diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index 97eefc24c9..d06826fae9 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -62,7 +62,7 @@ You can enable Controlled Folder Access, run the tool, and see what the experien
 8. You can also review the Windows Event log to see the events there were created:
     1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
     2. On the left panel, under **Actions**, click **Import custom view...**
-    3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*.
+    3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml).
     4. Click **OK**.
     5. This will create a custom view that filters to only show the following events related to Controlled Folder Access: