Device Events App Locker Events
Query
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "AppLocker" //or ActionType startswith "AppControl" //for WDAC
//See all the events using the inbuilt portal schema reference: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables#get-schema-information-in-the-security-center
//Action Types include AppLockerBlockExecutable, AppLockerBlockPackagedApp, AppLockerBlockPackagedAppInstallation, AppLockerBlockScript
// You may also want to exclude AppControlExecutableBlocked which is WDAC.Explanation
This query is designed to filter and analyze device events related to application control over the past 30 days. Here's a simple breakdown:
-
Data Source: The query is looking at the
DeviceEventstable, which contains various events generated by devices. -
Time Filter: It only considers events that have occurred in the last 30 days (
TimeGenerated > ago(30d)). -
Action Type Filter: It focuses on events where the
ActionTypestarts with "AppLocker" or "AppControl". These are related to application control activities, specifically using AppLocker or Windows Defender Application Control (WDAC). -
Event Types: The query is interested in specific types of AppLocker events, such as blocking executables, packaged apps, and scripts. However, it suggests excluding the
AppControlExecutableBlockedevent, which is specific to WDAC.
In summary, this query is used to identify and analyze recent application control events, particularly those involving AppLocker, while excluding certain WDAC events.
Details

Jay Kerai
Released: September 9, 2025
Tables
Keywords
Operators