From 56c68f3a20fbbe1ad656ea708e6c3d693070c940 Mon Sep 17 00:00:00 2001 From: Malin De Silva Date: Wed, 5 Jun 2019 18:38:30 +0530 Subject: [PATCH] added the example query --- .../controlled-folders-exploit-guard.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 285795ee9d..00e0789bab 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -47,6 +47,13 @@ Microsoft Defender ATP provides detailed reporting into events and blocks as par You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +Here is an example query + +``` +MiscEvents +| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked') +``` + ## Review controlled folder access events in Windows Event Viewer You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
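Review bot: The added lead-in "Here is an example query", placed right after the Advanced hunting paragraph, has no closing punctuation and does not say what the query returns. Because the preceding sentence is about audit mode, the lead-in should state that the query returns both audited and blocked controlled folder access events, for example "The following example query returns events that controlled folder access audited or blocked:". The opening fence has no language tag, so if the docs set has a convention for tagging Advanced hunting queries, apply it here. The query filters only on ActionType, with no time range or row limit, so it is worth adding a sentence telling readers to narrow it before running it in a large environment.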