@mgraeber-rc
Created July 30, 2021 16:06
Example queries that join AppControlCodeIntegrityPolicy events from MDE (Microsoft Defender for Endpoint) with AppControlCodeIntegritySigningInformation events. The two queries are near-duplicates: they differ only in which hash column of the policy event is joined against the signing event's SHA256, because the hashes are presented in an unintuitive fashion.
// Query 1: join the policy event's SHA1 column to the signing event's SHA256 column
// (covers the case where the SHA256 value is surfaced in the SHA1 column).
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrityPolicy"
| extend Hash = SHA1
| join kind = inner (
    DeviceEvents
    | where ActionType == "AppControlCodeIntegritySigningInformation"
    // VerificationError is carried in the AdditionalFields JSON blob
    | extend VerificationError = extractjson("$.VerificationError", AdditionalFields, typeof(string))
    | where VerificationError == "Explicitly denied by WDAC policy"
    | extend PublisherName = extractjson("$.PublisherName", AdditionalFields, typeof(string))
    | extend PublisherTBSHash = extractjson("$.PublisherTBSHash", AdditionalFields, typeof(string))
    | extend NotValidBefore = extractjson("$.NotValidBefore", AdditionalFields, typeof(string))
    | extend NotValidAfter = extractjson("$.NotValidAfter", AdditionalFields, typeof(string))
    | extend Hash = SHA256
    | project PublisherName, PublisherTBSHash, NotValidBefore, NotValidAfter, VerificationError, Hash
) on Hash
// Policy identity comes from the policy event's own AdditionalFields
| extend PolicyName = extractjson("$.PolicyName", AdditionalFields, typeof(string))
| extend PolicyID = extractjson("$.PolicyID", AdditionalFields, typeof(string))
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, PolicyName, PolicyID, PublisherName, PublisherTBSHash, NotValidBefore, NotValidAfter, VerificationError

// Query 2: same join, but SHA256 column to SHA256 column
// (covers the case where both events carry the SHA256 in the expected column).
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrityPolicy"
| join kind = inner (
    DeviceEvents
    | where ActionType == "AppControlCodeIntegritySigningInformation"
    | extend VerificationError = extractjson("$.VerificationError", AdditionalFields, typeof(string))
    | where VerificationError == "Explicitly denied by WDAC policy"
    | extend PublisherName = extractjson("$.PublisherName", AdditionalFields, typeof(string))
    | extend PublisherTBSHash = extractjson("$.PublisherTBSHash", AdditionalFields, typeof(string))
    | extend NotValidBefore = extractjson("$.NotValidBefore", AdditionalFields, typeof(string))
    | extend NotValidAfter = extractjson("$.NotValidAfter", AdditionalFields, typeof(string))
    | project PublisherName, PublisherTBSHash, NotValidBefore, NotValidAfter, VerificationError, SHA256
) on SHA256
| extend PolicyName = extractjson("$.PolicyName", AdditionalFields, typeof(string))
| extend PolicyID = extractjson("$.PolicyID", AdditionalFields, typeof(string))
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, PolicyName, PolicyID, PublisherName, PublisherTBSHash, NotValidBefore, NotValidAfter, VerificationError
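The two queries above can be folded into one that tolerates either hash placement. This is an added example, not part of the gist: each policy event is expanded into its distinct SHA1 and SHA256 column values and either is allowed to match the signing event's SHA256; the `JoinHash`, `SigningHash` and `MatchedOn` names are chosen here, while the column names and AdditionalFields keys are those used in the gist.

```kql
// Added example: single query covering both hash placements.
// Assumes the same DeviceEvents schema and AdditionalFields JSON keys as the gist.
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrityPolicy"
| extend PolicyName = extractjson("$.PolicyName", AdditionalFields, typeof(string))
| extend PolicyID = extractjson("$.PolicyID", AdditionalFields, typeof(string))
// Expand to one row per distinct candidate key; set_union drops the duplicate
// when both columns happen to hold the same value, so no row is matched twice.
| mv-expand JoinHash = set_union(pack_array(SHA1), pack_array(SHA256)) to typeof(string)
| where isnotempty(JoinHash)
// Record which column matched, so the data quirk itself can be audited.
| extend MatchedOn = iff(JoinHash == SHA256, "SHA256", "SHA1")
| join kind=inner (
    DeviceEvents
    | where ActionType == "AppControlCodeIntegritySigningInformation"
    | extend VerificationError = extractjson("$.VerificationError", AdditionalFields, typeof(string))
    | where VerificationError == "Explicitly denied by WDAC policy"
    | extend PublisherName = extractjson("$.PublisherName", AdditionalFields, typeof(string))
    | extend PublisherTBSHash = extractjson("$.PublisherTBSHash", AdditionalFields, typeof(string))
    | extend NotValidBefore = extractjson("$.NotValidBefore", AdditionalFields, typeof(string))
    | extend NotValidAfter = extractjson("$.NotValidAfter", AdditionalFields, typeof(string))
    | project SigningHash = SHA256, PublisherName, PublisherTBSHash, NotValidBefore, NotValidAfter, VerificationError
) on $left.JoinHash == $right.SigningHash
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, MatchedOn, PolicyName, PolicyID, PublisherName, PublisherTBSHash, NotValidBefore, NotValidAfter, VerificationError
```

A `summarize count() by MatchedOn` on the result shows at a glance whether the SHA1-column placement still occurs in a given tenant.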
@kimoppalfens
Looks like Defender for Endpoint now correctly stores SHA1 & SHA256 hashes in their respective columns.
