Expected Behavior from MDE Advanced Hunting / When to Leave Audit Mode

[danielshonu]

Hey all,

I have a policy created from AppControl Manager for "Default Windows Policy" in Audit mode and I let that run for about a day or so and then created a Supplemental policy from the Event Logs on my local system. This has been in place again for another 24 hours but when I run the Advanced Hunting query, I am seeing "AppControlCodeIntegrityOriginAudited" and "AppControlCodeIntegrityPolicyAudited" in the output from today. My understanding is that if these entries are showing in the log, that would be a process that would have been blocked, had the AppControl policy not been in Audit Mode. The InitiatingProcessFileName for some of these entries are default Windows services, things like svchost.exe and explorer.exe.

Few questions:

Firstly, do I somehow have my policy configured incorrectly in that, if this were not in Audit Mode, all of these processes would be being blocked?

Is the expectation that if I have a correct policy in place, with a correct supplemental policy built from system logs and those processes are allowed, I shouldn't be seeing any new entries when I run the query for events in Advanced Hunting in MDE?

Please let me know if you need more information, IE the policies or the query being run.

Thanks

[HotCakeX]

Hello

Firstly, do I somehow have my policy configured incorrectly in that, if this were not in Audit Mode, all of these processes would be being blocked?

You deployed the policy correctly if you used the AppControl Manager. As long as the audit mode policy is deployed it will continue to generate audit logs.

If it was an enforced mode policy, all of the files mentioned in the logs would've been blocked.

But InitiatingProcessFileName is not the one that would be blocked, it just shows which process launched the file that was audited, that's not the file itself.

Is the expectation that if I have a correct policy in place, with a correct supplemental policy built from system logs and those processes are allowed, I shouldn't be seeing any new entries when I run the query for events in Advanced Hunting in MDE?

Yes, correct policy should be enforced mode in this scenario so it won't generate audit logs anymore, and the supplemental policy will be able to authorize all of the files found in the event logs.

[danielshonu]

Thanks for the quick reply.

So the results from querying MDR with:

DeviceEvents | where (ActionType startswith "AppControlCodeIntegrity" or ActionType startswith "AppControlCIScriptBlocked" or ActionType startswith "AppControlCIScriptAudited")

These are always going to be logged with a policy that is in audit mode? How would I be able to tell if I converted my policy from Audit to Enforce what is going to be blocked?

[HotCakeX]

Anytime!

You can use the Simulation feature, it lets you select files, folders or entire drives and then select your policy file to see which files will be blocked or allowed by the policy.

please let me know if you have feedback about it so i can make changes and improve.

[danielshonu]

That works well for my local machine but I have a test group of 10 Intune devices...does the Simulation mode allow for scanning those in any fashion or would you recommend building out more Supplemental policies based on the log exports from MDR?

[HotCakeX]

At the moment, the Simulation feature only works for the local device. I recommend building more supplemental policies if you need to, you can safely merge them without having any duplication among the data.

As long as audit mode policy is deployed it will generate audit logs though, so at some point you have to remove audit mode and deploy enforced mode policy that has the same exact policyID as audit mode policy.

If you audit with one policy and deploy another a policy with different ID, the supplemental policies you created won't work with the new policy, unless you change the BasePolicyID in all of the supplemental policies. Also never mix the base policy type, for example never audit with Default Windows policy type and then enforce the Allow Microsoft policy type.

[danielshonu]

On the topic of Simulation and building out Supplemental Policies so that needed programs aren't blocked right from the start:

I have a Base Policy "Default Windows Policy"

and

a Supplemental Policy which has a policy created from local logs, merged with a policy created from MDE logs targeted at just my own test machine AND a policy created from scanning the Program Files (x86) folder (because I was still getting Authorized = False during Simulation for programs and services that needed to be allowed)

So now that I have a fairly good baseline for what runs every day on my machine...since Simulation only works on my local machine, is it possible to apply the Base Policy with the Supplemental which are in Audit mode, apply those to my test case devices which are a part of a single group and somehow filter the MDE logs from this point forward and see what would be blocked if the policy was not in Audit Mode? IE a broader Simulation? The item I'm not understanding is when running the query in MDE Adv Hunting, I don't know how to tell in the returned results what would be allowed and what would be blocked were these policies not an Audit Mode.

[HotCakeX]

Of course, you can filter the MDE Advanced Hunting logs in the app via the available filters for time, date etc.
First filter the data to see only those generated after deploying your policies, then look for those with the Action column set to Audit; those are the ones that would still get blocked and need to be allowed in your supplemental policy. You can right-click or tap + hold on one or more items and delete them to fine tune the results, or you could do it in reverse where you toggle the Only use selected items button and then only the items you select in the ListView will be used in creating the supplemental policy.

I'm planning to add real time log retrieval and processing via Azure Monitor soon and it will unlock more possibilities in the app.

[danielshonu]

Thank you, I'll get the AppControl Manager plugged into MDE and take a closer look at this.

[danielshonu]

I tried the workaround for this in AppControl Manager and uploaded an unsigned XML policy but it does not show up under Devices > Configuration, nor does it show up under Endpoint Security > App Control for Business.