added new section

Justin Hall
2019-03-26 17:58:03 -07:00
parent 14f1456a01
commit ff0a652c8d
2 changed files with 13 additions and 2 deletions


@ -11,6 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 03/26/2018
--- ---
# Reduce attack surfaces with attack surface reduction rules # Reduce attack surfaces with attack surface reduction rules
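Review bot: The added front-matter line `ms.date: 03/26/2018` carries the year 2018, while this commit is dated 2019-03-26, so the page would show as last updated a year before the change. If the field is meant to reflect this edit, use `ms.date: 03/26/2019`.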
@ -235,6 +236,16 @@ SCCM name: Not applicable
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
## Review attack surface reduction in Windows Event Viewer
You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app:
Event ID | Description
5007 | Event when settings are changed
1121 | Event when an attack surface reduction rule fires in audit mode
1122 | Event when an attack surface reduction rule fires in block mode
## Related topics ## Related topics
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
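Review bot: The new "Review attack surface reduction in Windows Event Viewer" section lists event IDs 5007, 1121 and 1122 but never says which event log or provider they are written to, so a reader cannot locate them or build a filter from this text alone. Add the log path, or link to the page that describes how to view these events. The intro sentence also says "attack surface rules" where the heading and the page title say "attack surface reduction rules". Please confirm the audit and block descriptions for 1121 and 1122 against the product's event definitions before merging, since detection queries will be written from this table.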


@ -29,11 +29,11 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md
Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple domain-joined devices at once. You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled.
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
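Review bot: In the Group Policy sentence, the change drops "domain-joined" from "multiple domain-joined devices at once" while keeping Group Policy as the distribution method. That removes a scoping statement without explanation, so either keep the qualifier or state which devices the XML file can reach this way. Neither this edit nor the audit mode link change to `evaluate-exploit-protection.md` is covered by the commit message "added new section"; mention them there or split them into their own commit.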