From 6fbdd7753134b8acab01f508ce325b1f257a07f9 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 16 Mar 2019 13:32:44 +0500
Subject: [PATCH 1/2] update attack-surface-reduction-exploit-guard.md added section for event views

---
 .../attack-surface-reduction-exploit-guard.md | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index f010ab338b..50deb828c4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -35,6 +35,29 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +## Review attack surface reduction events in Windows Event Viewer + +You can review the Windows event log to see events that are created when attack surface reduction rules fire: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. + +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...**. + +4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to controlled folder access: + +Event ID | Description +-|- +5007 | Event when settings are changed +1121 | Event when rule fires in Block-mode +1122 | Event when rule fires in Audit-mode + + ## Attack surface reduction rules The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy: @@ -238,4 +261,4 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c ## Related topics - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) \ No newline at end of file +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) From c62cacee883b776b254f267a1b45abed98247bce Mon Sep 17 00:00:00 2001 
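Review bot: The new section in the PATCH 1/2 hunk (@@ -35,6 +35,29 @@) is on the attack surface reduction page, but step 1 tells the reader to extract *cfa-events.xml* and the closing sentence says the custom view shows "events related to controlled folder access", while the table it introduces lists ASR rule events ("Event when rule fires in Block-mode" / "Event when rule fires in Audit-mode"). The file name and wording look copied from the controlled folder access page; the steps should point at the attack surface reduction view XML from the evaluation package, and the sentence should read "related to attack surface reduction". Two smaller issues in the same list: the step number "4." is used twice ("4. Navigate to where you extracted..." and "4. Click **OK**."), and "5. This will create a custom view..." is a result, not an action, so it should be a plain paragraph after the list rather than a numbered step.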
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sat, 23 Mar 2019 07:53:54 +0500
Subject: [PATCH 2/2] copy editor review applied

---
 .../attack-surface-reduction-exploit-guard.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 50deb828c4..6d95b7eaba 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -37,19 +37,19 @@ For information about configuring attack surface reduction rules, see [Enable at ## Review attack surface reduction events in Windows Event Viewer -You can review the Windows event log to see events that are created when attack surface reduction rules fire: +You can review the Windows event log to view events that are created when attack surface reduction rules fire: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer. -3. On the left panel, under **Actions**, click **Import custom view...**. +3. Click **Import custom view...** on the left panel, under **Actions**. -4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md). -4. Click **OK**. +5. Click **OK**. -5. This will create a custom view that filters to only show the following events related to controlled folder access: +This will create a custom view that filters to only show the following events related to controlled folder access: Event ID | Description -|-
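Review bot: The copy edit in the PATCH 2/2 hunk (@@ -37,19 +37,19 @@) fixes the duplicated step number and demotes "This will create a custom view..." from a list item to a paragraph, but it leaves the controlled folder access references in place: step 1 and step 4 still name *cfa-events.xml*, and the unchanged closing line still says "filters to only show the following events related to controlled folder access", even though the section heading is "Review attack surface reduction events in Windows Event Viewer" and the table lists events for when an attack surface reduction rule fires in Block-mode or Audit-mode. Change the sentence to "...the following events related to attack surface reduction:" and have steps 1 and 4 reference the attack surface reduction custom view XML from the evaluation package instead of the controlled folder access one, so the imported view matches the event IDs the table documents.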