Enterprise Microsoft Defender Exclusion Files and Folder Path Audit Activity

joomla3597 35 Reputation points
2024-10-31T11:02:01.5333333+00:00

Hi Community Members,

Does anyone know where to locate the events for Defender file and folder path and file exclusions performed by admins? It's an enterprise Defender solution and not home. Many thanks.

Microsoft Defender for Cloud

1 answer

  1. James Hamil 24,926 Reputation points Microsoft Employee
    2024-10-31T17:13:43.22+00:00

    Hi @joomla3597, you should be able to use File Integrity Monitoring for this:

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview

    Microsoft Defender configurations, including exclusions, are often stored in specific files. However, many settings are stored in the Windows Registry.

    Common registry keys related to Microsoft Defender exclusions include:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extension

    You can add these to your FIM monitoring list.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

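An added example (not part of the answer above, and not Microsoft's own tooling): a PowerShell script that lists the exclusions stored under the registry keys named in the answer, then pulls the Defender configuration-change events that touch an `Exclusions` key. Event ID 5007 in the `Microsoft-Windows-Windows Defender/Operational` log, the plural `Extensions` policy key and the `$Days` parameter are additions that do not appear in the answer; the message parsing assumes English event text.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell session.
param([int]$Days = 30)   # hypothetical look-back window chosen for this example

# Registry keys as listed in the answer, plus the plural policy key (an addition).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extension',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions'
)

# Each exclusion is stored as a value name under its key; the value data is not needed.
$current = foreach ($key in $keys) {
    try {
        $item = Get-Item -LiteralPath $key -ErrorAction Stop
    } catch {
        # Missing key (nothing configured there) or access denied: report and move on.
        Write-Warning ("Skipping {0}: {1}" -f $key, $_.Exception.Message)
        continue
    }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Source    = if ($key -like '*\Policies\*') { 'Policy' } else { 'Local' }
            Type      = ($key -split '\\')[-1]
            Exclusion = $name
        }
    }
}
$current | Sort-Object Source, Type, Exclusion | Format-Table -AutoSize -Wrap

# Event ID 5007 is logged when the Defender configuration changes. Its message carries
# "Old value:" and "New value:" lines naming the registry value that was changed.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-$Days)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Exclusions\\' } |
    ForEach-Object {
        # [ \t]* keeps an empty "Old value:" line from swallowing the next line.
        $old = if ($_.Message -match 'Old value:[ \t]*(.*)') { $Matches[1].Trim() } else { '' }
        $new = if ($_.Message -match 'New value:[ \t]*(.*)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Computer = $_.MachineName; Old = $old; New = $new }
    } | Format-Table -AutoSize -Wrap
```

An empty `Old` with a populated `New` indicates an exclusion that was added; the reverse indicates one that was removed.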
