Corrected capitalization, changed ASR to ASR rules

Andrea Bichsel
2018-09-18 11:53:06 -07:00
parent fc41f21c1c
commit 630a97cbbc
28 changed files with 274 additions and 633 deletions


@ -15,19 +15,12 @@ ms.author: v-anbic
ms.date: 08/08/2018
---
# View attack surface reduction events
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
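Review bot: The `ms.date: 08/08/2018` metadata line at the top of this hunk is left untouched although the commit is dated 2018-09-18 and edits the topic body. If the date is meant to track the last content revision, update it in this change. While this paragraph is being touched, "day to day workflow" should also be hyphenated as "day-to-day workflow".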
@ -42,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
### Import an existing XML custom view
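Review bot: The reworded sentence "You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events]..." keeps the comma splice from the old wording. Since the line is already being changed, split it into two sentences: "...that corresponds to the feature. See the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section...".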
@ -82,11 +75,7 @@ You can also manually navigate to the event area that corresponds to the Windows
5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).
### XML for Attack surface reduction events
### XML for attack surface reduction rule events
```xml
<QueryList>
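Review bot: Step 5 at the top of this hunk still links to `#list-of-all-windows-defender-exploit-guard-events`, while the paragraph in the previous hunk and the closing heading of the topic use "List of attack surface reduction events" (`#list-of-attack-surface-reduction-events`), so this in-page link looks stale and should be pointed at the same anchor. Also note that renaming the heading to "XML for attack surface reduction rule events" changes its generated anchor, so any inbound links to the old heading need to be checked.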
@ -97,7 +86,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Controlled folder access events
### XML for controlled folder access events
```xml
<QueryList>
@ -108,7 +97,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Exploit protection events
### XML for exploit protection events
```xml
<QueryList>
@ -128,7 +117,7 @@ You can also manually navigate to the event area that corresponds to the Windows
</QueryList>
```
### XML for Network protection events
### XML for network protection events
```xml
<QueryList>
@ -140,8 +129,6 @@ You can also manually navigate to the event area that corresponds to the Windows
```
## List of attack surface reduction events