Microsoft today published an update advisory for Windows Defender Application Control (WDAC) Advanced Hunting changes that could have an impact if you have any hunting rules or dashboards in place. The changes are scheduled to be implemented in mid to late January 2024.

Policy Name and Policy ID attribute names

The first change relates to the naming of two key attributes in the WDAC related logging data, and the advisory states:

Microsoft will be renaming the PolicyNameBuffer and PolicyIdBuffer fields in MDE Advanced Hunting WDAC events. These fields will be renamed to PolicyName and PolicyID, respectively. We will continue to improve the experience and richness of WDAC event data in Advanced Hunting.

WDAC Advanced Hunting Retired ActionTypes and Fields (MC697431) · Published Dec 12, 2023

There is currently an inconsistency within the Event Log data for WDAC events, where some events use PolicyID and others use PolicyIdBuffer (and the equivalent for PolicyName). This means some KQL queries could have these legacy names hard-coded and may not work as expected after the change occurs.

I’m personally very happy to see this change, as it has been a challenge in Sentinel Workbooks having to account for different event types with different attribute names! Having said that, this will continue to be somewhat of a challenge until all the old event data is aged out of Sentinel.

What do I need to do?

Firstly check any Advanced Hunting Rules and Sentinel Workbooks you have in place to see if those attributes are being used in your queries. If you’re using them there are two main options:

  1. Change your KQL queries now to look for both fields in the queries. If you are using Sentinel Workbooks this may be your only option, as old data from before the change will continue to have the old naming, whereas event data after the change will have the new naming.
  2. Wait for the change to occur, and update your Advanced Hunting rules and Workbooks to utilise the new attributes.

Action Types will be retired from Advanced Hunting

Additionally, Microsoft are retiring a number of action types (Event IDs) from being ingested into Advanced Hunting, which are:

  • AppControlCodeIntegrityImageAudited (3035)
  • AppControlCodeIntegrityPolicyAudited (3078)
  • AppControlCodeIntegrityPolicyBlocked (3079)
  • AppControlCodeIntegrityPolicyAudited (3080)
  • AppControlCodeIntegrityPolicyBlocked (3081)

What do I need to do?

Check your Advanced Hunting Rules and Workbook queries to see if you’re specifically looking for those action types and determine if there is any impact for your organisation. In the WDAC implementations I’ve undertaken I can’t recall those event types being of specific interest, but your mileage may vary.
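As an added example (not from the advisory or this post), the KQL below covers both "What do I need to do?" sections: it reads the policy fields under the new and the legacy names so the same query works on rows from before and after the rename (option 1 above), and it groups by ActionType so you can see how many events you currently receive from the action types listed above. It assumes the WDAC events are in the DeviceEvents table and that the policy attributes sit in the AdditionalFields JSON column.

```kql
// Added example: normalise the old and new WDAC field names and show the
// event volume per action type. Assumes DeviceEvents with the policy fields
// carried in the AdditionalFields JSON column.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "AppControlCodeIntegrity"
| extend Fields = parse_json(AdditionalFields)
// coalesce() skips empty strings, so the legacy *Buffer name is used only
// when the new name is absent from the row
| extend PolicyName = coalesce(tostring(Fields.PolicyName), tostring(Fields.PolicyNameBuffer)),
         PolicyID   = coalesce(tostring(Fields.PolicyID),   tostring(Fields.PolicyIdBuffer))
// Compare this list against the action types the advisory is retiring
| summarize Events = count(), LastSeen = max(Timestamp), Devices = dcount(DeviceName)
    by ActionType, PolicyName, PolicyID
| order by Events desc
```

Run the same coalesce() pattern in any detection rule or Workbook that references PolicyNameBuffer or PolicyIdBuffer, and it will keep matching once the new column names arrive.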

By Andrew
