From 96f132bac503ea21f739e1d563e4bb2148d14764 Mon Sep 17 00:00:00 2001
From: Malin De Silva <malindesilva@live.com>
Date: Fri, 5 Jul 2019 13:35:57 +0530
Subject: [PATCH] Added the example query

---
 .../network-protection-exploit-guard.md                    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index d211891329..e4fccb655d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -51,6 +51,13 @@ Microsoft Defender ATP provides detailed reporting into events and blocks as par
 
 You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
 
+Here is an example query 
+
+```
+MiscEvents
+| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
+```
+
 ## Review network protection events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: