Windows Defender Application Control - Report


Hi All,

Could we have a good method for Defender Application Control reporting?

2 Replies

Hi @Woshada,

Here are three different solutions for generating WDAC reports that you can use or try:

1. Use the Windows Defender Application Control (WDAC) PowerShell Module

As mentioned in my previous answer, the WDAC PowerShell Module provides a comprehensive set of reports, including:

  • Get-WdacPolicy: This cmdlet gets information about the current WDAC policy.
  • Get-WdacEvent: This cmdlet gets information about WDAC events.
  • Get-WdacAuditRule: This cmdlet gets information about WDAC audit rules.
  • Get-WdacEnforcementRule: This cmdlet gets information about WDAC enforcement rules.

You can use these cmdlets to generate custom reports that meet your specific needs. For example, you could generate a report that shows all applications that were blocked by WDAC in the last 24 hours, or a report that shows all applications that were allowed to run by WDAC in a specific department.

To generate a report using the WDAC PowerShell Module, you can use the following steps:

  1. Open a PowerShell console.
  2. Import the WDAC PowerShell Module:

Import-Module Wdac

  3. Run the cmdlet to generate the report that you want. For example, to generate a report that shows all applications that were blocked by WDAC in the last 24 hours, you would run the following cmdlet:

$report = Get-WdacEvent -Filter "EventType eq 'Blocked'" | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) }
$report | Out-GridView

  4. The report will be displayed in the PowerShell console.
  5. To save the report, you can use the following cmdlet:

$report | Export-Csv -Path <path to report file> -NoTypeInformation

 

2. Use a third-party tool

There are also a number of third-party tools that can be used to generate WDAC reports. These tools typically provide more features and functionality than the built-in reporting tools.

Some popular third-party WDAC reporting tools include:

  • Sysmon: Sysmon is a system monitor that can be used to collect a variety of system events, including WDAC events.
  • Splunk: Splunk is a security information and event management (SIEM) platform that can be used to collect and analyze WDAC events.
  • ArcSight Logger: ArcSight Logger is another SIEM platform that can be used to collect and analyze WDAC events.

 

3. Use Windows Defender Application Control (WDAC) auditing

WDAC auditing allows you to log all WDAC events to a central location. You can then use this log to generate reports.

To enable WDAC auditing, you will need to modify the WDAC policy. To do this, you can use the WDAC MMC Snapin or the WDAC PowerShell Module.

Once WDAC auditing is enabled, WDAC events will be logged to the Windows Event Log. You can then use the Windows Event Viewer to view and analyze these events.

To generate a report using WDAC auditing, you can use the following steps:

  1. Open the Windows Event Viewer.
  2. Expand the Applications and Services Logs node.
  3. Expand the Windows node.
  4. Expand the Windows Defender Application Control node.
  5. Right-click the Audit log and select View.
  6. The Audit log will be displayed in the right-hand pane.
  7. To filter the events, you can use the filter bar at the top of the window.
  8. To save the report, click the Save button.

The best solution for you will depend on your specific needs and requirements. If you only need to generate basic reports, then you can use the WDAC PowerShell Module or WDAC auditing. If you need to generate more comprehensive reports, then you should consider using a third-party tool.


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)
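The first and third options in the answer above both come down to reading WDAC's own event log. Here is an added example, not code from the original post, that does that with built-in cmdlets only, so no extra module is needed. It assumes an elevated session on a device that already has a WDAC policy deployed, and that the event IDs and EventData field names are those of the Microsoft-Windows-CodeIntegrity/Operational log (3076 is the audit-mode "would have been blocked" event, 3077 is an enforced block). Function names, the look-back window and the output path are choices made for the example.

```powershell
# Added example, not code from the original post. Builds a WDAC block/audit
# report from the local Code Integrity event log with built-in cmdlets only.
# Assumptions: elevated session; a WDAC policy is deployed on the device;
# event IDs and field names are those of Microsoft-Windows-CodeIntegrity/Operational
# (3076 = audit mode "would have been blocked", 3077 = enforced block).

function Get-WdacBlockReport {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,        # look-back window
        [switch]$IncludeAudit    # also return 3076 audit-mode events
    )

    $ids = @(3077)
    if ($IncludeAudit) { $ids += 3076 }

    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches; treat "no events" as an empty report
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        $mode = if ($e.Id -eq 3076) { 'Audit' } else { 'Enforced' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Mode        = $mode
            File        = $data['File Name']
            Process     = $data['Process Name']
            PolicyName  = $data['PolicyName']
            PolicyGUID  = $data['PolicyGUID']
            SHA256      = $data['SHA256 Hash']
        }
    }
}

function Get-WdacBlockSummary {
    # Collapse the raw events into one row per (file, policy), most frequent first
    param([Parameter(Mandatory)][object[]]$Report)

    $Report | Group-Object File, PolicyName | ForEach-Object {
        [pscustomobject]@{
            File       = $_.Group[0].File
            PolicyName = $_.Group[0].PolicyName
            Count      = $_.Count
            Modes      = ($_.Group.Mode | Sort-Object -Unique) -join ','
            LastSeen   = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

# Usage: raw events to CSV (path is an example choice), plus an on-screen summary
$report = Get-WdacBlockReport -Hours 24 -IncludeAudit
if ($report) {
    $report | Export-Csv -Path "$env:TEMP\wdac-blocks.csv" -NoTypeInformation
    Get-WdacBlockSummary -Report $report | Format-Table -AutoSize
}
else {
    Write-Host 'No WDAC block or audit events in the selected window.'
}
```

The summary view is usually the more useful one when tuning a policy: a file that appears once is likely noise, while one that shows up on many hosts under the same policy is a candidate for a new allow rule. Note that script and MSI enforcement is logged separately in the Microsoft-Windows-AppLocker/MSI and Script log rather than in the Code Integrity log, so scripts blocked by WDAC will not appear in this report.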

@LeonPavesic 

 

Thank you for the detailed description.

I'm currently deploying Application Control via Defender for Endpoint + Intune.

[screenshot: Woshada_0-1698649786096.png]

Also, we have sent the logs to Advanced Hunting. I'm looking to generate a report about the multiple devices that reported to Advanced Hunting.

KQL will help in pulling out the data, but I'm looking for some help on this.
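For the multi-device case described in the last reply, the data already sits in the DeviceEvents table of advanced hunting. Here is an added example, not code from the original thread, that runs a WDAC hunting query through the Microsoft Graph security API and flattens the result into a per-device report. It assumes `$Token` holds a Graph access token with the ThreatHunting.Read.All permission, and that the ActionType names are the documented DeviceEvents values for WDAC code-integrity events (confirm in your own tenant with `DeviceEvents | where ActionType startswith "AppControl" | distinct ActionType`). The device names, file names and counts in the sample response are constructed so the parsing path can be run offline; they are not real data.

```powershell
# Added example, not code from the original thread. Pulls WDAC events for
# every onboarded device from Defender for Endpoint advanced hunting and
# flattens them into a per-device report.
# Assumptions: $Token is a Microsoft Graph access token with
# ThreatHunting.Read.All; ActionType names are the documented DeviceEvents
# values for WDAC. The sample response below is constructed, not captured.

$WdacHuntingQuery = @'
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AppControlCodeIntegrityPolicyAudited",
                       "AppControlCodeIntegrityPolicyBlocked")
| summarize Events = count(),
            LastSeen = max(Timestamp),
            Files = make_set(FileName, 25)
  by DeviceName, ActionType
| order by Events desc
'@

function Invoke-WdacHuntingQuery {
    # Runs the KQL through the Graph security API and returns the raw response
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$Query = $WdacHuntingQuery
    )
    $body = @{ Query = $Query } | ConvertTo-Json
    Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' -Body $body
}

function ConvertFrom-WdacHuntingResult {
    # Turns the { schema, results } response into flat objects for Export-Csv
    param([Parameter(Mandatory)]$Response)
    foreach ($row in $Response.results) {
        $mode = if ($row.ActionType -like '*Blocked') { 'Enforced' } else { 'Audit' }
        [pscustomobject]@{
            DeviceName = $row.DeviceName
            Mode       = $mode
            Events     = [int]$row.Events
            LastSeen   = [datetime]$row.LastSeen
            Files      = (@($row.Files) -join '; ')
        }
    }
}

# Constructed sample in the shape runHuntingQuery returns, so the parsing
# path can be exercised without a tenant
$sampleResponse = @'
{
  "schema": [
    { "name": "DeviceName", "type": "String" },
    { "name": "ActionType", "type": "String" },
    { "name": "Events",     "type": "Int64" },
    { "name": "LastSeen",   "type": "DateTime" },
    { "name": "Files",      "type": "Dynamic" }
  ],
  "results": [
    { "DeviceName": "ws-finance-01", "ActionType": "AppControlCodeIntegrityPolicyBlocked",
      "Events": 12, "LastSeen": "2023-10-30T07:41:12Z", "Files": ["tool.exe", "helper.dll"] },
    { "DeviceName": "ws-finance-02", "ActionType": "AppControlCodeIntegrityPolicyAudited",
      "Events": 3,  "LastSeen": "2023-10-29T18:02:55Z", "Files": ["setup.exe"] }
  ]
}
'@ | ConvertFrom-Json

# Offline run against the constructed sample (output path is an example choice)
$rows = ConvertFrom-WdacHuntingResult -Response $sampleResponse
$rows | Export-Csv -Path "$env:TEMP\wdac-hunting.csv" -NoTypeInformation
$rows | Format-Table -AutoSize

# Live run against the tenant (requires $Token):
# $rows = ConvertFrom-WdacHuntingResult -Response (Invoke-WdacHuntingQuery -Token $Token)
```

Summarising inside the query rather than pulling raw rows keeps the result small enough for the API and gives you the per-device view directly; advanced hunting only retains 30 days of data, so anything older has to come from an export you made earlier or from the local event log on the device.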