deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 13:53:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update WDAC hunting query

Browse Source 
Existing query does not appear to work within WDATP Advanced hunting, this updates the query to return the expected result.
This commit is contained in:
Ben McGarry
2020-08-24 15:06:41 +01:00
committed by GitHub
parent bf27feee14
commit 8d5aefa6bf
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
View File

@ -30,10 +30,10 @@ This capability is supported beginning with Windows version 1607.
Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender ATP:
```
MiscEvents
| where EventTime > ago(7d) and
DeviceEvents
| where Timestamp > ago(7d) and
ActionType startswith "AppControl"
| summarize Machines=dcount(ComputerName) by ActionType
| summarize Machines=dcount(DeviceName) by ActionType
| order by Machines desc
```