According to this tweet, Windows Defender's exclusions can be enumerated by listing events with ID 5007.
For example, whitelisting cmd.exe generates the following event
The tool https://github.com/0xsp-SRD/MDE_Enum already implements this finding and also enumerates event ID 1121 to retrieve the ASR rules that have matched.
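For auditing the same events from the defender's side, the following added example (not code from the tweet or from MDE_Enum) parses exported 5007 message text and reports which exclusions were added or removed. The sample messages are constructed, and the "Old value / New value" layout and the function names are assumptions of this sketch.

```python
import re

HEADER = ("Microsoft Defender Antivirus Configuration has changed. If this is an "
          "unexpected event you should review the settings as this may be the "
          "result of malware.")
KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender"

# Constructed 5007 messages (not taken from the page): add, remove, unrelated.
SAMPLE_MESSAGES = [
    HEADER + "\r\n\tOld value: \r\n\tNew value: " + KEY
    + r"\Exclusions\Paths\C:\Windows\System32\cmd.exe = 0x0",
    HEADER + "\r\n\tOld value: " + KEY
    + r"\Exclusions\Extensions\.tmp = 0x0" + "\r\n\tNew value: ",
    HEADER + "\r\n\tOld value: \r\n\tNew value: " + KEY
    + r"\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
]

# One "Old value:" / "New value:" line of the message; the value may be empty.
VALUE_RE = re.compile(r"^[ \t]*(Old|New) value:[ \t]*(.*)$", re.MULTILINE)
# Registry value under ...\Windows Defender\Exclusions\<kind>\<target> = 0x0
# (also matches the Policies hive, which uses the same sub-path).
EXCL_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\([^\\]+)\\(.+?)\s*=\s*0x[0-9A-Fa-f]+\s*$")


def exclusion_changes(message):
    """Return [(action, kind, target)] for one event 5007 message."""
    changes = []
    for which, value in VALUE_RE.findall(message):
        match = EXCL_RE.search(value)
        if match:
            # A key present only in "New value" was added; only in "Old" removed.
            action = "added" if which == "New" else "removed"
            changes.append((action, match.group(1), match.group(2)))
    return changes


def audit(messages):
    """Flatten exclusion changes across many messages, skipping other 5007s."""
    return [change for msg in messages for change in exclusion_changes(msg)]


if __name__ == "__main__":
    for action, kind, target in audit(SAMPLE_MESSAGES):
        print(f"exclusion {action}: [{kind}] {target}")
```

Because the exclusion target is visible in the event text to anyone who can read this log, alerting on unexpected "added" results and reviewing who can read the Defender operational log are the practical follow-ups.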