From bfb4af670d84e0c814455114f45176c47eed26be Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Thu, 17 Feb 2022 14:57:45 -0800 Subject: [PATCH] Added ActionTypes table and example queries --- ...ication-control-events-centrally-using-advanced-hunting.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index 0916cb3074..e51c7663ad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -41,7 +41,7 @@ This capability is supported beginning with Windows version 1607. | AppControlPackagedAppAudited | 8021 | Applied only when the Audit only enforcement mode is enabled. Specifies that the packaged app would be blocked if the Enforce rules enforcement mode were enabled. | | AppControlPackagedAppBlocked | 8022 | The packaged app was blocked by the policy. | | AppControlScriptAudited | 8006 | Applied only when the Audit only enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled. | -| AppControlScriptBlocked | 8007 | Access to is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run. | +| AppControlScriptBlocked | 8007 | Access to file name is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run. | | AppControlCIScriptAudited | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. | | AppControlCIScriptBlocked | 8029 | Block script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. | | AppControlCodeIntegrityOriginAllowed | 3090 | File was allowed due to good reputation (ISG) or installation source (managed installer). | @@ -51,7 +51,7 @@ This capability is supported beginning with Windows version 1607. | AppControlCodeIntegritySigningInformation | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. | | AppControlPolicyApplied | 8001 | Indicates that the AppLocker policy was successfully applied to the computer. | -Learn more about the [Understanding Application Control event IDs (Windows)](event-id-explanations) +Learn more about the [Understanding Application Control event IDs (Windows)](event-id-explanations.md) Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint: