From 6f768e2360b52b7d3f8b709d5554d8914906238d Mon Sep 17 00:00:00 2001
From: Lindsay <45809756+lindspea@users.noreply.github.com>
Date: Wed, 3 Jul 2019 16:23:56 +0200
Subject: [PATCH] Update attack-surface-reduction-exploit-guard.md

Added example query.
---
 .../attack-surface-reduction-exploit-guard.md       | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index ac87bbc9ed..23084d3586 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -45,6 +45,19 @@ Triggered rules display a notification on the device. You can [customize the not
 
 For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 
+## Review attack surface reduction events in the Windows Defender ATP Security Center
+
+Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+
+Here is an example query: 
+
+```
+MiscEvents
+| where ActionType startswith 'Asr'
+```
+
 ## Review attack surface reduction events in Windows Event Viewer
 
 You can review the Windows event log to view events that are created when attack surface reduction rules fire: