Forum Discussion
Microsoft Defender for Endpoint and WDAC audit logs do not include kernel audit/blocks
Hi Warren212,
This is indeed a known limitation/behavior by design in how MDE collects WDAC telemetry.
Kernel Mode WDAC events are not forwarded to MDE Advanced Hunting. The MDE sensor collects WDAC-related events primarily from user-mode Code Integrity operations. Kernel-mode events (such as Event ID 3076 generated by the kernel Code Integrity component) are not ingested into the DeviceEvents or DeviceImageLoadEvents tables in Advanced Hunting at this time.
Here are some workarounds you can use:
1. Use Windows Event Forwarding (WEF): Configure WEF to forward Microsoft-Windows-CodeIntegrity/Operational events from the local machine to a central Windows Event Collector, then ingest them into Microsoft Sentinel via the Windows Security Events connector.
2. Microsoft Sentinel + Azure Monitor Agent (AMA): With AMA and the proper DCR (Data Collection Rule), you can capture CodeIntegrity events (Event ID 3076, 3077, 3033, etc.) and query them via Sentinel custom tables.
3. Intune + WDAC Reporting: If devices are enrolled in Intune and you are using WDAC policies deployed via Intune, you can leverage the built-in WDAC reporting in Endpoint Manager for policy compliance data.
Microsoft has been gradually improving WDAC telemetry in MDE. It is worth submitting feedback via the Microsoft Feedback Portal so the product team can track demand for full kernel-mode WDAC event ingestion.
Hope this helps clarify the behavior and gives you a path forward!
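Before building the WEF subscription or AMA Data Collection Rule from the answer above, it is worth confirming on one endpoint that the kernel-mode CodeIntegrity events are actually being written locally. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes WDAC is enabled (audit or enforced) on the machine, and the EventData field names it reads (FileNameBuffer, ProcessNameBuffer, PolicyNameBuffer) are assumed from the 3076/3077 event schema.

```powershell
# Added example: check locally for the CodeIntegrity events that MDE does not forward,
# using the same XPath shape an AMA DCR (xPathQueries) or a WEF subscription consumes.
$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
# 3076 = audit-mode block, 3077 = enforced block, 3033 = policy verification failure
$XPath   = '*[System[(EventID=3076 or EventID=3077 or EventID=3033)]]'

# The DCR/WEF form is "<channel>!<xpath>"; print it so it can be pasted into the rule.
"DCR/WEF xPath query: $LogName!$XPath"

# Pull the most recent matching events to prove they exist before forwarding them.
$events = Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the event XML into a name -> value table (field names assumed from the 3076/3077 schema)
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Mode    = switch ($e.Id) { 3076 { 'Audit' } 3077 { 'Block' } default { 'Other' } }
        File    = $data['FileNameBuffer']
        Process = $data['ProcessNameBuffer']
        Policy  = $data['PolicyNameBuffer']
    }
}

if (-not $events) { "No 3076/3077/3033 events found in $LogName; nothing would be forwarded from this host." }
```

If this returns events locally but nothing appears in Advanced Hunting, that confirms the collection gap described above rather than a WDAC policy problem.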
Thanks for the reply. I will try submitting feedback as this would be required to deploy to an estate of 15000 devices.