Merge pull request #2949 from MaratMussabekov/#2837

update attack-surface-reduction-exploit-guard.md, issue #2837

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -36,6 +36,29 @@ Triggered rules display a notification on the device. You can [customize the not
 
 For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 
+## Review attack surface reduction events in Windows Event Viewer
+
+You can review the Windows event log to view events that are created when attack surface reduction rules fire:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+
+2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
+
+3. Click **Import custom view...** on the left panel, under **Actions**.
+   
+4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+5. Click **OK**.
+
+This will create a custom view that filters to only show the following events related to controlled folder access:
+
+Event ID | Description
+-|-
+5007 | Event when settings are changed
+1121 | Event when rule fires in Block-mode
+1122 | Event when rule fires in Audit-mode
+
+
 ## Attack surface reduction rules
 
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs: