ausgovcaf-cloudsoe/kql/windows-exploit-protection-...


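// Show all Exploit Protection events from the Log Analytics `Event` table, with
// each numeric EventID translated to the mitigation it represents.
//
// Prerequisite: the event logs referenced below (Security-Mitigations
// KernelMode/UserMode, Win32k/Operational, System) must be collected into the
// workspace, otherwise the query simply returns no rows.
//
// Lookup key format is "<EventLog>-<EventID>", which must match the EventLogID
// built by the `extend` below. The join is leftouter, so a matching event that
// has no entry here is still returned, just with an empty Mitigation.
let Mitigations = datatable (EventLogID:string, Mitigation:string)
[
// Security-Mitigations events: odd IDs are audit-mode, even IDs are enforce/block.
"Microsoft-Windows-Security-Mitigations/KernelMode-1", "ACG audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-2", "ACG enforce",
"Microsoft-Windows-Security-Mitigations/KernelMode-3", "Do not allow child processes audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-4", "Do not allow child processes block",
"Microsoft-Windows-Security-Mitigations/KernelMode-5", "Block low integrity images audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-6", "Block low integrity images block",
"Microsoft-Windows-Security-Mitigations/KernelMode-7", "Block remote images audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-8", "Block remote images block",
"Microsoft-Windows-Security-Mitigations/KernelMode-9", "Disable win32k system calls audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-10", "Disable win32k system calls block",
"Microsoft-Windows-Security-Mitigations/KernelMode-11", "Code integrity guard audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-12", "Code integrity guard block",
"Microsoft-Windows-Security-Mitigations/KernelMode-13", "EAF audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-14", "EAF enforce",
"Microsoft-Windows-Security-Mitigations/KernelMode-15", "EAF+ audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-16", "EAF+ enforce",
"Microsoft-Windows-Security-Mitigations/KernelMode-17", "IAF audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-18", "IAF enforce",
"Microsoft-Windows-Security-Mitigations/KernelMode-19", "ROP StackPivot audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-20", "ROP StackPivot enforce",
"Microsoft-Windows-Security-Mitigations/KernelMode-21", "ROP CallerCheck audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-22", "ROP CallerCheck enforce",
"Microsoft-Windows-Security-Mitigations/KernelMode-23", "ROP SimExec audit",
"Microsoft-Windows-Security-Mitigations/KernelMode-24", "ROP SimExec enforce",
"Microsoft-Windows-Security-Mitigations/UserMode-1", "ACG audit",
"Microsoft-Windows-Security-Mitigations/UserMode-2", "ACG enforce",
"Microsoft-Windows-Security-Mitigations/UserMode-3", "Do not allow child processes audit",
"Microsoft-Windows-Security-Mitigations/UserMode-4", "Do not allow child processes block",
"Microsoft-Windows-Security-Mitigations/UserMode-5", "Block low integrity images audit",
"Microsoft-Windows-Security-Mitigations/UserMode-6", "Block low integrity images block",
"Microsoft-Windows-Security-Mitigations/UserMode-7", "Block remote images audit",
"Microsoft-Windows-Security-Mitigations/UserMode-8", "Block remote images block",
"Microsoft-Windows-Security-Mitigations/UserMode-9", "Disable win32k system calls audit",
"Microsoft-Windows-Security-Mitigations/UserMode-10", "Disable win32k system calls block",
"Microsoft-Windows-Security-Mitigations/UserMode-11", "Code integrity guard audit",
"Microsoft-Windows-Security-Mitigations/UserMode-12", "Code integrity guard block",
"Microsoft-Windows-Security-Mitigations/UserMode-13", "EAF audit",
"Microsoft-Windows-Security-Mitigations/UserMode-14", "EAF enforce",
"Microsoft-Windows-Security-Mitigations/UserMode-15", "EAF+ audit",
"Microsoft-Windows-Security-Mitigations/UserMode-16", "EAF+ enforce",
"Microsoft-Windows-Security-Mitigations/UserMode-17", "IAF audit",
"Microsoft-Windows-Security-Mitigations/UserMode-18", "IAF enforce",
"Microsoft-Windows-Security-Mitigations/UserMode-19", "ROP StackPivot audit",
"Microsoft-Windows-Security-Mitigations/UserMode-20", "ROP StackPivot enforce",
"Microsoft-Windows-Security-Mitigations/UserMode-21", "ROP CallerCheck audit",
"Microsoft-Windows-Security-Mitigations/UserMode-22", "ROP CallerCheck enforce",
"Microsoft-Windows-Security-Mitigations/UserMode-23", "ROP SimExec audit",
"Microsoft-Windows-Security-Mitigations/UserMode-24", "ROP SimExec enforce",
// The CFG event is filtered below as EventLog "System", EventID 5, Source
// "Microsoft-Windows-WER-Diag", so its EventLogID is "System-5". The previous
// key "WER-Diagnostics-5" never matched and CFG blocks surfaced with an empty
// Mitigation. Only WER-Diag System/5 rows pass the filter, so the key is unambiguous.
"System-5", "CFG Block",
"Microsoft-Windows-Win32k/Operational-260", "Untrusted Font"
];
Event
// Keep the filter tight: the log name is required alongside the EventID so that
// unrelated sources sharing the same small EventIDs (1-24, 5) are excluded.
| where (EventID >= 1 and EventID <= 24 and EventLog in ("Microsoft-Windows-Security-Mitigations/KernelMode", "Microsoft-Windows-Security-Mitigations/UserMode"))
    or (EventID == 260 and EventLog == "Microsoft-Windows-Win32k/Operational")
    or (EventID == 5 and EventLog == "System" and Source == "Microsoft-Windows-WER-Diag")
// Build the same "<EventLog>-<EventID>" key used by the Mitigations table.
| extend EventLogID = strcat(EventLog, "-", tostring(EventID))
| join kind=leftouter Mitigations on EventLogID
| project TimeGenerated, Computer, UserName, Mitigation, RenderedDescription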