Query Details

Defender Exclusions

Query

//Monitor changes in exclusions for Windows Defender

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
    and (RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
    or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes")

Explanation

This query monitors changes to Windows Defender exclusions. It selects registry events whose ActionType is "RegistryValueSet" and whose RegistryKey starts with one of the three Defender exclusion keys (Paths, Extensions or Processes), so each hit is a new or rewritten exclusion entry. Note that the query uses KQL verbatim string literals (@"..."), in which a backslash is taken literally, so the key paths must be written with single backslashes.
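The same filter, emulated in Python over a few constructed DeviceRegistryEvents rows so the matching logic can be checked offline. This is an added example, not part of the original page or of Rod Trent's query; the sample rows are hypothetical, and it additionally pulls out the excluded item from RegistryValueName, which is where Defender stores each exclusion entry.

```python
from typing import Iterable, List, Optional

# Root key the page's query watches; its three subkeys hold path, extension and process exclusions
EXCLUSION_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions"
EXCLUSION_TYPES = ("Paths", "Extensions", "Processes")

def exclusion_type(registry_key: str) -> Optional[str]:
    """Which exclusion list a key belongs to, or None if it is not a watched key.
    KQL's startswith is case-insensitive, so compare casefolded strings to match the query."""
    key = registry_key.casefold()
    for kind in EXCLUSION_TYPES:
        if key.startswith((EXCLUSION_ROOT + "\\" + kind).casefold()):
            return kind
    return None

def is_exclusion_change(event: dict) -> bool:
    """Mirror the query's where clause: ActionType == RegistryValueSet and a watched key."""
    return (event.get("ActionType") == "RegistryValueSet"
            and exclusion_type(event.get("RegistryKey", "")) is not None)

def find_exclusion_changes(events: Iterable[dict]) -> List[dict]:
    """Filter events like the query and pull out the fields an analyst triages on.
    Defender stores each exclusion as a value *name* under the subkey (the data is 0),
    so RegistryValueName is the excluded path, extension or process."""
    hits = []
    for ev in events:
        if is_exclusion_change(ev):
            hits.append({"device": ev.get("DeviceName"),
                         "exclusion_type": exclusion_type(ev["RegistryKey"]),
                         "excluded_item": ev.get("RegistryValueName")})
    return hits

# Constructed sample rows (not real telemetry) shaped like DeviceRegistryEvents columns
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "RegistryValueSet",
     "RegistryKey": EXCLUSION_ROOT + r"\Paths", "RegistryValueName": r"C:\Tools"},
    {"DeviceName": "ws01", "ActionType": "RegistryValueSet",
     "RegistryKey": EXCLUSION_ROOT + r"\Extensions", "RegistryValueName": ".ps1"},
    # Removing an exclusion is a different ActionType, so the query does not flag it
    {"DeviceName": "ws02", "ActionType": "RegistryValueDeleted",
     "RegistryKey": EXCLUSION_ROOT + r"\Processes", "RegistryValueName": "svc.exe"},
    # Another Windows Defender key, but not under Exclusions
    {"DeviceName": "ws02", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
     "RegistryValueName": "DisableRealtimeMonitoring"},
    # Lower-case key still matches, because startswith is case-insensitive in KQL
    {"DeviceName": "ws03", "ActionType": "RegistryValueSet",
     "RegistryKey": (EXCLUSION_ROOT + r"\Processes").lower(), "RegistryValueName": "updater.exe"},
]
```

Running `find_exclusion_changes(SAMPLE_EVENTS)` returns three hits (the Paths, Extensions and lower-case Processes rows); the deletion and the Real-Time Protection row are not matched, which is worth knowing if you also want to catch exclusion removals or other Defender tampering.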

Details

Rod Trent

Released: July 21, 2021

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents, ActionType, RegistryKey, HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, Windows Defender, Exclusions, Paths, Extensions, Processes

Operators

where, and, startswith, or