Learn Editor: Update exploit-protection.md

Author: YongRhee-MSFT

defender-endpoint/exploit-protection.md

@@ -60,6 +60,23 @@ DeviceEvents
 | where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
 ```
 
+### Exploit Protection and advanced hunting
+
+Below are the advanced hunting actiontypes available for Exploit Protection.
+
+| Exploit Protection mitigation name | Exploit Protection - Advanced Hunting - ActionTypes | 
+|:---|:---|
+| Arbitrary code guard | ExploitGuardAcgAudited <br/> ExploitGuardAcgEnforced <br/>|
+| Don't allow child processes | ExploitGuardChildProcessAudited <br/> ExploitGuardChildProcessBlocked <br/> |
+| Export address filtering (EAF) | ExploitGuardEafViolationAudited <br/> ExploitGuardEafViolationBlocked <br/> |
+| Import address filtering (IAF) | ExploitGuardIafViolationAudited <br/> ExploitGuardIafViolationBlocked <br/> |
+| Block low integrity images | ExploitGuardLowIntegrityImageAudited <br/> ExploitGuardLowIntegrityImageBlocked <br/> |
+| Code integrity guard | ExploitGuardNonMicrosoftSignedAudited <br/> ExploitGuardNonMicrosoftSignedBlocked <br/> |
+|•	Simulate execution (SimExec)<br/> •	Validate API invocation (CallerCheck) <br/> •	Validate stack integrity (StackPivot) <br/> | ExploitGuardRopExploitAudited <br/> ExploitGuardRopExploitBlocked <br/> |
+| Block remote images | ExploitGuardSharedBinaryAudited <br/> ExploitGuardSharedBinaryBlocked <br/> |
+| Disable Win32k system calls | ExploitGuardWin32SystemCallAudited <br/> ExploitGuardWin32SystemCallBlocked <br/>|
+
+
 ## Review exploit protection events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:<br/><br/>