Defender Exclusions
Query
//Monitor changes in exclusions for Windows Defender
DeviceRegistryEvents
| where ((ActionType == "RegistryValueSet") and (RegistryKey startswith @"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"))Explanation
This query is used to monitor changes in exclusions for Windows Defender. It looks for registry events where the action type is "RegistryValueSet" and the registry key starts with specific paths related to Windows Defender exclusions.
Details

Rod Trent
Released: July 21, 2021
Tables
DeviceRegistryEvents
Keywords
DeviceRegistryEventsActionTypeRegistryKeyHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows DefenderExclusionsPathsExtensionsProcesses
Operators
whereandstartswithor