Sep 25 2023 09:27 AM
Hi All,
Could we have a good method for Defender Application Control reporting?
Sep 26 2023 04:27 AM
Hi @Woshada,
Here are 3 different solutions for generating WDAC reports that you can use/try:
1. Use the Windows Defender Application Control (WDAC) PowerShell Module
As mentioned in my previous answer, the WDAC PowerShell Module provides a comprehensive set of reports, including:
You can use these cmdlets to generate custom reports that meet your specific needs. For example, you could generate a report that shows all applications that were blocked by WDAC in the last 24 hours, or a report that shows all applications that were allowed to run by WDAC in a specific department.
To generate a report using the WDAC PowerShell Module, you can use the following steps:
# Get-WdacEvent is not a real cmdlet; WDAC blocks are written to the CodeIntegrity event channel as event ID 3077, so query that log with Get-WinEvent
$report = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077; StartTime = (Get-Date).AddHours(-24) }
$report | Out-GridView
$report | Export-Csv -Path <path to report file> -NoTypeInformation
2. Use a third-party tool
There are also a number of third-party tools that can be used to generate WDAC reports. These tools typically provide more features and functionality than the built-in reporting tools.
Some popular third-party WDAC reporting tools include:
3. Use Windows Defender Application Control (WDAC) auditing
WDAC auditing allows you to log all WDAC events to a central location. You can then use this log to generate reports.
To enable WDAC auditing, you will need to modify the WDAC policy. To do this, you can use the WDAC MMC Snapin or the WDAC PowerShell Module.
Once WDAC auditing is enabled, WDAC events will be logged to the Windows Event Log. You can then use the Windows Event Viewer to view and analyze these events.
To generate a report using WDAC auditing, you can use the following steps:
The best solution for you will depend on your specific needs and requirements. If you only need to generate basic reports, then you can use the WDAC PowerShell Module or WDAC auditing. If you need to generate more comprehensive reports, then you should consider using a third-party tool.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
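For solution 3 (WDAC auditing), a worked report over the local event log, added here as an example and not part of Leon's answer: it reads the audit (3076, "would have been blocked") and enforced-block (3077) events from the Microsoft-Windows-CodeIntegrity/Operational channel for the last N hours, pulls the file, calling process and policy name out of each event's XML, and summarises per file how often and from which processes it was seen. The `FileNameBuffer`, `ProcessNameBuffer`, `PolicyNameBuffer` and `SHA256Hash` field names are the EventData names used by those two event IDs; the output path and the 24-hour window are assumptions you can change.

```powershell
# Added example (not the poster's code): per-file summary of WDAC audit/block events
# from the local CodeIntegrity log, exported to CSV.
$Hours  = 24                                  # assumed reporting window
$OutCsv = "$env:TEMP\wdac-report.csv"         # assumed output path

$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077                    # 3076 = audit mode, 3077 = enforced block
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as an empty report.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten each event's EventData into a name -> value table and keep the fields we report on.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Mode        = if ($e.Id -eq 3077) { 'Enforced' } else { 'Audit' }
        File        = $data['FileNameBuffer']       # assumed field name (see lead-in)
        Process     = $data['ProcessNameBuffer']    # assumed field name
        Policy      = $data['PolicyNameBuffer']     # assumed field name
        Sha256      = $data['SHA256Hash']           # assumed field name
    }
}

# One line per (mode, file): how many events, when last seen, and which processes tried to load it.
$summary = $rows | Group-Object Mode, File | ForEach-Object {
    $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        Mode      = $newest.Mode
        File      = $newest.File
        Policy    = $newest.Policy
        Sha256    = $newest.Sha256
        Count     = $_.Count
        LastSeen  = $newest.TimeCreated
        Processes = ($_.Group.Process | Sort-Object -Unique) -join ';'
    }
} | Sort-Object Count -Descending

$summary | Export-Csv -Path $OutCsv -NoTypeInformation
$summary | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint (reading the CodeIntegrity operational log requires administrator rights). Splitting the report by Mode is what makes an audit-to-enforce rollout reviewable: the Audit rows are the binaries your policy will start blocking once you switch to enforced mode, so that list is the one to reconcile against your expected software inventory before flipping the policy.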
Oct 30 2023 12:12 AM
Thank you for the detailed description.
I'm currently deploying Application Control via Defender for Endpoint + Intune.
Also, we have sent logs to Advanced Hunting. I'm looking to generate a report about multiple devices that reported to Advanced Hunting.
KQL will help in pulling the data out, but I'm looking for some help on this.
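An added example for the Advanced Hunting side of the question, not code from either poster: the KQL below summarises WDAC audit and block events across all devices that report to Defender for Endpoint, counting events and distinct devices per file, and the surrounding PowerShell submits it through the Defender for Endpoint Advanced Hunting API and saves the result as CSV. The `ActionType` values `AppControlCodeIntegrityPolicyAudited` and `AppControlCodeIntegrityPolicyBlocked` are the DeviceEvents equivalents of CodeIntegrity events 3076 and 3077; the access token, the 7-day window and the output path are placeholders or assumptions, and the query can equally be pasted into the Advanced Hunting portal on its own.

```powershell
# Added example (not the poster's code): run a WDAC summary query against
# Advanced Hunting from PowerShell and export the rows to CSV.
$token  = '<ACCESS_TOKEN_PLACEHOLDER>'        # bearer token from your Entra app registration (not obtained here)
$OutCsv = "$env:TEMP\wdac-hunting.csv"        # assumed output path

# Multi-device WDAC report: one row per (mode, folder, file, hash) with event and device counts.
$query = @'
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AppControlCodeIntegrityPolicyAudited", "AppControlCodeIntegrityPolicyBlocked")
| extend Mode = iff(ActionType == "AppControlCodeIntegrityPolicyBlocked", "Enforced", "Audit")
| summarize Events = count(),
            Devices = dcount(DeviceId),
            LastSeen = max(Timestamp),
            SampleDevice = any(DeviceName),
            Initiators = make_set(InitiatingProcessFileName, 10)
  by Mode, FolderPath, FileName, SHA256
| order by Devices desc, Events desc
'@

$uri     = 'https://api.securitycenter.microsoft.com/api/advancedhunting/run'   # documented MDE Advanced Hunting API endpoint
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$body    = @{ Query = $query } | ConvertTo-Json

# The API answers with a Schema and a Results array; Results is what we report on.
$response = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body

# make_set returns an array; join it so the CSV stays one value per cell.
$rows = foreach ($r in $response.Results) {
    $r.Initiators = ($r.Initiators -join ';')
    $r
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Format-Table Mode, FileName, Devices, Events, LastSeen -AutoSize
```

The `Devices` column is the one that answers "how many machines are affected": a file that is audited on hundreds of devices is a fleet-wide policy gap to fix before enforcement, while one that appears on a single device is a candidate for a closer look at that machine. Keep the 7-day window within your tenant's Advanced Hunting retention, and widen the `ActionType` filter to the `AppControlCIScript*` and `AppControlExecutable*` values if you also want script and MSI enforcement events in the same report.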