Query Details
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "AppLocker"
// or ActionType startswith "AppControl" // for WDAC
// See all the events using the inbuilt portal schema reference: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables#get-schema-information-in-the-security-center
// Action Types include AppLockerBlockExecutable, AppLockerBlockPackagedApp, AppLockerBlockPackagedAppInstallation, AppLockerBlockScript
// You may also want to exclude AppControlExecutableBlocked which is WDAC.
This query is designed to filter and analyze device events related to application control over the past 30 days. Here's a simple breakdown:
Data Source: The query is looking at the DeviceEvents table, which contains various events generated by devices.
Time Filter: It only considers events that have occurred in the last 30 days (TimeGenerated > ago(30d)).
Action Type Filter: It keeps events whose ActionType starts with "AppLocker". A commented-out alternative filters on "AppControl" instead, which selects Windows Defender Application Control (WDAC) events rather than AppLocker ones.
Event Types: The AppLocker action types of interest are AppLockerBlockExecutable, AppLockerBlockPackagedApp, AppLockerBlockPackagedAppInstallation and AppLockerBlockScript (blocked executables, packaged apps, packaged-app installations and scripts). The comments also suggest excluding AppControlExecutableBlocked, which is a WDAC event, if the AppControl filter is used.
In summary, this query is used to identify and analyze recent application control events, particularly those involving AppLocker, while excluding certain WDAC events.
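As an added example (not part of the original query), the same filter extended into a per-device block summary, covering both AppLocker and WDAC events while dropping AppControlExecutableBlocked as the comment suggests. It assumes the standard DeviceEvents columns DeviceName, FileName, FolderPath, SHA256 and InitiatingProcessAccountName, and that the workspace uses TimeGenerated (in the Defender portal the column is Timestamp).

```kusto
// Added example, not the page's original query.
// Counts application-control blocks per device and file over the last 30 days.
DeviceEvents
| where TimeGenerated > ago(30d)
// AppLocker events plus the WDAC (AppControl) family
| where ActionType startswith "AppLocker" or ActionType startswith "AppControl"
// WDAC executable blocks are excluded here, as the original comment suggests
| where ActionType != "AppControlExecutableBlocked"
| summarize BlockCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            // up to 10 distinct accounts that triggered the block
            Users = make_set(InitiatingProcessAccountName, 10)
    by DeviceName, ActionType, FileName, FolderPath, SHA256
| order by BlockCount desc
```

A file that is blocked repeatedly on many devices usually indicates a policy gap or a missing rule rather than an isolated attempt, so the per-file grouping is the first thing to review.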

Jay Kerai
Released: September 9, 2025