How to Centralize Logs from Endpoints Using App Control for Business?

Asked By CloudNinja99 On

I've set up App Control for Business on a test machine, but I'm struggling to get a centralized view of logs like blocks and policy hits. Right now, I can only check events on the local machine using Event Viewer, which is not really effective. My devices are enrolled in Intune, there's no SIEM in place, and the endpoints are outside our corporate network, so traditional on-prem log collectors won't work. I've heard about running queries in Microsoft's security platform through Investigation & Response and Advanced Hunting, but I'm not entirely sure if this effectively captures the App Control for Business (WDAC) events. How do you manage to collect and centralize these logs in a cloud-centric setup?

1 Answer

Answered By DataDrivenDude On

I've been using KQL queries in advanced hunting, and it works pretty well for monitoring App Control events. Check out this documentation that explains how to query application control events centrally: [Query App Control events with Advanced Hunting](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting). Here's a sample query I use to export logs specific to the App Control Wizard app that helps me build policies.

```kusto
DeviceEvents
// All App Control for Business (WDAC) code integrity events share this ActionType prefix
| where ActionType startswith 'AppControlCodeIntegrity'
// Placeholder: narrow to the device(s) whose policy you are tuning
| where (DeviceName startswith "insertdevicenamehere")
// Signing and policy details are carried in the AdditionalFields JSON; parse it once
| extend AF = parse_json(AdditionalFields)
| extend IssuerName = AF.IssuerName
| extend IssuerTBSHash = AF.IssuerTBSHash
| extend PublisherName = AF.PublisherName
| extend PublisherTBSHash = AF.PublisherTBSHash
| extend AuthenticodeHash = AF.AuthenticodeHash
| extend PolicyId = AF.PolicyID
| extend PolicyName = AF.PolicyName
| project-keep Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName
```

I've been tweaking my audit and enforced mode policies for about a year, and this method has really helped me get a better grasp on things.

TechGuru77 -

I can see a lot of events when I run the query, but I specifically want to filter those down to just my policy ID. There are so many default AppLocker/WDAC events that don’t pertain to our policies. Is there a way to refine the results so only my Intune policy events show up?
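An added example (not from either poster) of restricting the Advanced Hunting results to a single deployed policy and summarizing what that policy audited or blocked, which is the view you want when tuning an audit-mode policy before enforcing it. It assumes the `PolicyID` and `PolicyName` keys inside `AdditionalFields` used in the answer above, and the `AppControlCodeIntegrityPolicyAudited` / `AppControlCodeIntegrityPolicyBlocked` action types that `DeviceEvents` reports for policy hits; the policy GUID is a placeholder to replace with the `PolicyID` value from the policy XML you deployed through Intune.

```kusto
// Added example, not the original answer's query.
// Placeholder GUID: replace with the PolicyID from your deployed policy XML.
let MyPolicyId = "00000000-0000-0000-0000-000000000000";
DeviceEvents
| where Timestamp > ago(7d)
// Only the events that record a policy decision (audit-mode hit or enforced block)
| where ActionType in ("AppControlCodeIntegrityPolicyAudited", "AppControlCodeIntegrityPolicyBlocked")
| extend AF = parse_json(AdditionalFields)
| extend PolicyId = tostring(AF.PolicyID),
         PolicyName = tostring(AF.PolicyName),
         PublisherName = tostring(AF.PublisherName),
         IssuerName = tostring(AF.IssuerName)
// Case-insensitive match, since GUIDs may be reported in either case
| where PolicyId =~ MyPolicyId
// One row per distinct binary and decision, so each line is a candidate rule to add or a block to investigate
| summarize Events = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by ActionType, PolicyName, FileName, FolderPath, SHA256, PublisherName, IssuerName
| order by ActionType asc, Events desc
```

If you do not know which policy GUIDs are present in the data, run the same query without the `where PolicyId =~ MyPolicyId` line and end it with `summarize count() by PolicyId, PolicyName` first; the Intune-deployed policy will show up alongside any base policies Microsoft ships, and you can then pin the filter to the one you own.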
