Update querying-application-control-events-centrally-using-advanced-hunting.md

windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md

@@ -20,25 +20,39 @@ ms.technology: windows-sec
 
 # Querying Application Control events centrally using Advanced hunting  
 
-A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. 
+A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
-While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. 
+While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems.
 
-In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view WDAC events centrally from all systems that are connected to Defender for Endpoint. 
+In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view WDAC events centrally from all systems that are connected to Defender for Endpoint.
 
-Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. 
+Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”.
 This capability is supported beginning with Windows version 1607.
 
 ## Action Types
 
-| ActionType Name | Description |
+| ActionType Name | ETW Source Event ID | Description |
-| - | - |
+| - | - | - |
-| AppControlPolicyApplied | WDAC policy successfully deployed event |
+| AppControlCodeIntegrityDriverRevoked | 3023 | The driver file under validation did not meet the requirements to pass the application control policy. |
-| AppControlExecutableAudited | WDAC policy user mode binary audited |
+| AppControlCodeIntegrityImageRevoked | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
-| AppControlCodeIntegritySigningInformation | WDAC policy user mode binary audit event associated signing information |
+| AppControlCodeIntegrityPolicyAudited | 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. |
-| AppControlCodeIntegrityPolicyAudited |  |
+| AppControlCodeIntegrityPolicyBlocked | 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. |
-| AppControlCodeIntegrityOriginAudited | The user mode binary would have been blocked because of managed installer or the reputation returned by ISG. Since the policy is in audit mode, the app was allowed to run |
+| AppControlExecutableAudited | 8003 | Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled. |
-| AppControlCodeIntegrityOriginAllowed | The user mode binary was allowed because of managed installer or the reputation returned by ISG |
+| AppControlExecutableBlocked | 8004 | The .exe or .dll file cannot run. |
-| AppControlCIScriptAudited | The script would have been blocked by WDAC. Since the policy is in audit mode, the app was allowed to run |
+| AppControlPackagedAppAudited | 8021 | Applied only when the Audit only enforcement mode is enabled. Specifies that the packaged app would be blocked if the Enforce rules enforcement mode were enabled. |
+| AppControlPackagedAppBlocked | 8022 | The packaged app was blocked by the policy. |
+| AppControlScriptAudited | 8006 | Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled. |
+| AppControlScriptBlocked | 8007 | Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run. |
+| AppControlCIScriptAudited | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. |
+| AppControlCIScriptBlocked | 8029 | Block script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. |
+| AppControlCodeIntegrityOriginAllowed | 3090 | File was allowed due to good reputation (ISG) or installation source (managed installer). |
+| AppControlCodeIntegrityOriginAudited | 3091 | Reputation (ISG) and installation source (managed installer) information for an audited file. |
+| AppControlCodeIntegrityOriginBlocked | 3092 | Reputation (ISG) and installation source (managed installer) information for a blocked file. |
+| AppControlCodeIntegrityPolicyLoaded | 3099 | Indicates that a policy has been successfully loaded. |
+| AppControlCodeIntegritySigningInformation | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. |
+| AppControlPolicyApplied | 8001 | Indicates that the AppLocker policy was successfully applied to the computer. |
+
+Learn more about the [Understanding Application Control event IDs (Windows)](event-id-explanations)
+
 
 Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
 
@@ -52,13 +66,14 @@ ActionType startswith "AppControl"
 
 The query results can be used for several important functions related to managing WDAC including:
 
-- Assessing the impact of deploying policies in audit mode 
+- Assessing the impact of deploying policies in audit mode
   Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
 - Monitoring blocks from policies in enforced mode
-  Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. 
+  Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation.
+
+## Example Advanced Hunting Application Control Queries ##
+Query Example 1: Query the application control action types summarized by type for past 7 days
 
-Query Example 1:
-Context: Query the application control action types summarized by type for past 7 days
 ```
 DeviceEvents
 | where Timestamp > ago(7d)
@@ -67,24 +82,23 @@ DeviceEvents
 | order by Count desc
 ```
 
-Query Example #2:
+Query Example #2: Query to determine audit blocks in the past 7 days
 
-Context: Query to determine audit blocks in the past 7 days
 ```
 DeviceEvents 
 | where ActionType startswith "AppControlExecutableAudited"
 | where Timestamp > ago(7d)
-|project DeviceId, // the device ID where the audit block happened
+|project DeviceId,                               // the device ID where the audit block happened
-FileName, // The audit blocked app's filename
+FileName,                                        // The audit blocked app's filename
-FolderPath, // The audit blocked app's device path
+FolderPath,                                      // The audit blocked app's device path
-InitiatingProcessFileName, // The file name of the parent process loading the executable
+InitiatingProcessFileName,                       // The file name of the parent process loading the executable
-InitiatingProcessVersionInfoCompanyName, // The company name of the parent process loading the executable
+InitiatingProcessVersionInfoCompanyName,         // The company name of the parent process loading the executable
-InitiatingProcessVersionInfoOriginalFileName, // The original file name of the parent process loading the executable
+InitiatingProcessVersionInfoOriginalFileName,    // The original file name of the parent process loading the executable
-InitiatingProcessVersionInfoProductName, // The product name of the parent process loading the executable
+InitiatingProcessVersionInfoProductName,         // The product name of the parent process loading the executable
-InitiatingProcessSHA256, // The SHA256 of the parent process loading the executable
+InitiatingProcessSHA256,                         // The SHA256 of the parent process loading the executable
-Timestamp, // The timestamp
+Timestamp,                                       // The timestamp
-ReportId, // The report ID
+ReportId,                                        // The report ID
-InitiatingProcessVersionInfoProductVersion, // The product version of the parent process loading the executable
+InitiatingProcessVersionInfoProductVersion,      // The product version of the parent process loading the executable
-InitiatingProcessVersionInfoFileDescription, // The file description of the parent process loading the executable
+InitiatingProcessVersionInfoFileDescription,     // The file description of the parent process loading the executable
 AdditionalFields
-```
+```