YAML file for exploit protection events based on ‘View attack surface reduction events’

The comments inside the file say which Defender feature (attack surface reduction rules, controlled folder access, exploit protection, network protection) each group of event IDs belongs to; the event descriptions themselves are in the referenced Microsoft article.

  # Assumed context: these entries belong under winlogbeat.event_logs.
  # Each drop_event processor discards everything except the listed event
  # IDs for that channel. provider is a list of provider names (flow style
  # below) and sits on the event_logs entry, not under processors; it is
  # not a comma-separated string. Each channel is listed only once, so the
  # duplicated blocks and the duplicated 5007 entries of the original are gone.
  winlogbeat.event_logs:
    # attack surface reduction rule events, controlled folder access events
    # (1121-1124, 5007) and network protection events (1125, 1126, 5007),
    # merged because they share one channel
    - name: Microsoft-Windows-Windows Defender/Operational
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1121
            - equals.winlog.event_id: 1122
            - equals.winlog.event_id: 1123
            - equals.winlog.event_id: 1124
            - equals.winlog.event_id: 1125
            - equals.winlog.event_id: 1126
            - equals.winlog.event_id: 5007
    - name: Microsoft-Windows-Windows Defender/WHC
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1121
            - equals.winlog.event_id: 1122
            - equals.winlog.event_id: 1123
            - equals.winlog.event_id: 1124
            - equals.winlog.event_id: 1125
            - equals.winlog.event_id: 1126
            - equals.winlog.event_id: 5007
    # exploit protection events
    # note: the source table lists a range of Security-Mitigations IDs
    # (1 through 24); only the endpoints are kept here, so widen the list
    # if the intermediate mitigation events are wanted
    - name: Microsoft-Windows-Security-Mitigations/KernelMode
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Security-Mitigations/UserMode
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Win32k/Concurrency
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Win32k/Contention
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Win32k/Message
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Win32k/Operational
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Win32k/Power
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Win32k/Render
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Win32k/Tracing
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    - name: Microsoft-Windows-Win32k/UIPI
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    # this may be moved to another section for System related events
    - name: System
      provider: [Microsoft-Windows-Security-Mitigations, Microsoft-Windows-Win32k, Microsoft-Windows-WER-Diag, Win32k]
      processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1
            - equals.winlog.event_id: 24
            - equals.winlog.event_id: 5
            - equals.winlog.event_id: 260
    # test for PowerShell (no filtering yet: every event in these channels is shipped)
    - name: Microsoft-Windows-PowerShell/Operational
    - name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
    - name: Windows PowerShell

YMMV! Your mileage may vary.
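As an added check, not part of the original file or of Winlogbeat itself, the Python below mirrors what the per-channel provider lists and the drop_event.when.not.or filters above do, runs them over constructed sample events, and lints the config shape for the two copy-paste mistakes the original file had (a channel listed twice, an event ID repeated inside one filter). The EVENT_LOGS structure, the condensed provider lists and every sample event are hand-built assumptions.

```python
from collections import Counter

# Hand-built copy of the config entries above (channel name, optional
# provider allow-list, kept event IDs); the WHC entry keeps the page's
# duplicated 5007 on purpose so that lint() has something to find.
EVENT_LOGS = [
    {"name": "Microsoft-Windows-Windows Defender/Operational",
     "keep_ids": [1121, 1122, 1123, 1124, 5007]},
    {"name": "Microsoft-Windows-Windows Defender/WHC",
     "keep_ids": [1121, 1122, 5007, 1123, 1124, 5007]},
    {"name": "Microsoft-Windows-Security-Mitigations/KernelMode",
     "provider": ["Microsoft-Windows-Security-Mitigations", "Win32k"],
     "keep_ids": [1, 24, 5, 260]},
]

def keep_event(entry, event):
    """Provider allow-list is applied when the channel is read, then
    drop_event.when.not.or drops the event unless some equals.winlog.event_id matches."""
    if event["channel"] != entry["name"]:
        return False  # this entry does not read that channel
    providers = entry.get("provider")
    if providers and event["provider"] not in providers:
        return False  # excluded by the provider allow-list
    return any(event["event_id"] == wanted for wanted in entry["keep_ids"])

def surviving_ids(entry, events):
    return [ev["event_id"] for ev in events if keep_event(entry, ev)]

def lint(event_logs):
    """Flag a channel listed twice and an event ID repeated in one filter."""
    problems = []
    names = Counter(e["name"] for e in event_logs)
    problems += [f"channel listed more than once: {n}" for n, c in names.items() if c > 1]
    for e in event_logs:
        dup_ids = sorted(i for i, c in Counter(e["keep_ids"]).items() if c > 1)
        if dup_ids:
            problems.append(f"{e['name']}: repeated event_id {dup_ids}")
    return problems

# Constructed sample events (not real log records).
SAMPLES = [
    {"channel": "Microsoft-Windows-Windows Defender/Operational",
     "provider": "Microsoft-Windows-Windows Defender", "event_id": 1121},
    {"channel": "Microsoft-Windows-Windows Defender/Operational",
     "provider": "Microsoft-Windows-Windows Defender", "event_id": 1000},
    {"channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
     "provider": "Microsoft-Windows-Security-Mitigations", "event_id": 24},
    {"channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
     "provider": "ConstructedOtherProvider", "event_id": 24},
]
```

Running lint() over the page's original layout (the same channel twice, 5007 twice) reports both problems; on the cleaned file it reports nothing.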