From ff0a652c8d6971a8b213cc0c70db15ae777f9725 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 26 Mar 2019 17:58:03 -0700 Subject: [PATCH] added new section --- .../attack-surface-reduction-exploit-guard.md | 11 +++++++++++ .../exploit-protection-exploit-guard.md | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 653d7f2a5e..6a7af471f3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic +ms.date: 03/26/2018 --- # Reduce attack surfaces with attack surface reduction rules @@ -235,6 +236,16 @@ SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +## Review attack surface reduction in Windows Event Viewer + +You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: + +Event ID | Description +5007 | Event when settings are changed +1121 | Event when an attack surface reduction rule fires in audit mode +1122 | Event when an attack surface reduction rule fires in block mode + + ## Related topics - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 53ff480b35..3d5b5df71f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -29,11 +29,11 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple domain-joined devices at once. +You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. +You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.