fixed applies to in exploit guard topics

Justin Hall
2018-08-11 17:36:25 -07:00
parent d69115100d
commit 6e36dde10e
27 changed files with 150 additions and 224 deletions

@ -1,5 +1,5 @@
---
title: Import custom views to see Windows Defender Exploit Guard events
title: Import custom views to see attack surface reduction events
description: Use Windows Event Viewer to import individual views for each of the features.
keywords: event view, exploit guard, audit, review, events
search.product: eADQiWindows 10XVcnh
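Review bot: The `keywords` line in this front matter still lists only "exploit guard" while the title now reads "attack surface reduction events". Add "attack surface reduction" to the keywords (keeping "exploit guard" if old searches should still land here) so the metadata matches the renamed title.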
@ -12,38 +12,37 @@ ms.date: 04/16/2018
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# View Windows Defender Exploit Guard events
# View attack surface reduction events
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windows Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
You can also get detailed reporting into events and blocks as part of Windows Defender Security Center, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
## Use custom views to review Windows Defender Exploit Guard features
## Use custom views to review attack surface reduction capabilities
You can create custom views in the Windows Event Viewer to only see events for specific features and settings.
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
### Import an existing XML custom view
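Review bot: The rename is incomplete in the "manually navigate" sentence: the replacement line updates the link text and anchor but still says "the Windows Defender EG feature". Change it to "the capability" (or "the attack surface reduction capability") to match the wording used in the other replaced lines. The same sentence is a comma splice ("feature, see the"); split it into two sentences while touching it. The unchanged XML sentence just above it still says "each of the features", which now sits next to a line that says "capabilities", so consider aligning that one too. The new anchor `#list-of-attack-surface-reduction-events` does match the heading renamed in the last hunk.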
@ -143,10 +142,10 @@ You can also manually navigate to the event area that corresponds to the Windows
## List of all Windows Defender Exploit Guard events
## List of attack surface reduction events
All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
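Review bot: Typo in the replacement sentence under the renamed heading: "All attack surface reductiond events" should read "All attack surface reduction events". Separately, the context line below it writes "Windows Event viewer" while the earlier hunk writes "Windows Event Viewer"; use one capitalization throughout the topic.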