From 6fbdd7753134b8acab01f508ce325b1f257a07f9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 16 Mar 2019 13:32:44 +0500 Subject: [PATCH] update attack-surface-reduction-exploit-guard.md added section for event views --- .../attack-surface-reduction-exploit-guard.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index f010ab338b..50deb828c4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -35,6 +35,29 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +## Review attack surface reduction events in Windows Event Viewer + +You can review the Windows event log to see events that are created when attack surface reduction rules fire: + +1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. + +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. + +3. On the left panel, under **Actions**, click **Import custom view...**. + +4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). + +4. Click **OK**. + +5. This will create a custom view that filters to only show the following events related to controlled folder access: + +Event ID | Description +-|- +5007 | Event when settings are changed +1121 | Event when rule fires in Block-mode +1122 | Event when rule fires in Audit-mode + + ## Attack surface reduction rules The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy: @@ -238,4 +261,4 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c ## Related topics - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) \ No newline at end of file +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
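Review bot: The new "Review attack surface reduction events in Windows Event Viewer" section still carries controlled folder access wording and artifacts, which is wrong for this page: step 1 tells the reader to extract *cfa-events.xml*, and step 5 says the view "filters to only show the following events related to controlled folder access", while the table that follows describes attack surface reduction events ("Event when rule fires in Block-mode" / "Audit-mode"). The reader will import a custom view scoped to the wrong feature and see none of the 1121/1122 rule events. Please change the step 5 text to "related to attack surface reduction" and point step 1 at the evaluation package's attack surface reduction view file rather than the controlled folder access one (if the package ships it under a separate name, e.g. asr-events.xml, reference that, and update the filename in step 4 to match). Also, the numbered list has two steps labelled "4." ("4. Navigate to where you extracted *cfa-events.xml* ..." and "4. Click **OK**."), so steps 4–5 should be renumbered 4–6. The second hunk, which only adds the missing newline at end of file, is fine.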