that aren't being collected by the current query.

Missed Events

As per https://github.com/MicrosoftDocs/WDAC-Toolkit/blob/fd87c779d1cc06d7207e5c0502a810f2c08d89cc/WDAC-Policy-Wizard/app/src/AdvancedHunting.cs#L16-17, there are events starting with "AppControlCIScript" which wouldn't be picked up, as the current query specifies `startswith 'AppControlCodeIntegrity'`.

Extra Events

As per the below link, there are extra events being picked up which the WDAC Wizard doesn't need:

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting#action-types

Misc Notes

If this PR is accepted, the docs at MS should also be updated: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard-parsing-event-logs#mde-advanced-hunting-app-control-event-parsing
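To illustrate the two problems the PR describes, here is the prefix-only filter beside an explicit allowlist form. This is an added example, not the PR's diff or the Wizard's own query; the four ActionType values are real Defender for Endpoint action types, but the assumption that these are exactly the ones the Wizard parses is mine, not something the PR states.

```kql
// Prefix-only filter (the shape the PR is fixing).
// Misses every AppControlCIScript* event and also returns
// AppControlCodeIntegrity* events the Wizard does not parse.
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, AdditionalFields

// Explicit allowlist: names each audit/block event the parser consumes,
// so script/MSI CI events are included and unrelated events are dropped.
// Which ActionTypes the Wizard needs is an assumption here.
DeviceEvents
| where ActionType in (
    "AppControlCodeIntegrityPolicyAudited",
    "AppControlCodeIntegrityPolicyBlocked",
    "AppControlCIScriptAudited",
    "AppControlCIScriptBlocked")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, AdditionalFields
```

Running both over the same time window and comparing distinct ActionType values is a quick check that the allowlist neither drops events the parser needs nor pulls in ones it ignores.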

JackStuart commented 1 week ago

@microsoft-github-policy-service agree

JackStuart commented 1 week ago

Reordering the columns wasn't supposed to be in this commit

jgeurten commented 5 days ago

This looks great. Thanks for your help on this. I will update the MS Learn doc to reflect these changes