I've set up App Control for Business on a test machine and I'm looking to gather logs centrally for visibility on blocks, policy hits, and other events. Currently, I'm only able to see these events locally through Event Viewer, which isn't really practical for my needs. My devices are enrolled in Intune, and I'm not using a SIEM, plus the endpoints are outside of the corporate network. I know I can run queries in the Advanced Hunting section of the Microsoft Security portal, but I'm not entirely sure if this will cover App Control for Business events adequately. How do you all handle collecting and centralizing these logs in a cloud-only environment?
1 Answer
I've found that using KQL queries in Advanced Hunting for monitoring App Control events works pretty well. It allows me to export logs conveniently. You might want to check out this documentation: [Query App Control events with Advanced Hunting | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/querying-application-control-events-centrally-using-advanced-hunting). Here's an example of the query I've been using: `DeviceEvents | where ActionType startswith 'AppControlCodeIntegrity' | project-keep Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, PolicyId, PolicyName...` Tweak it to fit your needs. I've been using it for about a year to adjust my policies.
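As an added example (not part of the answer above, and not Microsoft's own sample), here is one way the query can be tweaked to surface only the events that matter for policy tuning: it narrows the `ActionType` to the audit and block events, keeps just the rows for one policy, and rolls them up per device and file so that a single noisy binary does not flood the export. The `PolicyId` value is a placeholder you replace with the GUID of your own Intune-deployed policy; the `startswith`/`project-keep` pattern and the column names come from the answer, while the two specific `ActionType` values and the `summarize` step are assumptions beyond the original query.

```kql
// Added example: App Control for Business audit/block events for one policy,
// aggregated per device and file. Not from the original post.
let TargetPolicyId = "00000000-0000-0000-0000-000000000000";   // placeholder: your policy GUID
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "AppControlCodeIntegrity"
// keep only the decisions a policy tuner cares about (assumed ActionType names)
| where ActionType in ("AppControlCodeIntegrityPolicyBlocked",
                       "AppControlCodeIntegrityPolicyAudited")
// =~ is a case-insensitive comparison in KQL, so GUID casing does not matter
| where PolicyId =~ TargetPolicyId
| project-keep Timestamp, DeviceId, DeviceName, ActionType,
               FileName, FolderPath, SHA1, SHA256, PolicyId, PolicyName
// one row per device/file/outcome, with the latest hit and a hit count
| summarize Hits = count(),
            LastSeen = max(Timestamp),
            Paths = make_set(FolderPath, 5)
    by DeviceName, FileName, SHA256, ActionType, PolicyName
| order by Hits desc
```

Run the query in the Advanced Hunting page and use the export action to pull the result set out; if you are still in audit mode, the `AppControlCodeIntegrityPolicyAudited` rows tell you what would have been blocked once the policy is enforced, so those are the rows to review before switching modes.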

That’s cool, but I’m seeing lots of events that aren’t related to my specific policy ID. Is there a way to just filter those out to see only what pertains to my Intune policy?