From d474a6dd01114c8fbd7a0c480c023d060a00023a Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Thu, 4 Jul 2019 15:58:41 +0200 Subject: [PATCH 1/3] Update exploit-protection-exploit-guard.md Added a review section. --- .../exploit-protection-exploit-guard.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index c5ee205c10..1d60f79a68 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -45,6 +45,19 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http >[!WARNING] >Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +## Review exploit protection events in the Windows Defender ATP Security Center + +Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. + +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings would affect your environment if they were enabled. + +Here is an example query: + +``` +MiscEvents +| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection' +``` + ## Review exploit protection events in Windows Event Viewer You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: From 60c33cb4aa3363f61dad704e0a39a2955d30f7bb Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Sun, 7 Jul 2019 14:42:51 +0200 Subject: [PATCH 2/3] Update windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../exploit-protection-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 1d60f79a68..dc31cb9a38 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -49,7 +49,7 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment. Here is an example query: From 45387aba81f1ae001be1435aab3c854087f22df4 Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Wed, 10 Jul 2019 09:57:38 +0200 Subject: [PATCH 3/3] Update exploit-protection-exploit-guard.md --- .../exploit-protection-exploit-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index dc31cb9a38..d701915788 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -45,9 +45,9 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http >[!WARNING] >Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. -## Review exploit protection events in the Windows Defender ATP Security Center +## Review exploit protection events in the Microsoft Security Center -Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.