audit mode - remote event logs?

[BelOrta-TDP]

I read https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-To-Generate-Audit-Logs-via-App-Control-Policies, where you say that "The logs can also be collected in bulk from thousands of systems by the Microsoft Defender for Endpoint Advanced Hunting". We don't use Defender... Is there another way to collect these logs? I was thinking about logforwarding to a central log collector, and then run your tool there, but that feels a bit messy. Maybe there is a way to make your tool scan remote event logs (for a list of endpoints) ?

[HotCakeX]

Hi,
You could add the logs to a shared drive if devices are networked and access all logs from one location, just like you said, a central collection. I can add support for remote scenarios too but i need to know exactly which scenario. The more details i have the better i can implement the feature for you.

[BelOrta-TDP]

Well it looks that we are using Defender, but in some sort of passive mode. Will check if this can be used, and I'll get back to you if it doesn't work :-)

[BelOrta-TDP]

Apparently it does work with our passive defender :-) But I could use some help to understand what the "MDE Advanced Hunting" grid in AppControl Manager shows me.

First, I retrieve the logs for one PC that uses your SignedAndReputableAudit.xml policy. 796 logs are retrieved, but only a small part (101?) are shown? Is it correct that these are the ones that would be blocked when the policy was not in audit mode?

The Signed and Reputable policy would allow stuff signed by Microsoft. Why would it still be block things like this:

The action column tells 'Audit', is this the equivalent of 'would be blocked if not in audit mode' ?

[HotCakeX]

Yes, please see this section where i've explained about the event types supported. It is for Event logs page but the same is true for MDE Advanced Hunting as well: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Policy-From-Event-Logs#supported-event-types

TL/DR: what you are seeing is correct.

The action column tells 'Audit', is this the equivalent of 'would be blocked if not in audit mode' ?

Yes that's correct.

The Signed and Reputable policy would allow stuff signed by Microsoft. Why would it still be block things like this

The files you are showing in the screenshot are unsigned, that's probably why they would be blocked. Signed and Reputable's decisions are dynamic based on the ISG. It is recommended that you explicitly allow any file or program critical to your needs.

[BelOrta-TDP]

Makes sense, thanks. It's not a matter of finding out how to do the whole process (MDE advanced hunting, creating/updating existing policies and publish in intune, wait, do the hunting again, and so on). The AppControl Manager is a powerful tool but it has a UI that needs some time to get used to :-)

BTW: The MDE Advanced Hunting seems to ignore the date filter. And I'm not sure what the default ordering of the rows is, but certainly not the creation time :)

[BelOrta-TDP]

About the deduplicating of the events: I might have found a small issue when you filter on the date.

Here is a result from the Advanced hunting tool (filtered by the text 'MudBlazor'):

Here is what AppControl Manager shows without datefilter:

If I now filter for events starting from yesterday, this line will not be visible. Not sure why your tool picks the date 12/26/2025 (there are identical events before and after that date). Maybe it's better to use the most recent timestamp in this case?

(also: there seems to be a timezone issue: MDE shows 10:10 for one of the 12/26/2025 events, while your tool shows 09:10. No big deal. but it could make troubleshooting harder).

[HotCakeX]

The issue is related to timezone differences. The remote machines might be using a different timezone than the local one so it rounds everything up to 00:00 and only considers the date that you select.

Would adding a new UI control specifically for hours/minutes/seconds help with ability to set the custom timezone offset from the UTC?

[BelOrta-TDP]

The one-hour difference between AppControl Manager and MDE doesn't bother me too much. What is more important is what I described first: the events are deduplicated (good!) but the timestamp used is not the most recent one. So if I filter for all events since 'today' I don't see those events because the choosen timestamp is from a few days ago even if there are events from today.

[HotCakeX]

Ah i understand what's happening, thanks!
So I made the local Event log/EVTX file scans to work exactly like you said, but I think MDE log scans don't consider time for duplication, i'll check and make sure they do that in the next update!

[BelOrta-TDP]

Sounds good, thanks!

[BelOrta-TDP]

Using the app gives me more and more ideas on how to improve things to make it even better! :-)

• I started by creating a supplemental policy for each app I want to allow. Probably this is not the best way because it will lead to lots of policies. However, a lot of policies contain multiple file hash rules. If I merge them into fewer policies, it would become impossible to know which rule is for which app without keeping track of this in an excel file for example. Is it possible to add some sort of description when adding to an existing policy?
• I have to sign in to MS Graph for the deploy page, and again for the MDE hunting page. One time login that's used in both places would be more efficient?
• when AppControl Manager wants to open a browser (for these logins, but also for documentation links), I have to select an app to open https links. It asks this every time even if I choose 'always' instead of 'just once'.

More ideas might come soon :-)
(maybe I should create separate topics for each idea...)

[HotCakeX]

That's good and i appreciate new ways to improve the app ^^

1. It's recommended to keep the policies separate. One policy per app. The OS has no limit on how many policies you can deploy and the app offers management of cloud/local deployed policies no matter how many there are. We cannot add custom description fields to the policy but we could add similar things to other areas such as custom policy settings and they will be saved in the resulting CIP file too which means bigger generated CIP file. Locally, it won't matter, but when deploying to Intune, there is a limit of 350KB size.
2. You can and should use the same login session for everywhere else. When you log into the app and authenticate with your tenant, the login will be saved in the Signed-in accounts. All you have to do is select the account and then click/tap on Set as Active and then the page will instantly be able to use your login to perform the actions. I'd like to ask, do you feel like this workflow/behavior is not clear enough and do you have suggestion for improving it?

3. Interesting, that never happened to me, could it be possible that you have a policy in place that is causing it (just wondering)? I do plan to offer a built-in WebView2 so you won't have to leave the app. You'll be able to sign in within the app itself. Hopefully that will make it easier.

Feel free to create new issues/posts for anything else that might come up :)

[BelOrta-TDP]

I should have created separate issues, it will become messy now :-)

1. Adding documentation is not really necessary if we keep 1 policy per app, but thanks anyway
2. This does not seem to work for me. On the first login, for example on the MDE Advanced hunting page, I get this:

Then, on the Deploy policy page, under signed in accounts, I see this permission: ThreatHunting.Read.All. Clicking on 'set active' doesn't seem to do anything. On the sign in tab, the selected (default?) Authentication context is not 'intune'. I guess those 2 context cannot be mixed. As for improving ideas: if the same login session could be used, then maybe it could be automaticaly used? Or maybe just ask 'ok to use the same session?'...

3. What kind of policy would cause this? The admin account I use to start the program is a protected account, maybe that's a reason?

[HotCakeX]

It's not too late xD

Yes you're right, those are 2 groups of permissions and cannot be mixed. MDE Advanced Hunting is very limited, only a reader, but the Intune one is broad and allows for many features to work such as policy retrieval, removal, creation, group creation, assignments and so on.

I like the idea of having an option so user can set it to automatically assign an appropriate signed in account with a matching permission for each page, we probably should only do it if there are only 1 signed-in accounts for each set of permissions because if there are more i don't know what would be the good way to select one that user would want to use.

When i'm done with implementing more currently open feature requests, i want to overhaul and improve the entire sign-in experience.

About policy, i'm not really sure, i assume since it's a protected account there are limitations so you cannot change the default app associations for certain file extension handlers. Edge also has a feature that allows you to configure auto profile switching between work and profile, maybe it's an Edge policy: edge://settings/profiles/multiProfileSettings

[BelOrta-TDP]

One more suggestion. Yesterday I wanted to create a new supplemental policy but forgot to change the policy name. So it overwrote an existing xml policy without asking for confirmation. A small 'are you sure you want to overwrite the existing file' would be a lifesaver here :-)

[HotCakeX]

Ah yes i can see how it can be an issue, sorry about that. Your suggestion is great, but what do you think about this behavior: during policy creation it detects the same file exists, so it won't overwrite it and appends a (1) to the end of the file name. The number keeps going up as long as there are duplicates so if you reuse the same name 10 times you will have 10 files with names from (1),(2)...(10).

[BelOrta-TDP]

That's a possibility too. Or another way: ask the user if you should overwrite, or append a number to the filename?

[HotCakeX]

Hi @BelOrta-TDP
I just released a new update that includes 2 changes you requested: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/AppControlManager-v2.0.60.0

If you have any more requests or suggestions please open new issue for each one and i'll implement them too ^^

[BelOrta-TDP]

Wow that looks like a huge update! Thanks a lot for the effort, I will take a look at all the new stuff soon!

[HotCakeX]

It is, my pleasure, lmk what you think ^^

[HotCakeX]

Hi @BelOrta-TDP
I circled back to this thread and implemented the rest of your requests: #1080

They will be available in AppControl Manager v2.0.68.0

[BelOrta-TDP]

Thank you very much! I'm afraid I didn't find enough time to spend much time in the app yet. Too many other projects keep steeling my time. It's still on my to-do list though!