From 5f26d35c1e4863bfab57c196c6be03170fa85ecc Mon Sep 17 00:00:00 2001 From: Bella Brahm Date: Tue, 17 Mar 2020 11:33:50 -0700 Subject: [PATCH] Add Event IDs docs page WDAC event descriptions are not documented currently --- .../event-id-explanations.md | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md new file mode 100644 index 0000000000..182c28dedc --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -0,0 +1,80 @@ +--- +title: Understanding Application Control events (Windows 10) +description: Learn what different Windows Defender Application Control events signify. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 3/17/2020 +--- + +# Understanding Application Control events + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: + +1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## Microsoft Windows CodeIntegrity Operational log event IDs + +| Event ID | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3076 | Audit executable/dll file | +| 3077 | Block executable/dll file | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | +| 3099 | Indicates that a policy has been loaded | + +## Microsoft Windows Applocker MSI and Script log event IDs + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +| 8029 | Block script/MSI file | +| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | | + +## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events + +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. 
+ +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3090 | Allow executable/dll file | +| 3091 | Audit executable/dll file | +| 3092 | Block executable/dll file | + +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. + +### SmartLocker template + +Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. + +| Name | Explanation | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. 
| +| ManagedInstallerEnabled | Policy trusts a MI | +| PassesManagedInstaller | File originated from a trusted MI | +| SmartlockerEnabled | Policy trusts the ISG | +| PassesSmartlocker | File had positive reputation | +| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | + +### Enabling ISG and MI diagnostic events + +In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: + + ```powershell + reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 + ``` +In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: + + ```powershell + reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 + ```
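Review bot: The two `reg add` commands at the end of this hunk will prompt "Value TestFlags exists, overwrite (Yes/No)?" once the value already exists, which is exactly the situation a reader is in after running the first command and then the second; add `/f` to both so they run non-interactively, and use reg.exe's documented switch form (`/v TestFlags /t REG_DWORD /d 0x300`) rather than the dash aliases, e.g. `reg add hklm\system\currentcontrolset\control\ci /v TestFlags /t REG_DWORD /d 0x300 /f`. The surrounding text also calls TestFlags a "regkey"; it is a REG_DWORD value under the `CI` key, and saying so avoids confusion when readers look for it in the registry editor. Two smaller points in the same hunk: the 8038 row in the AppLocker MSI and Script table ends with `| |`, an extra empty cell that gives that row one more column than the header and will misrender; and the heading spells the log "Applocker" while the list item above spells it "AppLocker", so pick one (the product name is AppLocker).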