Merge pull request #1979 from MicrosoftDocs/main

diannegali · web-flow · commit 404ee438728c · 2024-11-21T11:08:33.000Z
publishing MDE updates
diff --git a/defender-endpoint/exploit-protection.md b/defender-endpoint/exploit-protection.md
@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 11/21/2024
 ---
 
 # Protect devices from exploits
@@ -60,6 +60,23 @@ DeviceEvents
 | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
 ```
 
+### Exploit Protection and advanced hunting
+
+Below are the advanced hunting actiontypes available for Exploit Protection.
+
+| Exploit Protection mitigation name | Exploit Protection - Advanced Hunting - ActionTypes | 
+|:---|:---|
+| Arbitrary code guard | ExploitGuardAcgAudited <br/> ExploitGuardAcgEnforced <br/>|
+| Don't allow child processes | ExploitGuardChildProcessAudited <br/> ExploitGuardChildProcessBlocked <br/> |
+| Export address filtering (EAF) | ExploitGuardEafViolationAudited <br/> ExploitGuardEafViolationBlocked <br/> |
+| Import address filtering (IAF) | ExploitGuardIafViolationAudited <br/> ExploitGuardIafViolationBlocked <br/> |
+| Block low integrity images | ExploitGuardLowIntegrityImageAudited <br/> ExploitGuardLowIntegrityImageBlocked <br/> |
+| Code integrity guard | ExploitGuardNonMicrosoftSignedAudited <br/> ExploitGuardNonMicrosoftSignedBlocked <br/> |
+|•	Simulate execution (SimExec)<br/> •	Validate API invocation (CallerCheck) <br/> •	Validate stack integrity (StackPivot) <br/> | ExploitGuardRopExploitAudited <br/> ExploitGuardRopExploitBlocked <br/> |
+| Block remote images | ExploitGuardSharedBinaryAudited <br/> ExploitGuardSharedBinaryBlocked <br/> |
+| Disable Win32k system calls | ExploitGuardWin32SystemCallAudited <br/> ExploitGuardWin32SystemCallBlocked <br/>|
+
+
 ## Review exploit protection events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:<br/><br/>
@@ -126,7 +143,6 @@ The table in this section indicates the availability and support of native mitig
 |Validate image dependency integrity | Yes | No |
 
 > [!NOTE]
-
 > The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10 and Windows 11, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. For more information on how Windows 10 employs existing EMET technology, see the [Mitigation threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit).
 
 ## See also
