Fixed Audit/Block categorization MDE Advanced Hunting (#557)

When parsing the Microsoft Defender for Endpoint Advanced Hunting logs, Blocked events would show as Audit events in the data grid, that is now fixed.
HotCakeX · Jan 22, 2025 · c5fd8db · c5fd8db
1 parent d944863
commit c5fd8db
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/AppControl Manager/IntelGathering/GetMDEAdvancedHuntingLogsData.cs b/AppControl Manager/IntelGathering/GetMDEAdvancedHuntingLogsData.cs
@@ -184,7 +184,7 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
 				{
 
 					Origin = FileIdentityOrigin.MDEAdvancedHunting,
-					Action = EventAction.Audit,
+					Action = EventAction.Block,
 					TimeCreated = GetEventDataDateTimeValue(possibleCodeIntegrityBlockEvent.Timestamp),
 					ComputerName = possibleCodeIntegrityBlockEvent.DeviceName,
 					UserID = possibleCodeIntegrityBlockEvent.InitiatingProcessAccountName,
@@ -396,7 +396,7 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
 				{
 
 					Origin = FileIdentityOrigin.MDEAdvancedHunting,
-					Action = EventAction.Audit,
+					Action = EventAction.Block,
 					TimeCreated = GetEventDataDateTimeValue(possibleAppLockerBlockEvent.Timestamp),
 					ComputerName = possibleAppLockerBlockEvent.DeviceName,
 					UserID = possibleAppLockerBlockEvent.InitiatingProcessAccountName,
@@ -608,4 +608,4 @@ internal static HashSet<FileIdentity> Retrieve(List<MDEAdvancedHuntingData> data
 	#endregion
 
 
-}
+}