Here's just a quick reference for Windows Defender Application Guard Event IDs and the correspondent string (ActionType) for Defender Advanced Hunting:
|
ActionType |
EventID |
Description |
|
AppControlCodeIntegrityDriverRevoked |
3023 |
The driver file under validation didn't meet the requirements to
pass the application control policy. |
|
AppControlCodeIntegrityImageRevoked |
3036 |
The signed file under validation is signed by a code signing
certificate that has been revoked by Microsoft or the certificate issuing
authority. |
|
AppControlCodeIntegrityPolicyAudited |
3076 |
This event is the main Windows Defender Application Control
block event for audit mode policies. It indicates the file would have been
blocked if the WDAC policy was enforced. |
|
AppControlCodeIntegrityPolicyBlocked |
3077 |
This event is the main Windows Defender Application Control
block event for enforced policies. It indicates the file didn't pass your
WDAC policy and was blocked. |
|
AppControlExecutableAudited |
8003 |
Applied only when the Audit only enforcement mode is enabled.
Specifies the .exe or .dll file would be blocked if the Enforce rules
enforcement mode were enabled. |
|
AppControlExecutableBlocked |
8004 |
The .exe or .dll file can't run. |
|
AppControlPackagedAppAudited |
8021 |
Applied only when the Audit only enforcement mode is enabled.
Specifies the packaged app would be blocked if the Enforce rules enforcement
mode were enabled. |
|
AppControlPackagedAppBlocked |
8022 |
The packaged app was blocked by the policy. |
|
AppControlScriptAudited |
8006 |
Applied only when the Audit only enforcement mode is enabled.
Specifies the script or .msi file would be blocked if the Enforce rules
enforcement mode were enabled. |
|
AppControlScriptBlocked |
8007 |
Access to file name restricted by administrator. Applied when
the Enforce rules enforcement mode is set directly or indirectly through GPO
inheritance. The script or .msi file can't run. |
|
AppControlCIScriptAudited |
8028 |
Audit script/MSI file generated by Windows LockDown Policy
(WLDP) being called by the script hosts themselves. |
|
AppControlCIScriptBlocked |
8029 |
Block script/MSI file generated by Windows LockDown Policy
(WLDP) being called by the script hosts themselves. |
|
AppControlCodeIntegrityOriginAllowed |
3090 |
File was allowed due to good reputation (ISG) or installation
source (managed installer). |
|
AppControlCodeIntegrityOriginAudited |
3091 |
Reputation (ISG) and installation source (managed installer)
information for an audited file. |
|
AppControlCodeIntegrityOriginBlocked |
3092 |
Reputation (ISG) and installation source (managed installer)
information for a blocked file. |
|
AppControlCodeIntegrityPolicyLoaded |
3099 |
Indicates a policy has been successfully loaded. |
|
AppControlCodeIntegritySigningInformation |
3089 |
Signing information event correlated with either a 3076 or 3077
event. One 3089 event is generated for each signature of a file. |
|
AppControlPolicyApplied |
8001 |
Indicates the AppLocker policy was successfully applied to the
computer. |
If you need to clear AppLocker polices here's how to do it:
