Posts tagged #execution

Using AppLocker's event logs for DFIR — allowed vs audited vs blocked (8002/8003/8004), the script and MSI channels, and how application-control logs double as an execution record even in audit mode.