From c80ce4b2ef37a90787510f7636a789303f2768ec Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 4 Dec 2018 15:57:54 -0800 Subject: [PATCH 1/5] added new topic --- .../TOC.md | 1 + ...ents-centrally-using-advanced-hunting .md | 39 +++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 123f439d6f..f64e8a8949 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -22,6 +22,7 @@ ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) +### [Query WDAC events with Advanved hunting](querying-application-control-events-centrally-using-advanced-hunting.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) 
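Review bot: The TOC entry added in this hunk links to `querying-application-control-events-centrally-using-advanced-hunting.md`, but the file this same patch creates is named `querying-application-control-events-centrally-using-advanced-hunting .md` with a space before the extension (see the `create mode 100644` line in the patch header), so the new link will not resolve; rename the created file to match the link target. The link text also misspells "Advanved hunting"; it should read "Advanced hunting".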
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md new file mode 100644 index 0000000000..b1018f5e79 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md 
@@ -0,0 +1,39 @@ +--- +title: Querying Application Control events centrally using Advanced hunting (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: mdsakibMSFT +ms.author: justinha +ms.date: 12/06/2018 +--- + +# Querying Application Control events centrally using Advanced hunting + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. +While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. + +In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. + +Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. +This capability is supported beginning with Windows version 1607. + +Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP: + +``` +MiscEvents +| where EventTime > ago(7d) and +ActionType startswith "AppControl" +| summarize Machines=dcount(ComputerName) by ActionType +| order by Machines desc +``` + +The query results can be used for several important functions related to managing WDAC including: + +- Assessing the impact of deploying policies in audit mode + Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. 
Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode. +- Monitoring blocks from policies in enforced mode + Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. From 97054d06388ad3397131aca3d1f89c03aeb8a7c1 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 4 Dec 2018 17:00:21 -0800 Subject: [PATCH 2/5] fixed toc --- .../windows-defender-application-control/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index f64e8a8949..8b71416a15 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md 
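Review bot: The front matter `description` in the new-file hunk describes Windows Defender Application Guard ("how it helps to combat malicious content and malware out on the Internet"), which is a different feature from the Windows Defender Application Control topic this page is about; replace it with a one-line summary of querying WDAC events centrally through Advanced hunting so search results and the page abstract are not misleading. Two smaller points in the same hunk: "WDAC events can be queried with using an ActionType" should drop either "with" or "using", and the example query fence carries no language tag, so the KQL will render as plain text; tag the fence with the query language.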
@@ -22,7 +22,7 @@ ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) -### [Query WDAC events with Advanved hunting](querying-application-control-events-centrally-using-advanced-hunting.md) +### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) From 33ef33d86000ec2f4e882ae1c0f745e1770c0884 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 5 Dec 2018 09:57:15 -0800 Subject: [PATCH 3/5] renamed file --- ...pplication-control-events-centrally-using-advanced-hunting.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/windows-defender-application-control/{querying-application-control-events-centrally-using-advanced-hunting .md => querying-application-control-events-centrally-using-advanced-hunting.md} (100%) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md similarity index 100% rename from windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md rename to windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md From 5dfc04bc0e6769d5ecab690777fbe28319d72bad Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 5 Dec 2018 10:16:05 -0800 Subject: [PATCH 4/5] edit --- ...ents-centrally-using-advanced-hunting .md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md new file mode 100644 index 0000000000..b1018f5e79 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md 
@@ -0,0 +1,39 @@ +--- +title: Querying Application Control events centrally using Advanced hunting (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: mdsakibMSFT +ms.author: justinha +ms.date: 12/06/2018 +--- + +# Querying Application Control events centrally using Advanced hunting + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. +While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. + +In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. + +Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. +This capability is supported beginning with Windows version 1607. + +Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP: + +``` +MiscEvents +| where EventTime > ago(7d) and +ActionType startswith "AppControl" +| summarize Machines=dcount(ComputerName) by ActionType +| order by Machines desc +``` + +The query results can be used for several important functions related to managing WDAC including: + +- Assessing the impact of deploying policies in audit mode + Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. 
Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode. +- Monitoring blocks from policies in enforced mode + Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. From 5db7f3191fd6476f7d6b082b8d53ce6d97200948 Mon Sep 17 00:00:00 2001 From: Junkui Chen Date: Wed, 5 Dec 2018 20:32:17 +0000 Subject: [PATCH 5/5] Merged PR 13093: Updated docfx.json to remove *.json. Updated docfx.json to remove *.json. 1. there is no json file need to publish 2. will cause op publish temporary files. --- education/docfx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/docfx.json b/education/docfx.json index c01be28758..227546b56a 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ],
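Review bot: Patch 4/5 re-creates `querying-application-control-events-centrally-using-advanced-hunting .md` (the trailing-space name, same blob `b1018f5e79` as in 1/5) after patch 3/5 renamed that file to `querying-application-control-events-centrally-using-advanced-hunting.md`, so applying the series leaves two identical copies of the topic, only one of which the TOC links to. Drop 4/5 from the series, since its content is already present from 1/5, or squash 1/5, 3/5 and 4/5 into a single commit that creates the correctly named file once.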