diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 6a7af471f3..ab6498dcae 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -236,7 +236,7 @@ SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -## Review attack surface reduction in Windows Event Viewer +## Review attack surface reduction events in Windows Event Viewer You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 13222c4b4d..c9effc018d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -40,9 +40,9 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) Audit options | How to enable audit mode | How to view events - | - | - -Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md) -Audit applies to all events | [Enable network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) +Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folders.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index d66b74b3af..c49eae7912 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 03/26/2019 --- # Customize exploit protection @@ -156,7 +156,7 @@ Get-ProcessMitigation -Name processName.exe > >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). +>The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index c030233ef0..04abdfa702 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md 
@@ -120,7 +120,7 @@ Get-ProcessMitigation -Name processName.exe > >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). +>The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index a34952ae85..667c554a43 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md 
@@ -45,7 +45,14 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode >If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md). -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +## Review controlled folder access events in Windows Event Viewer + +The following controlled folder access events appear in Windows Event Viewer. + +Event ID | Description +5007 | Event when settings are changed +1124 | Audited controlled folder access event +1123 | Blocked controlled folder access event ## Customize protected folders and apps diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 239170b7f1..c15f7d5f95 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -12,7 +12,7 @@ ms.date: 04/16/2018 ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 03/26/2019 --- # View attack surface reduction events 
@@ -35,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the feature. For more details, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic. +You can also manually navigate to the event area that corresponds to the feature. ### Import an existing XML custom view @@ -43,7 +43,7 @@ You can also manually navigate to the event area that corresponds to the feature - Controlled folder access events custom view: *cfa-events.xml* - Exploit protection events custom view: *ep-events.xml* - Attack surface reduction events custom view: *asr-events.xml* - - Network protection events custom view: *np-events.xml* + - Network/ protection events custom view: *np-events.xml* 1. Type **event viewer** in the Start menu and open **Event Viewer**. @@ -55,7 +55,7 @@ You can also manually navigate to the event area that corresponds to the feature 4. Click **Open**. -5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). +5. This will create a custom view that filters to only show the events related to that feature. ### Copy the XML directly @@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the feature 4. Click **OK**. Specify a name for your filter. -5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). +5. This will create a custom view that filters to only show the events related to that feature. ### XML for attack surface reduction rule events
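Review bot: In audit-windows-defender-exploit-guard.md (hunk @@ -40,9 +40,9), the new "Controlled folder access events" link targets `evaluate-controlled-folders.md#review-controlled-folder-access-events-in-windows-event-viewer`, but this patch adds that heading to `evaluate-controlled-folder-access.md`, so the filename in the link does not match the file that receives the section. Change the target to `evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer`. The network protection row now points at `evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer`, and no hunk in this patch adds or shows that heading, so confirm the anchor exists before merging.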
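Review bot: In customize-exploit-protection.md (hunk @@ -156,7 +156,7) and again in enable-exploit-protection.md (hunk @@ -120,7 +120,7), dropping the link leaves the sentence ending "can be seen in the Windows Security.", which reads as truncated. Reword to "in the Windows Security app" or "in Windows Security" so the note still tells the reader where to look for the system-level defaults that `NOTSET` falls back to.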
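Review bot: In evaluate-controlled-folder-access.md (hunk @@ -45,7 +45,14), the added table goes straight from the `Event ID | Description` header to the `5007 | ...` row with no delimiter row, so it will not render as a table. Add a `- | -` line after the header, matching the `- | - | -` row used by the table in audit-windows-defender-exploit-guard.md. The same hunk deletes the only visible pointer to the audit Windows Defender Exploit Guard topic from a section that tells the reader to set `AuditMode`; consider keeping that sentence alongside the new section.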
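Review bot: In event-views-exploit-guard.md (hunk @@ -12,7 +12,7), the hunk header context shows an earlier `ms.date: 04/16/2018` line in the same front matter, and this change updates a second `ms.date` key below `ms.author`. Remove the duplicate key while touching this block so that only `ms.date: 03/26/2019` remains and the effective date does not depend on which occurrence the build picks.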
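Review bot: In event-views-exploit-guard.md (hunk @@ -43,7 +43,7), the replacement line introduces a stray slash: "Network/ protection events custom view: *np-events.xml*". The removed line had the correct text, and nothing else in the list changed, so this hunk should be dropped or the line restored to "Network protection events custom view: *np-events.xml*".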