From f8f32b28ec115175bf844d7bb4ad3d21ab5c05d8 Mon Sep 17 00:00:00 2001
From: Lindsay <45809756+lindspea@users.noreply.github.com>
Date: Tue, 23 Apr 2019 11:34:40 +0200
Subject: [PATCH] Update audit-windows-defender-exploit-guard.md

Added info about where to find audited entries.
---
 .../audit-windows-defender-exploit-guard.md                     | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
index 2207d2015d..1c4e998102 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -27,6 +27,8 @@ You might want to do this when testing how the features will work in your organi
 
 While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
 
+To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
+
 You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
 
 This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.