Windows event ID list

Understanding Application Control events

A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:

Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational

Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script

Microsoft Windows CodeIntegrity Operational log event IDs

Event ID  Explanation
3076      Audit executable/dll file
3077      Block executable/dll file
3089      Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the «System» portion of the event data under «Correlation ActivityID».
3099      Indicates that a policy has been loaded

Microsoft Windows AppLocker MSI and Script log event IDs

Event ID  Explanation
8028      Audit script/MSI file. Generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts.
8029      Block script/MSI file
8038      Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the «System» portion of the event data under «Correlation ActivityID».
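The ActivityID correlation described for 3089 (CodeIntegrity) and 8038 (AppLocker MSI and Script) above, as an added PowerShell example; this is not code from Microsoft's documentation. Beyond what the page states, it assumes the EventData field names FileNameBuffer and PolicyNameBuffer on the 3076/3077 and 8028/8029 events and PublisherName on the signature events (taken from the 3077/3089 schema as commonly observed; inspect the hashtable keys on your build if a column comes back empty).

```powershell
# Added example: join WDAC audit/block events to their per-signature events via Correlation ActivityID.
#   CodeIntegrity/Operational : 3076 (audit) / 3077 (block)  <->  3089 (one per signature)
#   AppLocker/MSI and Script  : 8028 (audit) / 8029 (block)  <->  8038 (one per signature)
# Run from an elevated prompt so both operational logs are readable.

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable keyed by Name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).GetElementsByTagName('Data')) {
        $name = $d.GetAttribute('Name')
        if ($name) { $data[$name] = $d.InnerText }
    }
    return $data
}

function Get-WdacFileEvents {
    param(
        [ValidateSet('CodeIntegrity', 'AppLocker')][string]$Source = 'CodeIntegrity',
        [int]$MaxEvents = 200
    )
    $logs = @{
        CodeIntegrity = @{ Log = 'Microsoft-Windows-CodeIntegrity/Operational'; FileIds = 3076, 3077; SigId = 3089; BlockId = 3077 }
        AppLocker     = @{ Log = 'Microsoft-Windows-AppLocker/MSI and Script';  FileIds = 8028, 8029; SigId = 8038; BlockId = 8029 }
    }
    $cfg = $logs[$Source]

    # Newest file events first; pull every signature event so no file event is left unjoined.
    $fileEvents = @(Get-WinEvent -FilterHashtable @{ LogName = $cfg.Log; Id = $cfg.FileIds } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    $sigEvents  = @(Get-WinEvent -FilterHashtable @{ LogName = $cfg.Log; Id = $cfg.SigId } -ErrorAction SilentlyContinue)

    # Index signature events by ActivityID (the <System><Correlation ActivityID> value).
    $sigIndex = @{}
    foreach ($s in $sigEvents) {
        $key = [string]$s.ActivityId
        if (-not $sigIndex.ContainsKey($key)) { $sigIndex[$key] = New-Object System.Collections.ArrayList }
        [void]$sigIndex[$key].Add((ConvertFrom-EventData -Event $s))
    }

    foreach ($e in $fileEvents) {
        $d    = ConvertFrom-EventData -Event $e
        $key  = [string]$e.ActivityId
        $sigs = @()
        if ($key -and $sigIndex.ContainsKey($key)) { $sigs = @($sigIndex[$key]) }

        # An unsigned file produces exactly one signature event with TotalSignatureCount 0.
        $total = $null
        if ($sigs.Count -gt 0 -and $null -ne $sigs[0]['TotalSignatureCount']) { $total = [int]$sigs[0]['TotalSignatureCount'] }
        $action = if ($e.Id -eq $cfg.BlockId) { 'Block' } else { 'Audit' }
        # FileNameBuffer, PolicyNameBuffer (file events) and PublisherName (signature events) are assumed
        # field names from the 3077/3089 schema; dump $d.Keys on your build if a column comes back empty.
        $signers = @($sigs | ForEach-Object { $_['PublisherName'] } | Where-Object { $_ }) -join '; '

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Action      = $action
            File        = $d['FileNameBuffer']
            Policy      = $d['PolicyNameBuffer']
            ActivityId  = $key
            TotalSigs   = $total
            Unsigned    = ($total -eq 0)
            Signers     = $signers
            Unjoined    = ($sigs.Count -eq 0)   # no 3089/8038 found: log wrapped, or the event was not correlated
        }
    }
}

# Usage: blocked binaries with no valid signature are the first thing to triage under an enforced policy.
Get-WdacFileEvents -Source CodeIntegrity |
    Where-Object { $_.Action -eq 'Block' } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, File, Policy, TotalSigs, Unsigned, Signers, Unjoined -AutoSize
```

Run the same function with -Source AppLocker to triage 8029 blocks. A row with Unjoined set to True means the signature events have already rolled out of the log (or were never written), so size the operational log accordingly before relying on this correlation for incident work.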

Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events

If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information.

Event ID  Explanation
3090      Allow executable/dll file
3091      Audit executable/dll file
3092      Block executable/dll file

3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated.

SmartLocker template

Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates.

Name                     Explanation
StatusCode               STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode.
ManagedInstallerEnabled  Policy trusts a MI
PassesManagedInstaller   File originated from a trusted MI
SmartlockerEnabled       Policy trusts the ISG
PassesSmartlocker        File had positive reputation
AuditEnabled             True if the policy is in audit mode, otherwise it is in enforce mode

Enabling ISG and MI diagnostic events

In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command:

In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command:
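The TestFlags enablement just described and the SmartLocker template fields from the previous section, as one added PowerShell example; it is not Microsoft's code. Assumptions beyond what the page states: the TestFlags value lives under HKLM\SYSTEM\CurrentControlSet\Control\CI (the key path comes from Microsoft's WDAC documentation; this page only names the value and its data), removing the value restores the default behaviour, the boolean template fields serialise as the strings "true"/"false", and the file name is carried in a field called FileNameBuffer as on 3077.

```powershell
# Added example: switch the ISG/MI diagnostic events on and decode the SmartLocker fields of 3090-3092.
# Requires an elevated prompt to write under HKLM.

# Key path assumed from Microsoft's WDAC documentation (not shown on this page).
$CiKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'

function Set-WdacDiagnosticEvents {
    param([Parameter(Mandatory)][ValidateSet('AuditAndBlock', 'All', 'Off')][string]$Mode)
    # 0x100 -> 3091/3092 only; 0x300 -> 3090 as well. 'Off' removes the value (assumed to restore the default).
    if ($Mode -eq 'Off') {
        Remove-ItemProperty -Path $CiKey -Name TestFlags -ErrorAction SilentlyContinue
        return $null
    }
    $flags = if ($Mode -eq 'All') { 0x300 } else { 0x100 }
    if (-not (Test-Path $CiKey)) { New-Item -Path $CiKey -Force | Out-Null }
    New-ItemProperty -Path $CiKey -Name TestFlags -PropertyType DWord -Value $flags -Force | Out-Null
    # Read back and return what is actually set so the caller can verify it.
    return (Get-ItemProperty -Path $CiKey -Name TestFlags).TestFlags
}

function Get-WdacDiagnosticEvents {
    param([int]$MaxEvents = 100)
    $outcome = @{ 3090 = 'Allow'; 3091 = 'Audit'; 3092 = 'Block' }
    $filter  = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3090, 3091, 3092 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($x in ([xml]$_.ToXml()).GetElementsByTagName('Data')) {
            $n = $x.GetAttribute('Name'); if ($n) { $d[$n] = $x.InnerText }
        }
        # Boolean template fields are assumed to serialise as the strings "true"/"false" (-eq is case-insensitive).
        $mi  = $d['PassesManagedInstaller'] -eq 'true'
        $isg = $d['PassesSmartlocker'] -eq 'true'
        # Interpretation of the template: MI origin or ISG reputation explains the decision; otherwise it
        # came from the policy's own rules (3090) or from having neither MI origin nor reputation (3091/3092).
        $reason = if ($mi) { 'trusted managed installer' }
                  elseif ($isg) { 'ISG positive reputation' }
                  elseif ($_.Id -eq 3090) { 'policy rule (neither MI nor ISG)' }
                  else { 'no MI origin and no positive reputation' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Outcome     = $outcome[[int]$_.Id]
            File        = $d['FileNameBuffer']      # assumed field name, as on 3077
            StatusCode  = $d['StatusCode']
            MiEnabled   = $d['ManagedInstallerEnabled'] -eq 'true'
            PassesMI    = $mi
            IsgEnabled  = $d['SmartlockerEnabled'] -eq 'true'
            PassesISG   = $isg
            AuditMode   = $d['AuditEnabled'] -eq 'true'
            Reason      = $reason
        }
    }
}

# Usage: enable all three event IDs, reproduce the launch, then see what the policy decided and why.
Set-WdacDiagnosticEvents -Mode All
Get-WdacDiagnosticEvents | Sort-Object TimeCreated -Descending |
    Format-Table Id, Outcome, File, PassesMI, PassesISG, AuditMode, Reason -AutoSize
```

Leave 3090 off (-Mode AuditAndBlock) on production hosts once the investigation is done: one allow event per binary launch is a lot of volume, and the block/audit events are what detection content usually keys on.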

118.4. Event IDs to monitor | Log Collection Solutions

118.4. Event IDs to monitor

When it comes to Windows log collection, one of the most challenging tasks of a system administrator is deciding which event IDs to monitor. Due to the large number of event IDs in use, this can be daunting at first sight. Therefore, this section aims to provide guidance about selecting event IDs to monitor, with some example configurations.

Event IDs are unique per source but are not globally unique. The same event ID may be used by different sources to identify unrelated occurrences.

118.4.1. Finding the right event IDs

An excellent general source to start with is the Windows 10 and Windows Server 2016 security auditing and monitoring reference. It provides detailed descriptions about event IDs used for security audit policies. There are additional resources to find events to monitor, see below:

The Microsoft Events and Errors page on Microsoft Docs provides a directory of events grouped by area. Start by navigating through the areas listed in the Available Documentation section.

Palantir has published a Windows Event Forwarding Guidance repository, which contains a comprehensive WEF Event Mappings table with categorized event IDs and details.

The NSA Spotting the Adversary with Windows Event Log Monitoring paper provides event IDs for security monitoring. See the corresponding example configuration in the Example monitoring configurations section below.

The JPCERT/CC Detecting Lateral Movements Tool Analysis resource provides a collection of event codes that are observed to indicate lateral movement. See the corresponding example configuration in the Example monitoring configurations section below.

See the NXLog User Guide on Active Directory Domain Services for a list and configuration sample of security event IDs relevant to Active Directory.

The table below displays a small sample of important events to monitor in the Windows Server Security Log for a local server. See the Security-focused Event IDs to Monitor section for the configuration file holding these event IDs.

Table 110. Example list of security-focused event IDs to monitor. The IDs are the standard Windows Security log event IDs for these messages.

Event ID  Description
1102      The audit log was cleared.
4719      System audit policy was changed.
4704      A user right was assigned.
4717      System security access was granted to an account.
4738      A user account was changed.
4798      A user's local group membership was enumerated.
4705      A user right was removed.
4674      An operation was attempted on a privileged object.
4732      A member was added to a security-enabled local group.
4697      A service was installed in the system.
4625      An account failed to log on.
4648      A logon was attempted using explicit credentials.
4723      An attempt was made to change an account's password.
4946      A change has been made to Windows Firewall exception list. A rule was added.
4950      A Windows Firewall setting has changed.
6416      A new external device was recognized by the system.
6424      The installation of this device was allowed, after having previously been forbidden by policy.

118.4.2. Example monitoring configurations

Once a set of event IDs has been selected for monitoring, the im_msvistalog module can be configured.

The example configurations in this section are likely to require further modifications to suit each individual deployment.

Due to a bug or limitation of the Windows Event Log API, 23 or more clauses in a query will fail with the following error message: ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementation of the filter.; [error code: 15001]

An event ID in an XPath expression matches every provider that writes to the queried path, so all events carrying that ID are collected regardless of which provider produced them. Configure your dashboard or alerting system so that each event ID is associated with the provider it is expected from.

This configuration provides a basic example of Windows Security events to monitor. Since only a small number of IDs are presented, this configuration explicitly provides the actual event IDs to be collected.

This extended configuration provides a much wider scope of log collection. Note that this approach for specifying the event IDs requires defining the event IDs based on groups of events first. The QueryXML paths are added in the QueryXML block in bulk. Then the Exec block will filter for the defined event IDs, but only within the paths specified. It also drops event IDs that are not defined.

This configuration, similar to the extended configuration above, lists event IDs associated with the detection of malicious lateral movement. It is based on the JPCERT/CC research Detecting Lateral Movement through Tracking Event Logs.
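An added PowerShell example (not from the NXLog guide) for the first two configurations described above: it builds the QueryList XML that goes into the QueryXML block of im_msvistalog from the Table 110 event IDs, keeps each Select below the clause limit mentioned in the note above, and dry-runs the query through the same Windows Event Log API that NXLog subscribes through, grouping the result by provider to show the per-provider caveat. The event IDs are the standard Security log IDs for the Table 110 messages; the helper names and the per-Select clause cap of 20 are this example's own choices.

```powershell
# Added example: generate and locally validate the <QueryList> for im_msvistalog's QueryXML block.

# Table 110 IDs (standard Security log IDs for the listed messages).
$SecurityFocusedIds = [ordered]@{
    1102 = 'The audit log was cleared'
    4719 = 'System audit policy was changed'
    4704 = 'A user right was assigned'
    4717 = 'System security access was granted to an account'
    4738 = 'A user account was changed'
    4798 = "A user's local group membership was enumerated"
    4705 = 'A user right was removed'
    4674 = 'An operation was attempted on a privileged object'
    4732 = 'A member was added to a security-enabled local group'
    4697 = 'A service was installed in the system'
    4625 = 'An account failed to log on'
    4648 = 'A logon was attempted using explicit credentials'
    4723 = "An attempt was made to change an account's password"
    4946 = 'A change has been made to Windows Firewall exception list. A rule was added'
    4950 = 'A Windows Firewall setting has changed'
    6416 = 'A new external device was recognized by the system'
    6424 = 'The installation of this device was allowed, after having previously been forbidden by policy'
}

function New-EventIdQueryList {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int[]]$Ids,
        [int]$MaxClausesPerSelect = 20    # stay below the 23-clause failure described in the note above
    )
    # One <Select> per chunk of IDs; each is "EventID=a or EventID=b ..." inside *[System[(...)]].
    $selects = for ($i = 0; $i -lt $Ids.Count; $i += $MaxClausesPerSelect) {
        $last  = [math]::Min($i + $MaxClausesPerSelect, $Ids.Count) - 1
        $terms = ($Ids[$i..$last] | ForEach-Object { "EventID=$_" }) -join ' or '
        "    <Select Path=`"$Path`">*[System[($terms)]]</Select>"
    }
    return @"
<QueryList>
  <Query Id="0" Path="$Path">
$($selects -join "`n")
  </Query>
</QueryList>
"@
}

function Test-EventIdQueryList {
    # Dry run through the Windows Event Log API; an invalid query is rejected here exactly as it would be by NXLog.
    param([Parameter(Mandatory)][string]$QueryXml, [int]$MaxEvents = 200)
    $events = @(Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue -ErrorVariable queryErr)
    # "No events were found" is a pass for a dry run; anything else means the query itself was rejected.
    $fatal = @($queryErr | Where-Object { $_.Exception.Message -notmatch 'No events were found' })
    if ($fatal.Count -gt 0) { throw "Query rejected: $($fatal[0].Exception.Message)" }
    # IDs match every provider writing to the path: 1102, for instance, is written by Microsoft-Windows-Eventlog,
    # not Microsoft-Windows-Security-Auditing, so a provider filter on the latter would silently drop it.
    $events | Group-Object ProviderName, Id | Select-Object Count, Name
}

$query = New-EventIdQueryList -Path 'Security' -Ids ([int[]]$SecurityFocusedIds.Keys)
$query                              # paste this into the QueryXML block of im_msvistalog
Test-EventIdQueryList -QueryXml $query
```

For the extended and lateral-movement configurations, call New-EventIdQueryList once per path with the corresponding ID list and concatenate the Query elements; the Exec-block filtering the guide describes is then only needed for what the XPath cannot express.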


How to get a list of XML data name elements in EventData

The Security log uses a manifest from which you can get the whole event schema.

Run the following command from an elevated PowerShell prompt:

The .Events property is a collection of all of the events listed in the manifest on the local machine.

For each event, there is a .Template property holding the XML template used for the event properties (if there are any).

For example:

Mapping data name elements to the names in an event description

You can use the Template and the Description to map the data name elements that appear in the XML view to the names that appear in the event description.

The Description is just the format string (think of Console.WriteLine or sprintf), and the Template is the source of the input parameters for the Description.

Using Security event 4734 as an example:

For the Subject: Security ID: text element, it uses the fourth element in the Template, SubjectUserSid.

For Additional Information: Privileges:, it uses the eighth element, PrivilegeList.

A caveat to this principle is an often overlooked property of events called Version (in the System element) that indicates the revision of the event schema and description. Most events have a single version (Version = 0, as in the Security/4734 example), but a few events, such as Security/4624 or Security/4688, have at least three versions (0, 1, 2) depending on the OS version that generates the event. Only the latest version is used when generating events in the Security log. In any case, the Description must be taken from the same event Version as the Template.
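The manifest walk and the placeholder mapping described above, as an added PowerShell example (not Microsoft's code). It uses Get-WinEvent -ListProvider to read the manifest, takes the data names from the Template in order, and rewrites the %n placeholders of the Description with those names, choosing the highest Version by default because that is the one emitted. The function names are this example's own; the only assumption about the manifest is that Template data elements are lowercase <data name="..."/> elements, which is the documented schema.

```powershell
# Added example: list an event's EventData names from the provider manifest and map them onto its Description.

function Get-EventTemplateMap {
    param(
        [string]$Provider = 'Microsoft-Windows-Security-Auditing',
        [Parameter(Mandatory)][int]$Id,
        [int]$Version    # omit to take the highest version in the manifest, which is the one the OS emits
    )
    $versions = @((Get-WinEvent -ListProvider $Provider).Events | Where-Object { $_.Id -eq $Id })
    if ($versions.Count -eq 0) { throw "Event $Id is not in the manifest of $Provider" }

    $meta = if ($PSBoundParameters.ContainsKey('Version')) {
        $versions | Where-Object { $_.Version -eq $Version }
    } else {
        $versions | Sort-Object Version -Descending | Select-Object -First 1
    }
    if (-not $meta) { throw "Event $Id has no version $Version (available: $($versions.Version -join ', '))" }

    # Template <data name="..."/> elements in order: position n is what %n in the Description refers to.
    $names = @()
    if ($meta.Template) {
        $names = @(([xml]$meta.Template).GetElementsByTagName('data') | ForEach-Object { $_.GetAttribute('name') })
    }

    # Replace each %n with {DataName}; leave placeholders outside the template range untouched.
    $evaluator = {
        param($m)
        $n = [int]$m.Groups[1].Value
        if ($n -ge 1 -and $n -le $names.Count) { "{$($names[$n - 1])}" } else { $m.Value }
    }.GetNewClosure()
    $expanded = [regex]::Replace($meta.Description, '%(\d+)', $evaluator)

    [pscustomobject]@{
        Id          = $meta.Id
        Version     = $meta.Version
        Versions    = @($versions.Version | Sort-Object)
        DataNames   = $names
        Description = $expanded
    }
}

# 4734 as in the text: position 4 is SubjectUserSid, position 8 is PrivilegeList.
$m = Get-EventTemplateMap -Id 4734
$m.DataNames | ForEach-Object -Begin { $i = 0 } -Process { $i++; '{0,2}  {1}' -f $i, $_ }
$m.Description

# 4624 ships in several versions; show which exist and which one was taken for the mapping.
Get-EventTemplateMap -Id 4624 | Select-Object Id, Version, Versions
```

When building parsers or detection rules from a captured event, check that the event's System/Version matches the manifest version you mapped against; a rule written for 4624 version 0 will mis-label fields in a version 2 event because later versions append data elements.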
