WDAC Advanced Hunting Retired ActionTypes and Fields


MC697431 · Exchange Online, SharePoint Development

From Microsoft Corporation
Technical Bulletin MC697431 · Published Dec 12, 2023

Message Summary

Microsoft will be renaming the PolicyNameBuffer and PolicyIdBuffer fields in MDE Advanced Hunting WDAC events. These fields will be renamed to PolicyName and PolicyID, respectively. We will continue to improve the experience and richness of WDAC event data in Advanced Hunting.

Additionally, we will be retiring the following WDAC action types from Advanced Hunting:

  • AppControlCodeIntegrityImageAudited (3035)
  • AppControlCodeIntegrityPolicyAudited (3078)
  • AppControlCodeIntegrityPolicyBlocked (3079)
  • AppControlCodeIntegrityPolicyAudited (3080)
  • AppControlCodeIntegrityPolicyBlocked (3081)

When this will happen:

We will begin rolling out this change in mid-January 2024 and expect to complete by late January 2024.

How this will affect your organization:

For customers currently using the WDAC “AppControl” action types, here is the list of fields that will be retired, alongside their replacements in Advanced Hunting:

  • PolicyNameBuffer → PolicyName
  • PolicyIdBuffer → PolicyID

What you can do to prepare:

Your organization might be using PolicyNameBuffer or PolicyIdBuffer in your Advanced Hunting queries and custom detections; these fields will be retired soon. Please update your queries to use the new field names so that you continue to receive this data and do not break your current custom detections.

An example of your old query:

DeviceEvents
| where ActionType startswith 'AppControl'
// Retired field names (stop working once the rename rolls out)
| extend PolicyName = parse_json(AdditionalFields).PolicyNameBuffer
| extend PolicyId = parse_json(AdditionalFields).PolicyIdBuffer
| project ActionType, PolicyId, PolicyName

Your new query:

DeviceEvents
| where ActionType startswith 'AppControl'
// New field names: PolicyName and PolicyID
| extend PolicyName = parse_json(AdditionalFields).PolicyName
| extend PolicyId = parse_json(AdditionalFields).PolicyID
| project ActionType, PolicyId, PolicyName
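Because the rollout runs over roughly two weeks, a tenant may see events carrying the old field names and events carrying the new ones in the same query window. The following query is an added example, not part of the Microsoft bulletin: it reads the new PolicyName/PolicyID fields and falls back to the retired *Buffer fields where they are still present, and it flags rows that still depend on a retired field or on one of the retired action types listed above, so the output doubles as an impact check for existing custom detections. The 7-day window and the output columns are assumptions chosen for illustration.

```kql
// Added example (not from the Microsoft bulletin): transition-safe WDAC query.
// Retired ActionType names are the ones listed in this bulletin; the three
// distinct names are used because the list repeats two of them with different event IDs.
let RetiredActionTypes = dynamic([
    "AppControlCodeIntegrityImageAudited",
    "AppControlCodeIntegrityPolicyAudited",
    "AppControlCodeIntegrityPolicyBlocked"
]);
DeviceEvents
| where Timestamp > ago(7d)                       // assumed window for the check
| where ActionType startswith "AppControl"
| extend AF = parse_json(AdditionalFields)
// Prefer the new field names; coalesce() skips empty strings, so rows that only
// carry the retired *Buffer fields still resolve during the rollout.
| extend PolicyName = coalesce(tostring(AF.PolicyName), tostring(AF.PolicyNameBuffer))
| extend PolicyId   = coalesce(tostring(AF.PolicyID),   tostring(AF.PolicyIdBuffer))
// Rows that resolved only via a retired field: these indicate devices or
// detections still on the old schema.
| extend UsesRetiredField = isempty(tostring(AF.PolicyName)) and isnotempty(tostring(AF.PolicyNameBuffer))
// Rows whose ActionType disappears from Advanced Hunting entirely.
| extend UsesRetiredActionType = ActionType in (RetiredActionTypes)
| project Timestamp, DeviceName, ActionType, PolicyId, PolicyName, UsesRetiredField, UsesRetiredActionType
| order by Timestamp desc
```

Once the rollout has completed in your tenant, UsesRetiredField should be false on every row; any custom detection that only keys on one of the retired action types will return no rows and needs to be rewritten against the remaining AppControl action types.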
