diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index d211891329..e4fccb655d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -51,6 +51,13 @@ Microsoft Defender ATP provides detailed reporting into events and blocks as par
 
 You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
 
+Here is an example query 
+
+```
+MiscEvents
+| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
+```
+
 ## Review network protection events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: