Query Details

Defender for Endpoint - Exploit Guard Events

MDE Exploit Guard

Query

DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Audited"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceName) by ActionType

About this query

Defender for Endpoint - Exploit Guard Events

Query Information

Description

Use the below queries to retrieve Exploit Guard audit and block events from Microsoft Defennder for Endpoint.

References

Microsoft Defender XDR

Get stats on ExploitGuard blocks - count events and machines per rule

Get stats on ExploitGuard blocks - count events and machines per rule

DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Blocked"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceName) by ActionType

Explanation

This query is designed to analyze security events related to Exploit Guard in Microsoft Defender for Endpoint. It consists of two parts:

  1. Audit Events:

    • The first part of the query retrieves and summarizes events where Exploit Guard actions were audited.
    • It filters events from the DeviceEvents table where the ActionType starts with "ExploitGuard" and ends with "Audited".
    • It then counts the total number of such events (EventCount) and the number of unique machines (MachinesCount) affected, grouped by the type of action (ActionType).
  2. Block Events:

    • The second part of the query focuses on events where Exploit Guard actions were blocked.
    • Similar to the first part, it filters events where the ActionType starts with "ExploitGuard" and ends with "Blocked".
    • It summarizes the total number of block events and the number of unique machines involved, again grouped by ActionType.

In summary, these queries help you understand how often Exploit Guard rules are being triggered in audit and block modes, and how many devices are affected by each rule.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

DeviceEvents

Keywords

DeviceEventsActionTypeDeviceNameExploitGuardAuditedBlockedEventCountMachinesCount

Operators

|wherestartswithendswithsummarizecountdcountby

Actions

GitHub