
MC697431 WDAC Advanced Hunting Retired ActionTypes and Fields: Summary

  • December 14, 2023

Microsoft will be renaming the PolicyNameBuffer and PolicyIdBuffer fields in MDE Advanced Hunting WDAC events.

The technical terms here are:

MDE = Microsoft Defender for Endpoint
WDAC = Windows Defender Application Control

Advanced hunting is the feature for identifying (hunting for) events in your tenant that look like potential security weaknesses.

Within those events, the field named PolicyNameBuffer will be renamed to PolicyName, and PolicyIdBuffer will be renamed to PolicyID.

In addition, the following are also going away:

  • AppControlCodeIntegrityImageAudited (3035)
  • AppControlCodeIntegrityPolicyAudited (3078)
  • AppControlCodeIntegrityPolicyBlocked (3079)
  • AppControlCodeIntegrityPolicyAudited (3080)
  • AppControlCodeIntegrityPolicyBlocked (3081)

Concretely, what you need to do: if any of your scripts or queries use the affected names, change them to the new names.

Original article

Message summary

Microsoft will be renaming the PolicyNameBuffer and PolicyIdBuffer fields in MDE Advanced Hunting WDAC events. These fields will be renamed to PolicyName and PolicyID, respectively. We will continue to improve the experience and richness of WDAC event data in Advanced Hunting.

Additionally, we will be retiring the following WDAC action types from Advanced Hunting: 

  • AppControlCodeIntegrityImageAudited (3035)
  • AppControlCodeIntegrityPolicyAudited (3078)
  • AppControlCodeIntegrityPolicyBlocked (3079)
  • AppControlCodeIntegrityPolicyAudited (3080)
  • AppControlCodeIntegrityPolicyBlocked (3081)

When this will happen:

We will begin rolling out this change in mid-January 2024 and expect to complete by late January 2024.

How this will affect your organization:

For customers currently using the WDAC “AppControl” action types, here is a list of the fields that will be retired, alongside their alternatives in Advanced Hunting:

  • PolicyNameBuffer → PolicyName
  • PolicyIdBuffer → PolicyID

What you can do to prepare:

Your organization might be using PolicyNameBuffer or PolicyIdBuffer in your Advanced Hunting queries and custom detections; these fields will be retired soon. Please update your queries with the new fields to continue to leverage this valuable data and avoid breaking your current custom detections.

An example of your old query:

DeviceEvents
| where ActionType startswith 'AppControl'
| extend PolicyName = parsejson(AdditionalFields).PolicyNameBuffer
| extend PolicyId = parsejson(AdditionalFields).PolicyIdBuffer
| project ActionType,PolicyId,PolicyName

Your new query:

DeviceEvents
| where ActionType startswith 'AppControl'
| extend PolicyName = parsejson(AdditionalFields).PolicyName
| extend PolicyId = parsejson(AdditionalFields).PolicyID
| project ActionType,PolicyId,PolicyName
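The notice only shows the before/after for one query, but a tenant may have many saved queries and custom detections. As an added example (not part of the notice and not Microsoft tooling), the Python script below audits a set of KQL query texts for the two renamed fields and the retired AppControl action types, rewrites the renamed fields, and flags queries that depend on a retired action type (the notice names no replacement for those, so they are reported rather than rewritten). The "old query" it processes is the one from the notice; the other sample queries and the dictionary of query names are constructed for this example.

```python
import re

# Field renames from the notice: old AdditionalFields key -> new key.
FIELD_RENAMES = {
    "PolicyNameBuffer": "PolicyName",
    "PolicyIdBuffer": "PolicyID",
}

# ActionType values the notice retires (listed there with event IDs 3035 and 3078-3081).
# No replacement is named, so queries that filter on these are flagged, not rewritten.
RETIRED_ACTION_TYPES = frozenset({
    "AppControlCodeIntegrityImageAudited",
    "AppControlCodeIntegrityPolicyAudited",
    "AppControlCodeIntegrityPolicyBlocked",
})

# Word boundaries keep "PolicyName" (the new key) from matching inside a rewrite.
_FIELD_RE = re.compile(r"\b(" + "|".join(map(re.escape, FIELD_RENAMES)) + r")\b")
_ACTION_RE = re.compile(r"\b(" + "|".join(map(re.escape, sorted(RETIRED_ACTION_TYPES))) + r")\b")

# The old query exactly as shown in the notice, and the expected migrated form.
OLD_QUERY = (
    "DeviceEvents\n"
    "| where ActionType startswith 'AppControl'\n"
    "| extend PolicyName = parsejson(AdditionalFields).PolicyNameBuffer\n"
    "| extend PolicyId = parsejson(AdditionalFields).PolicyIdBuffer\n"
    "| project ActionType,PolicyId,PolicyName"
)
EXPECTED_NEW_QUERY = (
    "DeviceEvents\n"
    "| where ActionType startswith 'AppControl'\n"
    "| extend PolicyName = parsejson(AdditionalFields).PolicyName\n"
    "| extend PolicyId = parsejson(AdditionalFields).PolicyID\n"
    "| project ActionType,PolicyId,PolicyName"
)

# Constructed sample set: query name -> KQL text (names are hypothetical).
SAMPLE_QUERIES = {
    "wdac_policy_summary": OLD_QUERY,
    "wdac_audit_events": (
        "DeviceEvents\n"
        '| where ActionType == "AppControlCodeIntegrityPolicyAudited"\n'
        "| extend Policy = tostring(parse_json(AdditionalFields).PolicyNameBuffer)\n"
        "| summarize count() by Policy"
    ),
    "device_inventory": "DeviceInfo\n| summarize count() by OSPlatform",
}


def find_retired_references(query: str) -> dict:
    """Return the retired field names and retired action types a KQL query text references."""
    return {
        "fields": sorted(set(_FIELD_RE.findall(query))),
        "action_types": sorted(set(_ACTION_RE.findall(query))),
    }


def migrate_query(query: str) -> str:
    """Rewrite renamed AdditionalFields keys to their new names; retired action types are left as-is."""
    return _FIELD_RE.sub(lambda m: FIELD_RENAMES[m.group(1)], query)


def audit_queries(queries: dict) -> dict:
    """Audit name -> KQL text; return findings and migrated text for every affected query."""
    report = {}
    for name, text in queries.items():
        refs = find_retired_references(text)
        if refs["fields"] or refs["action_types"]:
            report[name] = {**refs, "migrated": migrate_query(text)}
    return report


if __name__ == "__main__":
    for name, finding in audit_queries(SAMPLE_QUERIES).items():
        print(f"== {name}: renamed fields {finding['fields']}, "
              f"retired action types {finding['action_types']}")
        print(finding["migrated"])
```

Running the script reports the two queries that need attention and leaves the unrelated inventory query out. A query that filters on a retired action type is still rewritten for the field rename, but its action-type dependency has to be resolved by hand, since the notice only removes those values without saying what replaces them.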