Microsoft Defender Endpoint Advanced Hunting Logs appear only when policy is in Audit mode #396
Unanswered
zygmuntszpak asked this question in Q&A
Replies: 1 comment
Hi, maybe try this simpler query:

```kql
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
    or ActionType startswith "AppControlCIScriptBlocked"
    or ActionType startswith "AppControlCIScriptAudited"
```

List of AppLocker related events for Advanced Hunting: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting
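As an added triage query (not part of the thread above), the following separates audit-mode from enforce-mode App Control events per device, so that it is immediately visible whether any enforce-mode rows are arriving at all. It assumes only the DeviceEvents columns Timestamp, DeviceName, ActionType and FileName, and that enforce-mode events follow the "...Blocked" / audit-mode the "...Audited" naming seen in the reply's query.

```kql
// Added example: classify App Control for Business events in Advanced Hunting
// by policy mode. Assumption: audit events end in "Audited", enforce events
// end in "Blocked"; everything else (policy loaded, signing info) is "Other".
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "AppControlCodeIntegrity"
     or ActionType startswith "AppControlCIScript"
| extend PolicyMode = case(
      ActionType endswith "Audited", "Audit",
      ActionType endswith "Blocked", "Enforce",
      "Other")
// Count per device, mode and event type in hourly buckets; keep one sample
// file name per bucket so a deliberately blocked test binary can be spotted.
| summarize Events = count(),
            SampleFile = take_any(FileName),
            LastSeen = max(Timestamp)
          by DeviceName, PolicyMode, ActionType, bin(Timestamp, 1h)
| order by DeviceName asc, PolicyMode asc, LastSeen desc
```

A device that shows only PolicyMode == "Audit" rows after the policy was switched to enforce confirms the symptom described in the question rather than a query problem.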
If I start with an AllowMicrosoft.xml policy and add the Audit rule, I am able to collect logs using the Microsoft Defender Endpoint Advanced Hunting Logs with a Microsoft Defender for Endpoint Plan 2 license. For instance, the following query works:

and returns results.

However, when I place the AllowMicrosoft.xml policy in Enforce mode (by removing the Audit rule), the query doesn't return any results even when I deliberately run a program that is blocked (and verify that the blocked application appears in the local event log). I've even explicitly synced that PC with Intune, but the logs still do not appear. Is this expected behaviour? Am I supposed to deploy both an enforced and an audit version of the policy? If so, does that imply that I will now have to have a duplicate of every supplemental policy (one which points at the enforced base policy, and one that points at the audit base policy)?