Query Details

MDE Exploit Guard

Query

# Exploit Guard Events

## Query Information


### Description

Use the queries below to retrieve Exploit Guard audit and block events from Microsoft Defender for Endpoint.


#### References


### Microsoft 365 Defender

Get stats on ExploitGuard audits - count events and machines per rule

```kql
DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Audited"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceName) by ActionType
```

Get stats on ExploitGuard blocks - count events and machines per rule

```kql
DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Blocked"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceName) by ActionType
```


Explanation

The query retrieves Exploit Guard audit and block events from Microsoft Defender for Endpoint. It counts the total number of events and machines per rule for both audit and block actions.
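The two queries above report audit and block counts separately. The combined query below is an added example, not part of the original page, that puts both modes side by side per rule so you can see which rules have been audited widely enough to move to block mode. It assumes the ActionType values follow the pattern ExploitGuard<Rule>Audited / ExploitGuard<Rule>Blocked, which the two queries above rely on, and uses the standard DeviceEvents columns Timestamp, DeviceName and InitiatingProcessFileName; the 30-day window is an arbitrary choice.

```kql
// Added example: audit vs block counts side by side per Exploit Guard rule
DeviceEvents
| where Timestamp > ago(30d)                       // assumption: 30-day lookback
| where ActionType startswith "ExploitGuard"
// Strip the prefix and the Audited/Blocked suffix to get the rule name
| extend Rule = replace_regex(ActionType, @"^ExploitGuard|(Audited|Blocked)$", "")
| summarize
    AuditedEvents    = countif(ActionType endswith "Audited"),
    AuditedMachines  = dcountif(DeviceName, ActionType endswith "Audited"),
    BlockedEvents    = countif(ActionType endswith "Blocked"),
    BlockedMachines  = dcountif(DeviceName, ActionType endswith "Blocked"),
    // Processes most often involved, useful when deciding on exclusions
    TopProcesses     = make_set(InitiatingProcessFileName, 5)
    by Rule
| order by AuditedEvents desc
```

A rule with a high AuditedMachines count but few distinct TopProcesses is usually a good candidate for block mode; a rule whose audits spread across many unrelated processes is worth reviewing for false positives before enforcing it.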

Details


Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

ExploitGuard,DeviceEvents,ActionType,Audited,Blocked,EventCount,MachinesCount,MicrosoftDefenderforEndpoint

Operators

where, startswith, endswith, summarize, count, dcount
