Merged PR 13170: added new topic

added new topic

windows/security/threat-protection/windows-defender-application-control/TOC.md

@@ -22,6 +22,7 @@
 ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
 ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
 ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
+### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
 ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
 #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
 #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)

windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md

@@ -0,0 +1,39 @@
+---
+title: Querying Application Control events centrally using Advanced hunting   (Windows 10)
+description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: mdsakibMSFT
+ms.author: justinha
+ms.date: 12/06/2018
+---
+
+# Querying Application Control events centrally using Advanced hunting  
+
+A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. 
+While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. 
+
+In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. 
+
+Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. 
+This capability is supported beginning with Windows version 1607.
+
+Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP:
+
+```
+MiscEvents
+| where EventTime > ago(7d) and
+ActionType startswith "AppControl"
+| summarize Machines=dcount(ComputerName) by ActionType
+| order by Machines desc
+```
+
+The query results can be used for several important functions related to managing WDAC including:
+
+- Assessing the impact of deploying policies in audit mode 
+  Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
+- Monitoring blocks from policies in enforced mode
+  Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. 

windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md

@@ -0,0 +1,39 @@
+---
+title: Querying Application Control events centrally using Advanced hunting   (Windows 10)
+description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: mdsakibMSFT
+ms.author: justinha
+ms.date: 12/06/2018
+---
+
+# Querying Application Control events centrally using Advanced hunting  
+
+A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. 
+While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. 
+
+In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. 
+
+Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. 
+This capability is supported beginning with Windows version 1607.
+
+Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP:
+
+```
+MiscEvents
+| where EventTime > ago(7d) and
+ActionType startswith "AppControl"
+| summarize Machines=dcount(ComputerName) by ActionType
+| order by Machines desc
+```
+
+The query results can be used for several important functions related to managing WDAC including:
+
+- Assessing the impact of deploying policies in audit mode 
+  Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
+- Monitoring blocks from policies in enforced mode
+  Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation.