github HotCakeX/Harden-Windows-Security WDACConfig v0.3.6
WDACConfig module update v0.3.6

What's New

Microsoft Defender for Endpoint - Advanced Hunting

You can now use the WDACConfig module to convert the Microsoft Defender for Endpoint (MDE) Advanced Hunting query results directly to Application Control policy (WDAC) policy in a matter of seconds with high precision and performance.

Demo Video

MDE AH Demo

The systematic approach to converting the query results to WDAC policy is as follows:

  • If a file is unsigned then a hash rule will be created for it.
  • If a file is signed then there are multiple possibilities:
    • If the file is signed and the MDE AH results contain the file's version as well as at least one of the following file attributes (Original Name, Internal Name, Description, Product Name), then a File Publisher rule will be created for it.
    • If the file is signed but those file attributes are not present in the results, a Publisher level rule will be created for it.

These levels are selected based on their security. You can read more about the security comparison of the levels in this article.
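The level selection described above, written out as an added PowerShell example (it is not WDACConfig's own code). The row property names (IsSigned, FileVersion, OriginalFileName, InternalName, FileDescription, ProductName, SHA256, PublisherName) and the sample rows are constructed for the illustration; a real Advanced Hunting export carries these details inside the event's additional fields, so a small mapping step would precede this function.

```powershell
# Added example, not part of the WDACConfig module: choose the WDAC rule level for
# one MDE Advanced Hunting row in the order the release notes describe:
#   unsigned                                  -> Hash
#   signed + version + >=1 file attribute     -> FilePublisher
#   signed, attributes missing                -> Publisher
# Property names on $Row are assumptions made for this illustration.
function Get-WdacRuleLevel {
    param([Parameter(Mandatory)] [pscustomobject] $Row)

    # Unsigned file: a hash rule is the only option.
    if (-not $Row.IsSigned) {
        return [pscustomobject]@{ Level = 'Hash'; Identifier = $Row.SHA256 }
    }

    # Signed file: FilePublisher needs the version plus at least one of these attributes.
    $attributes = @(
        @($Row.OriginalFileName, $Row.InternalName, $Row.FileDescription, $Row.ProductName) |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
    )

    if (-not [string]::IsNullOrWhiteSpace($Row.FileVersion) -and $attributes.Count -ge 1) {
        return [pscustomobject]@{
            Level      = 'FilePublisher'
            Identifier = "$($Row.PublisherName) | $($attributes[0]) | version $($Row.FileVersion)"
        }
    }

    # Signed, but no usable file attribute in the results: fall back to Publisher.
    return [pscustomobject]@{ Level = 'Publisher'; Identifier = $Row.PublisherName }
}

# Constructed sample rows standing in for exported query results (hashes are placeholders).
$sampleRows = @(
    [pscustomobject]@{ FileName = 'unsigned-tool.exe'; IsSigned = $false; SHA256 = '<constructed-hash-1>'; FileVersion = $null;  OriginalFileName = $null;     InternalName = $null; FileDescription = $null;       ProductName = $null;     PublisherName = $null }
    [pscustomobject]@{ FileName = 'app.exe';           IsSigned = $true;  SHA256 = '<constructed-hash-2>'; FileVersion = '1.2.0'; OriginalFileName = 'app.exe'; InternalName = $null; FileDescription = 'Sample App'; ProductName = $null;     PublisherName = 'Contoso Ltd' }
    [pscustomobject]@{ FileName = 'setup.msi';         IsSigned = $true;  SHA256 = '<constructed-hash-3>'; FileVersion = $null;  OriginalFileName = $null;     InternalName = $null; FileDescription = $null;       ProductName = $null;     PublisherName = 'Contoso Ltd' }
)

# Expected levels for the three rows: Hash, FilePublisher, Publisher.
$sampleRows | ForEach-Object {
    $decision = Get-WdacRuleLevel -Row $_
    [pscustomobject]@{ File = $_.FileName; Level = $decision.Level; Identifier = $decision.Identifier }
} | Format-Table -AutoSize
```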


Simple Yet Comprehensive

What WDACConfig requires for MDE Advanced Hunting

DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
    or ActionType startswith "AppControlCIScriptBlocked"
    or ActionType startswith "AppControlCIScriptAudited"

As the query shows, the module only needs the raw event rows. It contains all the logic required to select the strongest applicable level for each file, notably FilePublisher, and it uses every attribute available in the results to build the most precise rule for each individual file.


Comparison

Supported Features              | WDACConfig                                        | WDAC Wizard
--------------------------------|---------------------------------------------------|----------------
Log types                       | Code Integrity + AppLocker                        | Code Integrity
Generated Rules                 | File Publisher, Publisher, Leaf Certificate, Hash | Publisher, Hash
Requires Custom CSV Formatting  | No - Accepts RAW data                             | Yes
Required Query Size             | Small                                             | Large

Important

WDAC Wizard is a great tool; it offers a GUI and can be downloaded from here.


Other Changes

  • Significantly improved the performance when parsing the Code Integrity related event logs.
  • In addition to the Code Integrity logs, AppLocker logs are now also processed by the WDACConfig module. This allows it to capture and create rules for blocked/audited MSI files as well.
  • Bumped the required PowerShell version from 7.4.1 to 7.4.2 because it has WDAC-related improvements.
  • Fixed this issue: #225

PR: #218

