Event ID 8028 — FilePath was allowed to run but would have been prevented if the Config CI policy were enforced.
Description
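The file named in the event's `FilePath` field was allowed to run, but it would have been prevented if the Config CI (configurable code integrity) policy were enforced. Nothing was blocked: the event records what enforcement would have stopped, so it is an audit result rather than a denial.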
Message
Fields
| Name | Type | Description |
|---|---|---|
| FilePathLength | UInt16 | — |
| FilePath | UnicodeString | — |
| Sha1Hash | Binary | — |
| Sha256Hash | Binary | — |
| Result | Int32 | — |
| USN | Int64 | — |
| Sha1CatalogHash | Binary | — |
| Sha256CatalogHash | Binary | — |
| UserWriteable | Boolean | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
"event_source_name": "",
"event_id": 8028,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T00:54:55.214802+00:00",
"event_record_id": 241,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-6B7D-E5E43710DA01"
},
"execution": {
"process_id": 12792,
"thread_id": 6736
},
"channel": "Microsoft-Windows-AppLocker/MSI and Script",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"FilePathLength": 70,
"FilePath": "C:\\Windows\\Installer\\{6F11CAC3-D33D-4360-B139-73F3276A2B9A}\\loc.en.mst",
"Sha1Hash": "C9FD8657FD8262EF19369B5FB6CAA7CB7632FC87",
"Sha256Hash": "3881BD701A2B9DE71742065AADC110FBFFD17F127785FDA4E17570A77FC3FA84",
"Result": -790036478,
"USN": 309169000,
"Sha1CatalogHash": "C9FD8657FD8262EF19369B5FB6CAA7CB7632FC87",
"Sha256CatalogHash": "9A71D576BC994B8C6DCFA683B38313596DCE7774784D46EFC5FE5D97724043BC",
"UserWriteable": false
},
"message": ""
}