Event
19 Nov, 23 - 21 Nov, 23
Get the competitive edge you need with powerful AI and Cloud solutions by attending Microsoft Ignite online.
Register now
An App Control for Business policy logs events locally in Windows Event Viewer in either enforced or audit mode. While Event Viewer helps to see the impact on a single system, IT Pros want to gauge it across many systems.
In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view App Control events centrally from all connected systems.
Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. App Control events can be queried using an ActionType that starts with "AppControl". This capability is supported beginning with Windows version 1607.
| ActionType Name | ETW Source Event ID | Description |
|---|---|---|
| AppControlCodeIntegrityDriverRevoked | 3023 | The driver file under validation didn't meet the requirements to pass the App Control policy. |
| AppControlCodeIntegrityImageRevoked | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
| AppControlCodeIntegrityPolicyAudited | 3076 | This event is the main App Control for Business block event for audit mode policies. It indicates the file would have been blocked if the App Control policy was enforced. |
| AppControlCodeIntegrityPolicyBlocked | 3077 | This event is the main App Control for Business block event for enforced policies. It indicates the file didn't pass your App Control policy and was blocked. |
| AppControlExecutableAudited | 8003 | Applied only when the Audit only enforcement mode is enabled. Specifies the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled. |
| AppControlExecutableBlocked | 8004 | The .exe or .dll file can't run. |
| AppControlPackagedAppAudited | 8021 | Applied only when the Audit only enforcement mode is enabled. Specifies the packaged app would be blocked if the Enforce rules enforcement mode were enabled. |
| AppControlPackagedAppBlocked | 8022 | The packaged app was blocked by the policy. |
| AppControlScriptAudited | 8006 | Applied only when the Audit only enforcement mode is enabled. Specifies the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled. |
| AppControlScriptBlocked | 8007 | Access to file name is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run. |
| AppControlCIScriptAudited | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. |
| AppControlCIScriptBlocked | 8029 | Block script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. |
| AppControlCodeIntegrityOriginAllowed | 3090 | File was allowed due to good reputation (ISG) or installation source (managed installer). |
| AppControlCodeIntegrityOriginAudited | 3091 | Reputation (ISG) and installation source (managed installer) information for an audited file. |
| AppControlCodeIntegrityOriginBlocked | 3092 | Reputation (ISG) and installation source (managed installer) information for a blocked file. |
| AppControlCodeIntegrityPolicyLoaded | 3099 | Indicates a policy has been successfully loaded. |
| AppControlCodeIntegritySigningInformation | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. |
| AppControlPolicyApplied | 8001 | Indicates the AppLocker policy was successfully applied to the computer. |
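The ActionType names in the table follow a consistent suffix convention (Audited, Blocked, Revoked, Allowed), which is enough to group events by outcome without listing every event ID. The following query is an added example, not from the page, that uses that convention to give a per-device picture of whether App Control is currently generating audit-mode or enforced-mode block events. The inferred Mode column is a heuristic: a device can legitimately show both outcomes if it runs more than one policy (for example, one enforced base policy and one supplemental policy in audit mode) or if its policy mode changed within the lookback window, so treat "Mixed" as something to inspect rather than an error.

```kusto
// Added example, not from the original page: summarize App Control
// outcomes per device over the last seven days using the ActionType
// naming convention from the table above.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "AppControl"
// Map each ActionType to an outcome from its suffix
| extend Outcome = case(
    ActionType endswith "Audited", "Audit",
    ActionType endswith "Blocked" or ActionType endswith "Revoked", "Block",
    ActionType endswith "Allowed", "Allow",
    "Info")
| summarize
    AuditEvents    = countif(Outcome == "Audit"),
    BlockEvents    = countif(Outcome == "Block"),
    AllowEvents    = countif(Outcome == "Allow"),
    PoliciesLoaded = countif(ActionType == "AppControlCodeIntegrityPolicyLoaded"),
    LastEvent      = max(Timestamp),
    ActionTypes    = make_set(ActionType)
  by DeviceId, DeviceName
// Heuristic mode inference; "Mixed" deserves a closer look (multiple policies
// or a mode change during the lookback window)
| extend Mode = case(
    BlockEvents > 0 and AuditEvents == 0, "Enforced",
    AuditEvents > 0 and BlockEvents == 0, "Audit",
    AuditEvents > 0 and BlockEvents > 0, "Mixed",
    "No audit/block events")
| project DeviceName, DeviceId, Mode, AuditEvents, BlockEvents, AllowEvents,
          PoliciesLoaded, LastEvent, ActionTypes
| order by AuditEvents desc, BlockEvents desc
```

Sorting by AuditEvents first surfaces the devices where an audit-mode policy would cause the most disruption if switched to enforcement, which is the set worth reviewing before a mode change.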
Learn more in Understanding App Control event IDs (Windows).
Query Example 1: Query the App Control action types summarized by type for the past seven days
Here's a simple example query that shows all the App Control for Business events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
```kusto
DeviceEvents
| where Timestamp > ago(7d) and
    ActionType startswith "AppControl"
| summarize Machines=dcount(DeviceName) by ActionType
| order by Machines desc
```
The query results can be used for several important functions related to managing App Control for Business including:
Query Example 2: Query to determine audit blocks in the past seven days
```kusto
DeviceEvents
| where ActionType startswith "AppControlExecutableAudited"
| where Timestamp > ago(7d)
| project DeviceId, // the device ID where the audit block happened
    FileName, // The audit blocked app's filename
    FolderPath, // The audit blocked app's system path without the FileName
    InitiatingProcessFileName, // The file name of the parent process loading the executable
    InitiatingProcessVersionInfoCompanyName, // The company name of the parent process loading the executable
    InitiatingProcessVersionInfoOriginalFileName, // The original file name of the parent process loading the executable
    InitiatingProcessVersionInfoProductName, // The product name of the parent process loading the executable
    InitiatingProcessSHA256, // The SHA256 flat hash of the parent process loading the executable
    Timestamp, // The event creation timestamp
    ReportId, // The report ID - randomly generated by MDE AH
    InitiatingProcessVersionInfoProductVersion, // The product version of the parent process loading the executable
    InitiatingProcessVersionInfoFileDescription, // The file description of the parent process loading the executable
    AdditionalFields // Additional fields contains FQBN for signed binaries. These contain the CN of the leaf certificate, product name, original filename and version of the audited binary
```
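Query Example 2 returns one row per audit event, which is hard to act on at fleet scale. The query below is an added example, not from the page, that aggregates those rows into one line per distinct file and publisher so you can see how many devices would be affected by each would-be block before enforcing the policy. It assumes the FQBN described in the AdditionalFields comment is stored under a JSON key named FQBN (an assumption; check the raw AdditionalFields value in your tenant and adjust the key) and that the FQBN's first backslash-separated segment is the signer subject, so unsigned files fall into an "(unsigned or no FQBN)" bucket.

```kusto
// Added example, not from the original page: aggregate audit-mode blocks
// by file and publisher to prioritize policy rules before enforcement.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("AppControlExecutableAudited",
                       "AppControlCodeIntegrityPolicyAudited",
                       "AppControlScriptAudited",
                       "AppControlPackagedAppAudited")
| extend Fields = parse_json(AdditionalFields)
// Assumed key name; verify against a raw AdditionalFields value in your tenant
| extend FQBN = tostring(Fields.FQBN)
// First backslash-separated segment of the FQBN is treated as the signer subject
| extend Publisher = iff(isnotempty(FQBN),
                         tostring(split(FQBN, "\\")[0]),
                         "(unsigned or no FQBN)")
| summarize
    Devices   = dcount(DeviceId),
    Events    = count(),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Parents   = make_set(InitiatingProcessFileName, 5),
    Types     = make_set(ActionType)
  by FolderPath, FileName, Publisher
| order by Devices desc, Events desc
```

Rows with a non-empty Publisher are candidates for publisher-based allow rules covering many files at once; rows in the unsigned bucket need a hash, path, or managed-installer decision, and the Parents column helps distinguish user-launched software from installers or updaters.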