From 82eb5fd8291776cc8f55b12945ef971fa1738ce2 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Fri, 11 Feb 2022 17:37:33 -0800
Subject: [PATCH] Added action types table and queries 1 & 2
---
 ...events-centrally-using-advanced-hunting.md | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index f5f01d8caa..c64a55680f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -28,6 +28,18 @@ In November 2018, we added functionality in Microsoft Defender for Endpoint that
 Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. This capability is supported beginning with Windows version 1607.
+## Action Types
+
+| ActionType Name | Description |
+| - | - |
+| AppControlPolicyApplied | WDAC policy successfully deployed event |
+| AppControlExecutableAudited | WDAC policy user mode binary audited |
+| AppControlCodeIntegritySigningInformation | WDAC policy user mode binary audit event associated signing information |
+| AppControlCodeIntegrityPolicyAudited | |
+| AppControlCodeIntegrityOriginAudited | The user mode binary would have been blocked because of managed installer or the reputation returned by ISG. Since the policy is in audit mode, the app was allowed to run |
+| AppControlCodeIntegrityOriginAllowed | The user mode binary was allowed because of managed installer or the reputation returned by ISG |
+| AppControlCIScriptAudited | The script would have been blocked by WDAC. Since the policy is in audit mode, the app was allowed to run |
+
 Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
 ```
@@ -44,3 +56,35 @@ The query results can be used for several important functions related to managin
 Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
 - Monitoring blocks from policies in enforced mode
 Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation.
+
+Query Example 1:
+Context: Query the application control action types summarized by type for past 7 days
+```
+DeviceEvents
+| where Timestamp > ago(7d)
+| where ActionType startswith "AppControl"
+| summarize Count = count() by ActionType
+| order by Count desc
+```
+
+Query Example #2:
+
+Context: Query to determine audit blocks in the past 7 days
+```
+DeviceEvents
+| where ActionType startswith "AppControlExecutableAudited"
+| where Timestamp > ago(7d)
+|project DeviceId, // the device ID where the audit block happened
+FileName, // The audit blocked app's filename
+FolderPath, // The audit blocked app's device path
+InitiatingProcessFileName, // The file name of the parent process loading the executable
+InitiatingProcessVersionInfoCompanyName, // The company name of the parent process loading the executable
+InitiatingProcessVersionInfoOriginalFileName, // The original file name of the parent process loading the executable
+InitiatingProcessVersionInfoProductName, // The product name of the parent process loading the executable
+InitiatingProcessSHA256, // The SHA256 of the parent process loading the executable
+Timestamp, // The timestamp
+ReportId, // The report ID
+InitiatingProcessVersionInfoProductVersion, // The product version of the parent process loading the executable
+InitiatingProcessVersionInfoFileDescription, // The file description of the parent process loading the executable
+AdditionalFields
+```
\ No newline at end of file