add event viewer gif and instructions for manually viewing events

This commit is contained in:
Iaan D'Souza-Wiltshire 2017-09-28 16:19:47 -07:00
parent 614ed27747
commit 459586af69
10 changed files with 91 additions and 67 deletions

View File

@ -64,27 +64,27 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r
Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
- | - | - | - - | - | - | -
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | No Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | No Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | No Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | No Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | No Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | No Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block remote images | Prevents loading of images from remote devices. | App-level only | Yes Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | Yes Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.md)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | Yes Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.md)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
>[!IMPORTANT] >[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: >If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
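Review bot: In the Import address filtering (IAF) row the new side drops the sentence "Can optionally validate access by modules commonly used by exploits.", while every other row in this hunk only swaps the Yes/No cell for an include. The commit message does not mention a content change, so confirm the removal is intended or restore the sentence. The Code integrity guard row is rewritten here as well and still reads "WQL", which looks like a typo for "WHQL"; worth fixing in the same pass.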
@ -92,10 +92,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
> >
>Enabled in **Program settings** | Enabled in **System settings** | Behavior >Enabled in **Program settings** | Enabled in **System settings** | Behavior
>:-: | :-: | :-: >:-: | :-: | :-:
><svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><title>Check mark yes</title><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | <svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><title>Check mark no</title><polygon fill='#d83b01' points='95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2'/></svg> | As defined in **Program settings** >[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | As defined in **Program settings**
><svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | <svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><title>Check mark yes</title><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | As defined in **Program settings** >[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **Program settings**
><svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><title>Check mark no</title><polygon fill='#d83b01' points='95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2'/></svg> | <svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><title>Check mark yes</title><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | As defined in **System settings** >[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **System settings**
>[!include[Check mark no](graphics.md)] | [!include[Check mark yes](graphics.md#yes)] | Default as defined in **Use default** option >[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | Default as defined in **Use default** option
> >
> >
> >
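Review bot: The last two rows of the matrix carry the same icon pair (check-no under **Program settings**, check-yes under **System settings**) but describe different behavior: "As defined in **System settings**" and "Default as defined in **Use default** option". The old side had the same pair, so the include swap preserves what looks like an existing error. The final row presumably needs check-no in both columns; please verify and correct it while these lines are being rewritten.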

View File

@ -183,7 +183,7 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
## Review Attack Surface Reduction events in Windows Event Viewer ## Review Attack Surface Reduction events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool: You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
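Review bot: The rewritten sentence keeps the typo "the events there were created"; it should read "the events that were created". The old line ended in a colon that introduced the numbered steps, and the new line ends on the "locate them manually" link, so the steps now follow the alternative rather than the custom-view instruction. Consider moving the link sentence after the steps or adding a short lead-in before step 1.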

View File

@ -81,7 +81,7 @@ You can enable Controlled Folder Access, run the tool, and see what the experien
## Review Controlled Folder Access events in Windows Event Viewer ## Review Controlled Folder Access events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool: You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
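Review bot: This sentence and its link to `event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events` are now pasted near-verbatim into several evaluation topics in this commit. Since the commit already moves the check marks into include files, the same approach for this shared sentence would keep the wording and the anchor in one place if the target heading is ever renamed.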

View File

@ -58,7 +58,7 @@ First, enable the mitigation using PowerShell, and then confirm that it has been
2. Enter the following cmdlet: 2. Enter the following cmdlet:
```PowerShell ```PowerShell
Set—ProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation
``` ```
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -92,7 +92,7 @@ Lastly, we can disable the mitigation so that Internet Explorer works properly a
## Review Exploit Protection events in Windows Event Viewer ## Review Exploit Protection events in Windows Event Viewer
You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened: You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.

View File

@ -69,7 +69,7 @@ You will get a 403 Forbidden response in the browser, and you will see a notific
## Review Network Protection events in Windows Event Viewer ## Review Network Protection events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when performing the demo: You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.

View File

@ -41,6 +41,8 @@ You can create custom views in the Windows Event Viewer to only see events for s
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details.
### Import an existing XML custom view ### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
@ -144,40 +146,48 @@ The easiest way to do this is to import a custom view as an XML file. You can ob
All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
1. Open the **Start** menu and type **event viewer**, and then click on the **Event Viewer** result.
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
![Animation showing using Event Viewer](images/event-viewer.gif)
Feature | Provider/source | Event ID | Description Feature | Provider/source | Event ID | Description
:-|:-|:-:|:- :-|:-|:-:|:-
Exploit Protection | Security-Mitigations | 1 | ACG audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit
Exploit Protection | Security-Mitigations | 2 | ACG enforce Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce
Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit
Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block
Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit
Exploit Protection | Security-Mitigations | 6 | Block low integrity images block Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block
Exploit Protection | Security-Mitigations | 7 | Block remote images audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit
Exploit Protection | Security-Mitigations | 8 | Block remote images block Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block
Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block
Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit
Exploit Protection | Security-Mitigations | 12 | Code integrity guard block Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block
Exploit Protection | Security-Mitigations | 13 | EAF audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit
Exploit Protection | Security-Mitigations | 14 | EAF enforce Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce
Exploit Protection | Security-Mitigations | 15 | EAF+ audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit
Exploit Protection | Security-Mitigations | 16 | EAF+ enforce Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce
Exploit Protection | Security-Mitigations | 17 | IAF audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit
Exploit Protection | Security-Mitigations | 18 | IAF enforce Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce
Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit
Exploit Protection | Security-Mitigations | 20 | ROP StackPivot enforce Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce
Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit
Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce
Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit
Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce
Exploit Protection | WER-Diagnostics | 5 | CFG Block Exploit Protection | WER-Diagnostics | 5 | CFG Block
Exploit Protection | Win32K | 260 | Untrusted Font Exploit Protection | Win32K (Operational) | 260 | Untrusted Font
Network Protection | Windows Defender | 5007 | Event when settings are changed Network Protection | Windows Defender (Operational) | 5007 | Event when settings are changed
Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode Network Protection | Windows Defender (Operational) | 1125 | Event when Network Protection fires in Audit-mode
Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode Network Protection | Windows Defender (Operational) | 1126 | Event when Network Protection fires in Block-mode
Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed Controlled Folder Access | Windows Defender (Operational) | 5007 | Event when settings are changed
Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event Controlled Folder Access | Windows Defender (Operational) | 1124 | Audited Controlled Folder Access event
Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event Controlled Folder Access | Windows Defender (Operational) | 1123 | Blocked Controlled Folder Access event
Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed Attack Surface Reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode Attack Surface Reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode Attack Surface Reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
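Review bot: Every Security-Mitigations row on the new side spells the log name "Kernal Mode/User Mode"; it should be "Kernel Mode", and because readers will look for this exact node in Event Viewer the spelling matters. In the added steps, step 3 ends "find the one you are looking." and is missing "for", and "Windows Event viewer" in the lead-in does not match the "Event Viewer" capitalization used in step 1.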

Binary file not shown.

Size: 1.1 MiB

View File

@ -0,0 +1,7 @@
<svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
<title>Check mark no</title>
<polygon
fill='#d83b01'
points='95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2'
/>
</svg>
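Review bot: The root element mixes quote styles, with double quotes on `width` and `height` and single quotes on `xmlns`, `viewBox`, `fill` and `points`; pick one style so both icon files stay consistent. The `<title>` is the only text alternative where this include replaces a former plain "No" cell, so consider whether "Check mark no" is the wording a screen reader should announce there.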

Size: 302 B

View File

@ -0,0 +1,7 @@
<svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
<title>Check mark yes</title>
<path
fill='#0E8915'
d='M129 20L55 94 21 60 10 71l45 45 85-85z'
/>
</svg>

Size: 222 B

View File

@ -59,9 +59,9 @@ Each of the features in Windows Defender EG have slightly different requirements
Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md)
-|-|-|- -|-|-|-
Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | Must be enabled | Required for reporting in the Windows Defender ATP console Attack Surface Reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Network Protection | Must be enabled | Required for reporting in the Windows Defender ATP console Network Protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | Must be enabled | Required for reporting in the Windows Defender ATP console Controlled Folder Access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE] > [!NOTE]
> Each feature's requirements are further described in the individual topics in this library. > Each feature's requirements are further described in the individual topics in this library.