deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update wdac-wizard-parsing-event-logs.md

Browse Source 
Formatting and indentation.
This commit is contained in:
Vinay Pamnani 2023-02-02 10:42:16 -05:00 committed by GitHub
parent f0ffab7361
commit f73f7ad290
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 58 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md
View File

@ -31,7 +31,7 @@ ms.technology: itpro-security
As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types: As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types:
1. [The WDAC event log events on the system](#wdac-event-viewer-log-parsing) 1. [WDAC event log events on the system](#wdac-event-viewer-log-parsing)
2. [Exported .EVTX log files from any system](#wdac-event-log-file-parsing) 2. [Exported .EVTX log files from any system](#wdac-event-log-file-parsing)
3. [Exported WDAC events from MDE Advanced Hunting WDAC events](#mde-advanced-hunting-wdac-event-parsing) 3. [Exported WDAC events from MDE Advanced Hunting WDAC events](#mde-advanced-hunting-wdac-event-parsing)
@ -40,34 +40,34 @@ As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.ht
To create rules from the WDAC event logs on the system: To create rules from the WDAC event logs on the system:
1. Select **Policy Editor** from the WDAC Wizard main page 1. Select **Policy Editor** from the WDAC Wizard main page.
2. Select **Convert Event Log to a WDAC Policy** 2. Select **Convert Event Log to a WDAC Policy**.
3. Select the **Parse Event Logs** button under the Parse Event Logs from the "System Event Viewer to Policy" header 3. Select the **Parse Event Logs** button under the Parse Event Logs from the "System Event Viewer to Policy" header.
The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events. The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png) > ![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png)
4. Select the Next button to navigate to the table of software to view the audit and block events and create rules from 4. Select the Next button to navigate to the table of software to view the audit and block events and create rules from.
5. [Generate rules from the events](#creating-policy-rules-from-the-events) 5. [Generate rules from the events](#creating-policy-rules-from-the-events).
## WDAC Event Log File Parsing ## WDAC Event Log File Parsing
To create rules from the WDAC .EVTX event logs files on the system: To create rules from the WDAC .EVTX event logs files on the system:
1. Select **Policy Editor** from the WDAC Wizard main page 1. Select **Policy Editor** from the WDAC Wizard main page.
2. Select **Convert Event Log to a WDAC Policy** 2. Select **Convert Event Log to a WDAC Policy**.
3. Select the **Parse Log File(s)** button under the "Parse Event Log evtx Files to Policy" header 3. Select the **Parse Log File(s)** button under the "Parse Event Log evtx Files to Policy" header.
4. Select the .EVTX WDAC CodeIntegrity files from the disk to parse 4. Select the .EVTX WDAC CodeIntegrity files from the disk to parse.
The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events. The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png) > ![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png)
5. Select the Next button to navigate to the table of software to view the audit and block events and create rules from 5. Select the Next button to navigate to the table of software to view the audit and block events and create rules from.
6. [Generate rules from the events](#creating-policy-rules-from-the-events) 6. [Generate rules from the events](#creating-policy-rules-from-the-events).
## MDE Advanced Hunting WDAC Event Parsing ## MDE Advanced Hunting WDAC Event Parsing
@ -75,46 +75,46 @@ To create rules from the WDAC events in [MDE Advanced Hunting](querying-applicat
1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export: 1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export:
```KQL ```KQL
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName | project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName
``` ```
The following Advanced Hunting query is recommended: The following Advanced Hunting query is recommended:
```KQL ```KQL
DeviceEvents DeviceEvents
// Take only WDAC events // Take only WDAC events
| where ActionType startswith 'AppControlCodeIntegrity' | where ActionType startswith 'AppControlCodeIntegrity'
// SigningInfo Fields // SigningInfo Fields
| extend IssuerName = parsejson(AdditionalFields).IssuerName | extend IssuerName = parsejson(AdditionalFields).IssuerName
| extend IssuerTBSHash = parsejson(AdditionalFields).IssuerTBSHash | extend IssuerTBSHash = parsejson(AdditionalFields).IssuerTBSHash
| extend PublisherName = parsejson(AdditionalFields).PublisherName | extend PublisherName = parsejson(AdditionalFields).PublisherName
| extend PublisherTBSHash = parsejson(AdditionalFields).PublisherTBSHash | extend PublisherTBSHash = parsejson(AdditionalFields).PublisherTBSHash
// Audit/Block Fields // Audit/Block Fields
| extend AuthenticodeHash = parsejson(AdditionalFields).AuthenticodeHash | extend AuthenticodeHash = parsejson(AdditionalFields).AuthenticodeHash
| extend PolicyId = parsejson(AdditionalFields).PolicyID | extend PolicyId = parsejson(AdditionalFields).PolicyID
| extend PolicyName = parsejson(AdditionalFields).PolicyName | extend PolicyName = parsejson(AdditionalFields).PolicyName
// Keep only required fields for the WDAC Wizard // Keep only required fields for the WDAC Wizard
| project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName | project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName
``` ```
2. Export the WDAC event results by selecting the **Export** button in the results view 2. Export the WDAC event results by selecting the **Export** button in the results view.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png) > ![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png)
3. Select **Policy Editor** from the WDAC Wizard main page 3. Select **Policy Editor** from the WDAC Wizard main page.
4. Select **Convert Event Log to a WDAC Policy** 4. Select **Convert Event Log to a WDAC Policy**.
5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header 5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header.
6. Select the .CSV WDAC MDE Advanced Hunting export files from the disk to parse 6. Select the .CSV WDAC MDE Advanced Hunting export files from the disk to parse.
The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You will see a notification when the Wizard successfully finishes reading the events. The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You will see a notification when the Wizard successfully finishes reading the events.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png) > ![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png)
7. Select the Next button to navigate to the table of software to view the audit and block events and create rules from 7. Select the Next button to navigate to the table of software to view the audit and block events and create rules from.
8. [Generate rules from the events](#creating-policy-rules-from-the-events) 8. [Generate rules from the events](#creating-policy-rules-from-the-events).
## Creating Policy Rules from the Events ## Creating Policy Rules from the Events
@ -123,17 +123,17 @@ On the "Configure Event Log Rules" page, the unique WDAC log events will be show
To create a rule and add it to the WDAC policy: To create a rule and add it to the WDAC policy:
1. Select an audit or block event in the table by selecting the row of interest 1. Select an audit or block event in the table by selecting the row of interest.
2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules 2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules.
3. Select the attributes and fields that should be added to the policy rules using the checkboxes provider for the rule type 3. Select the attributes and fields that should be added to the policy rules using the checkboxes provider for the rule type.
4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated 4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
> ![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png) > ![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png)
5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies. It is not recommended to deploy the event log policy on its own, as it likely lacks rules to authorize Windows and may cause blue screens 5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies. It is not recommended to deploy the event log policy on its own, as it likely lacks rules to authorize Windows and may cause blue screens.
## Up next ## Up next
- [Merging Windows Defender Application Control (WDAC) policies using the Wizard](wdac-wizard-merging-policies.md) - [Merging Windows Defender Application Control (WDAC) policies using the Wizard](wdac-wizard-merging-policies.md)