{"id":4367,"date":"2023-12-12T10:01:50","date_gmt":"2023-12-12T01:01:50","guid":{"rendered":"https:\/\/m365jp.xyz\/?p=4367"},"modified":"2023-12-12T10:14:21","modified_gmt":"2023-12-12T01:14:21","slug":"mc697431-wdac-advanced-hunting-retired-actiontypes-and-fields","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2023-12-12-mc697431-wdac-advanced-hunting-retired-actiontypes-and-fields","title":{"rendered":"MC697431 | WDAC Advanced Hunting Retired ActionTypes and Fields"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC697431 | WDAC Advanced Hunting Retired ActionTypes and Fields<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>12\/12\/2023 00:14:37<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>12\/12\/2023 00:14:11<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>02\/15\/2024 08:00:00<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<p>Microsoft will be renaming the <i>PolicyNameBuffer<\/i> and <i>PolicyIdBuffer<\/i> fields in MDE Advanced Hunting <i>WDAC<\/i> events. These fields will be renamed to <i>PolicyName<\/i> and <i>PolicyID<\/i>, respectively.
We will continue to improve the experience and richness of WDAC event data in Advanced Hunting.<\/p>\n<p>Additionally, we will be retiring the following WDAC action types from Advanced Hunting:<\/p>\n<ul>\n<li>AppControlCodeIntegrityImageAudited (3035)<\/li>\n<li>AppControlCodeIntegrityPolicyAudited (3078)<\/li>\n<li>AppControlCodeIntegrityPolicyBlocked (3079)<\/li>\n<li>AppControlCodeIntegrityPolicyAudited (3080)<\/li>\n<li>AppControlCodeIntegrityPolicyBlocked (3081)<\/li>\n<\/ul>\n<p>[When this will happen:]<\/p>\n<p>We will begin rolling out this change in mid-January 2024 and expect to complete by late January 2024.<\/p>\n<p>[How this will affect your organization:]<\/p>\n<p>For customers currently using the WDAC &#8220;AppControl&#8221; action types, here is a list of the fields that will be retired, alongside their alternatives in Advanced Hunting:<\/p>\n<table>\n<tbody>\n<tr>\n<th>Old Field<\/th>\n<th>New Field<\/th>\n<\/tr>\n<tr>\n<td>PolicyNameBuffer<\/td>\n<td>PolicyName<\/td>\n<\/tr>\n<tr>\n<td>PolicyIdBuffer<\/td>\n<td>PolicyID<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>[What you can do to prepare:]<\/p>\n<p>Your organization might be using <i>PolicyNameBuffer<\/i> or <i>PolicyIdBuffer<\/i> in your Advanced Hunting queries and custom detections; these fields will be retired soon. Please update your queries with the new fields to continue to leverage this valuable data and avoid breaking your current custom detections.
<\/p>\n<p>An example of your old query:<\/p>\n<p><code>DeviceEvents<\/code><\/p>\n<p><code>| where ActionType startswith 'AppControl'<\/code><\/p>\n<p><code>| extend PolicyName = parsejson(AdditionalFields).PolicyNameBuffer<\/code><\/p>\n<p><code>| extend PolicyId = parsejson(AdditionalFields).PolicyIdBuffer<\/code><\/p>\n<p><code>| project ActionType,PolicyId,PolicyName<\/code><\/p>\n<p>Your new query:<\/p>\n<p><code>DeviceEvents<\/code><\/p>\n<p><code>| where ActionType startswith 'AppControl'<\/code><\/p>\n<p><code>| extend PolicyName = parsejson(AdditionalFields).PolicyName<\/code><\/p>\n<p><code>| extend PolicyId = parsejson(AdditionalFields).PolicyID<\/code><\/p>\n<p><code>| project ActionType,PolicyId,PolicyName<\/code><\/p>\n<\/td>\n<\/tr>\n<tr>\n<th>Machine Translation<\/th>\n<td>\n<p>Microsoft will rename the <i>PolicyNameBuffer<\/i> and <i>PolicyIdBuffer<\/i> fields in MDE Advanced Hunting <i>WDAC<\/i> events. These fields will be renamed to <i>PolicyName<\/i> and <i>PolicyID<\/i>, respectively. We will continue to improve the experience and richness of WDAC event data in Advanced Hunting.<\/p>\n<p>Additionally, the following WDAC action types will be retired from Advanced Hunting.<\/p>\n<ul>\n<li>AppControlCodeIntegrityImageAudited (3035)<\/li>\n<li>AppControlCodeIntegrityPolicyAudited (3078)<\/li>\n<li>AppControlCodeIntegrityPolicyBlocked (3079)<\/li>\n<li>AppControlCodeIntegrityPolicyAudited 
(3080)<\/li>\n<li>AppControlCodeIntegrityPolicyBlocked (3081)<\/li>\n<\/ul>\n<p>[When this will happen:]<\/p>\n<p>This change will begin rolling out in mid-January 2024 and is expected to complete by late January 2024.<\/p>\n<p>[How this will affect your organization:]<\/p>\n<p>For customers currently using the WDAC &#8220;AppControl&#8221; action types, the following lists the fields that will be retired and their alternatives in Advanced Hunting.<\/p>\n<table>\n<tbody>\n<tr>\n<th>Old Field<\/th>\n<th>New Field<\/th>\n<\/tr>\n<tr>\n<td>PolicyNameBuffer<\/td>\n<td>PolicyName<\/td>\n<\/tr>\n<tr>\n<td>PolicyIdBuffer<\/td>\n<td>PolicyID<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>[What you can do to prepare:]<\/p>\n<p>Your organization may be using <i>PolicyNameBuffer<\/i> or 
<i>PolicyIdBuffer<\/i> in Advanced Hunting queries and custom detections; these will be retired soon. To continue to make use of this valuable data and avoid breaking your current custom detections, please update your queries with the new fields.<\/p>\n<p>Example of the old query:<\/p>\n<p><code>DeviceEvents<\/code><\/p>\n<p><code>| where ActionType startswith 'AppControl'<\/code><\/p>\n<p><code>| extend PolicyName = parsejson(AdditionalFields).PolicyNameBuffer<\/code><\/p>\n<p><code>| extend PolicyId = parsejson(AdditionalFields).PolicyIdBuffer<\/code><\/p>\n<p><code>| project ActionType,PolicyId,PolicyName<\/code><\/p>\n<p>The new query is as follows:<\/p>\n<p><code>DeviceEvents<\/code><\/p>\n<p><code>| where ActionType startswith 'AppControl'<\/code><\/p>\n<p><code>| extend PolicyName = parsejson(AdditionalFields).PolicyName<\/code><\/p>\n<p><code>| extend PolicyId = parsejson(AdditionalFields).PolicyID<\/code><\/p>\n<p><code>| project ActionType,PolicyId,PolicyName<\/code><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC697431 | WDAC Advanced Hunting Retired ActionTypes and Fields Classification planForChange Last Updated 12\/1 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4367","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/4367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=4367"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/4367\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=4367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=4367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=4367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}