Most of the features included in Windows Defender Exploit Guard can be enabled in audit or block mode. The impact can then be analyzed either by looking at the corresponding Windows Event log entries or through advanced hunting queries in Windows Defender ATP.
Today, I’ll share a script I recently wrote to quickly pull Windows Defender Exploit Guard related events from the Windows Event log. Anytime soon I will share some Kusto queries for the advanced hunting method through MDATP.
Note that the current version of the script only pulls events for Controlled Folder Access Network Protection and Attack Surface Rules. I plan to exten the script to also include Exploit Protection rules anytime soon. Needs a bit of extra effort since these events are scattered over multiple event log sources.