From bb08591be645ff8cf216260c4f63f1b955349580 Mon Sep 17 00:00:00 2001
From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com>
Date: Mon, 28 Jan 2019 10:41:52 -0800
Subject: [PATCH] Removed mention of EG eval package.

---
 .../attack-surface-reduction-exploit-guard.md | 35 +------------------
 1 file changed, 1 insertion(+), 34 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 584ec7aaf4..ca19171d66 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -67,11 +67,10 @@ The rules apply to the following Office apps:
 - Microsoft PowerPoint
 - Microsoft OneNote
 
-Except where specified, the rules do not apply to any other Office apps.
+Except where specified, ASR rules do not apply to any other Office apps.
 
 ### Rule: Block executable content from email client and webmail
 
-
 This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
 
 - Executable files (such as .exe, .dll, or .scr) 
@@ -164,38 +163,6 @@ This is a typical malware behavior, especially for macro-based attacks that atte
 
 This rule blocks Adobe Reader from creating child processes.
 
-## Review attack surface reduction rule events in Windows Event Viewer
-
-You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
-
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
-
-2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-3. On the left panel, under **Actions**, click **Import custom view...**
-
-    ![Animation showing the import custom view on the Event viewer window](images/events-import.gif)
-
-4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-5. Click **OK**.
-
-6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
-
- Event ID | Description
--|-
-5007 | Event when settings are changed
-1122 | Event when rule fires in Audit-mode 
-1121 | Event when rule fires in Block-mode 
-
-### Event fields
-
-- **ID**: matches with the Rule-ID that triggered the block/audit.
-- **Detection time**: Time of detection
-- **Process Name**: The process that performed the "operation" that was blocked/audited
-- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
-
-
  ## Related topics
 
 Topic | Description