Defender for Endpoint - Exploit Guard Events
MDE Exploit Guard
Query
DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Audited"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceName) by ActionTypeAbout this query
Defender for Endpoint - Exploit Guard Events
Query Information
Description
Use the below queries to retrieve Exploit Guard audit and block events from Microsoft Defennder for Endpoint.
References
Microsoft Defender XDR
Get stats on ExploitGuard blocks - count events and machines per rule
Get stats on ExploitGuard blocks - count events and machines per rule
DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Blocked"
// Count total stats - count events and machines per rule
| summarize EventCount=count(), MachinesCount=dcount(DeviceName) by ActionType
Explanation
This query is designed to analyze security events related to Exploit Guard in Microsoft Defender for Endpoint. It consists of two parts:
-
Audit Events:
- The first part of the query retrieves and summarizes events where Exploit Guard actions were audited.
- It filters events from the
DeviceEventstable where theActionTypestarts with "ExploitGuard" and ends with "Audited". - It then counts the total number of such events (
EventCount) and the number of unique machines (MachinesCount) affected, grouped by the type of action (ActionType).
-
Block Events:
- The second part of the query focuses on events where Exploit Guard actions were blocked.
- Similar to the first part, it filters events where the
ActionTypestarts with "ExploitGuard" and ends with "Blocked". - It summarizes the total number of block events and the number of unique machines involved, again grouped by
ActionType.
In summary, these queries help you understand how often Exploit Guard rules are being triggered in audit and block modes, and how many devices are affected by each rule.
Details

Alex Verboon
Released: April 16, 2026
Tables
DeviceEvents
Keywords
DeviceEventsActionTypeDeviceNameExploitGuardAuditedBlockedEventCountMachinesCount
Operators
|wherestartswithendswithsummarizecountdcountby