From 209ac57f8b3ac1fd730bc7549ac0c8f61d1ba83c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 2 Apr 2019 09:22:07 -0700 Subject: [PATCH] added table --- .../attack-surface-reduction-exploit-guard.md | 11 +---------- .../evaluate-attack-surface-reduction.md | 12 +++++++++++- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index ab6498dcae..a799cf3c7d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/26/2018 +ms.date: 04/02/2019 --- # Reduce attack surfaces with attack surface reduction rules @@ -236,15 +236,6 @@ SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -## Review attack surface reduction events in Windows Event Viewer - -You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: - -Event ID | Description -5007 | Event when settings are changed -1121 | Event when an attack surface reduction rule fires in audit mode -1122 | Event when an attack surface reduction rule fires in block mode - ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 5e3d8457aa..f54bdb311e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 04/02/2019 --- # Evaluate attack surface reduction rules @@ -45,6 +45,16 @@ This enables all attack surface reduction rules in audit mode. >If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). +## Review attack surface reduction events in Windows Event Viewer + +You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: + +| Event ID | Description | +|----------|-------------| +|5007 | Event when settings are changed | +| 1121 | Event when an attack surface reduction rule fires in audit mode | +| 1122 | Event when an attack surface reduction rule fires in block mode | + ## Customize attack surface reduction rules During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
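Review bot: In the `@@ -236,15 +236,6 @@` hunk of attack-surface-reduction-exploit-guard.md, the "Review attack surface reduction events in Windows Event Viewer" section is deleted with nothing left in its place, so a reader of the main topic goes straight from the last rule's GUID to "## Related topics" with no pointer to where event IDs 5007, 1121 and 1122 are now documented. Consider leaving a one-line cross-reference to evaluate-attack-surface-reduction.md at the old location or under "Related topics". The subject line "added table" also does not say that the section was moved between files, which makes the removal hard to find in history later.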
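Review bot: In the `@@ -45,6 +45,16 @@` hunk of evaluate-attack-surface-reduction.md, the first data row is written `|5007 | Event when settings are changed |` without the leading space that the `| 1121 |` and `| 1122 |` rows have, and the intro sentence says "attack surface rules" where the heading and the rest of the page say "attack surface reduction rules". Suggest `| 5007 | Event when settings are changed |` and "when attack surface reduction rules block (or audit) an app". Because this table is what readers will use to tell audit hits from blocks, it is worth confirming the 1121 and 1122 descriptions against the Windows Defender event reference while the text is being moved rather than carrying them over unchecked. The trailing context line also has "individualy", which could be fixed in the same change.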