kqlHunting

DeviceEvents - AppLocker Events

Detection Query

DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "AppLocker" // or ActionType startswith "AppControl" for WDAC events
// See all the event types using the inbuilt portal schema reference: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables#get-schema-information-in-the-security-center
// AppLocker ActionType values include AppLockerBlockExecutable, AppLockerBlockPackagedApp, AppLockerBlockPackagedAppInstallation and AppLockerBlockScript.
// If you widen the filter to "AppControl", you may also want to exclude AppControlExecutableBlocked, which is a WDAC event rather than an AppLocker one.
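The query above lists raw AppLocker events. As an added example (not part of the kqlHunting query and not from the project), the following KQL aggregates those events into a triage view: one row per block type and blocked file, with the set of devices and users that hit it. It assumes the standard DeviceEvents columns DeviceName, FileName, FolderPath and InitiatingProcessAccountName are populated for AppLocker events; the BlockType labels and the lookback value are constructed for this example.

```kql
// Added example: summarise AppLocker block events for triage.
// Assumes DeviceEvents carries DeviceName, FileName, FolderPath and
// InitiatingProcessAccountName for AppLocker ActionTypes (assumption).
let lookback = 30d;
DeviceEvents
| where TimeGenerated > ago(lookback)
| where ActionType startswith "AppLocker"
// Map the ActionType values listed in the query comments to short labels.
| extend BlockType = case(
    ActionType == "AppLockerBlockExecutable", "Executable",
    ActionType == "AppLockerBlockScript", "Script",
    ActionType == "AppLockerBlockPackagedApp", "PackagedApp",
    ActionType == "AppLockerBlockPackagedAppInstallation", "PackagedAppInstall",
    "Other")
// One row per block type and blocked file; collect who/where it was blocked.
| summarize BlockCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            DeviceCount = dcount(DeviceName),
            Devices = make_set(DeviceName, 20),
            Users = make_set(InitiatingProcessAccountName, 20)
    by BlockType, FileName, FolderPath
// Files blocked on many devices usually point at a policy gap or a
// software rollout; a single device with many blocks is worth a closer look.
| order by DeviceCount desc, BlockCount desc
```

A high DeviceCount for one file typically means a legitimate application missing from the allow list, whereas a single device repeatedly hitting Script or Executable blocks in user-writable paths is the case to investigate first.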

Data Sources

DeviceEvents

Platforms

windows
microsoft-defender

Tags

defender
hunting