ExploitGuardStats detects potential adversary activity by identifying unusual patterns in ExploitGuard block events, which may indicate attempts to bypass endpoint protections. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover stealthy attacks that evade traditional detection mechanisms.
KQL Query
```kusto
// View ExploitGuard audit events - but remove repeating events (e.g. multiple events with same machine, rule, file and process)
DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Audited"
| summarize Timestamp = max(Timestamp) by DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, SHA1
```
```yaml
id: 263f7a27-7c44-4e28-adc3-df5cb3fdc2bb
name: ExploitGuardStats (1)
description: |
  Get stats on ExploitGuard blocks - count events and machines per rule.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  // View ExploitGuard audit events - but remove repeating events (e.g. multiple events with same machine, rule, file and process)
  DeviceEvents
  | where ActionType startswith "ExploitGuard" and ActionType endswith "Audited"
  | summarize Timestamp = max(Timestamp) by DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, SHA1
```
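The query above only deduplicates the audit events; the "count events and machines per rule" the description promises still needs a second roll-up. The following KQL is an added example, not part of the original hunting query, that performs that roll-up on top of the same deduplication step. It assumes a seven-day hunting window (the `lookback` value is a choice, not something the page specifies) and uses only the DeviceEvents columns the original query already references.

```kusto
// Added example (not from the original query): per-rule statistics built on
// the original deduplication step. Assumption: a 7-day hunting window.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "ExploitGuard" and ActionType endswith "Audited"
// Same deduplication as the original query: one row per machine/rule/file/process
| summarize Timestamp = max(Timestamp)
    by DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine,
       InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, SHA1
// Roll the unique tuples up per rule (ActionType carries the rule name)
| summarize
    UniqueEvents = count(),
    Machines     = dcount(DeviceName),
    LastSeen     = max(Timestamp),
    TopProcesses = make_set(InitiatingProcessFileName, 5)
    by ActionType
// A rule that fires on a single host is the one that deserves a closer look;
// a rule firing fleet-wide is more likely a policy or software rollout
| extend Spread = case(Machines == 1, "single host",
                       Machines <= 5, "few hosts",
                       "widespread")
| order by Machines asc, UniqueEvents desc
```

Sorting by `Machines` ascending puts the rare, host-specific rules at the top of the result set, which is where a hunter should start; `TopProcesses` gives an immediate hint whether the initiating process is an expected one for that rule.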
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Known benign scenarios and suggested exclusions

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| ExploitGuard Stats Collection via PowerShell Script | A scheduled PowerShell script runs to gather ExploitGuard statistics for reporting purposes. | `ProcessName != "powershell.exe" OR CommandLine NOT LIKE "*Get-MpComputerStatus*"` |
| Administrative Task: ExploitGuard Policy Update | An admin manually updates ExploitGuard policies through the Microsoft Defender Security Center, which may temporarily trigger stats collection. | `ProcessName != "msedge.exe" OR CommandLine NOT LIKE "*Microsoft Defender Security Center*"` |
| Scheduled Job: ExploitGuard Health Check | A system health check job runs daily to verify ExploitGuard status across all endpoints. | `ProcessName != "taskeng.exe" OR CommandLine NOT LIKE "*HealthCheck*"` |
| ExploitGuard Integration with SIEM Tool (e.g., Splunk) | A SIEM tool (e.g., Splunk) periodically pulls ExploitGuard statistics for centralized monitoring. | `ProcessName != "splunkd.exe" OR CommandLine NOT LIKE "*ExploitGuard*"` |
| ExploitGuard Stats Export for Compliance Audit | An admin exports ExploitGuard statistics to a CSV file for compliance or audit purposes. | `ProcessName != "cmd.exe" OR CommandLine NOT LIKE "*Export-CimInstance*"` |
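The exclusions above are written in a generic SQL-like pseudo-syntax rather than in KQL, and they name columns (`ProcessName`, `CommandLine`) that DeviceEvents does not have. The block below is an added example, not from the original page, that applies the same five exclusions to the original query. It assumes that `ProcessName` maps to `InitiatingProcessFileName`, that `CommandLine` maps to `InitiatingProcessCommandLine`, and that each `NOT LIKE "*x*"` test is a case-insensitive substring test; the allowlist is kept in a `datatable` so that it can be reviewed and extended without touching the query logic.

```kusto
// Added example (not from the original page): the exclusion scenarios expressed
// against DeviceEvents. Assumptions: ProcessName -> InitiatingProcessFileName,
// CommandLine -> InitiatingProcessCommandLine, "NOT LIKE *x*" -> case-insensitive
// substring match. Marker values are stored lower-case because indexof() is
// case-sensitive and the command line is lower-cased before the comparison.
let KnownBenign = datatable(Process:string, Marker:string, Reason:string) [
    "powershell.exe", "get-mpcomputerstatus",               "scheduled stats script",
    "msedge.exe",     "microsoft defender security center", "admin policy update",
    "taskeng.exe",    "healthcheck",                        "daily health check job",
    "splunkd.exe",    "exploitguard",                       "SIEM collector",
    "cmd.exe",        "export-ciminstance",                 "compliance export"
];
DeviceEvents
| where ActionType startswith "ExploitGuard" and ActionType endswith "Audited"
// Original deduplication step: one row per machine/rule/file/process
| summarize Timestamp = max(Timestamp)
    by DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine,
       InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, SHA1
| extend Process = tolower(InitiatingProcessFileName)
| join kind=leftouter KnownBenign on Process
// Suppress only when BOTH the process AND the command-line marker match. This is
// the De Morgan form of the table's "ProcessName != X OR CommandLine NOT LIKE *Y*":
// a known process with an unexpected command line stays in the result set.
| extend Suppressed = isnotempty(Marker)
                      and indexof(tolower(InitiatingProcessCommandLine), Marker) >= 0
| where not(Suppressed)
// Drop the helper columns (Process and the join's Process1 copy) from the output
| project-away Process*, Marker, Reason, Suppressed
```

To audit the allowlist itself rather than apply it, replace the final `where` and `project-away` with `summarize count() by Suppressed, Reason`: that shows how many deduplicated events each scenario is absorbing, which is the quickest way to spot an exclusion that has grown too broad.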