Windows Defender logs collection

Windows Defender is the anti-malware component of the Microsoft Windows operating system. You can configure ThreatLockDown agents installed on Windows endpoints to collect Windows Defender logs. This provides visibility into the malware detections that Windows Defender makes on those endpoints. These logs can also provide information about:

  • The status of the Windows Defender service.

  • Results of Windows Defender scans that the users run on these endpoints.

Configuration

To collect Windows Defender logs, you must configure the ThreatLockDown agent, either through centralized configuration or locally by editing the agent configuration file, C:\Program Files (x86)\ossec-agent\ossec.conf. Centralized configuration lets you share the same instructions with a whole group of agents.

Add the following block to the configuration file to enable Windows Defender log collection:

<!-- Read the Windows Defender Operational event channel. "location" names the
     channel and "log_format" eventchannel tells the agent to read it as a
     Windows event channel; the collected events are decoded as
     windows_eventchannel and carry this channel name in data.win.system.channel. -->
<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Decoders and rules

ThreatLockDown includes out-of-the-box decoders for Microsoft Windows logs, including Windows Defender, so you don’t need to create any decoders for these logs. It also ships rules for Windows Defender, which you can find at /var/ossec/ruleset/rules/0600-win-wdefender_rules.xml on the ThreatLockDown server.

Alert samples

Below are examples of Windows Defender alerts. User and malware activity on monitored endpoints triggers these kinds of alerts. You can find these alerts in the /var/ossec/logs/alerts/alerts.log and /var/ossec/logs/alerts/alerts.json files on the ThreatLockDown server. The ThreatLockDown dashboard also displays these alerts.

Alert created when Windows Defender detects malware:

{
   "timestamp":"2023-01-05T11:44:58.557+0200",
   "rule":{
      "level":12,
      "description":"Windows Defender: Antimalware platform detected  potentially unwanted software ()",
      "id":"62123",
      "firedtimes":2,
      "mail":true,
      "groups":[
         "windows",
         "windows_defender"
      ],
      "pci_dss":[
         "5.1",
         "5.2",
         "10.6.1",
         "11.4"
      ],
      "gpg13":[
         "4.2"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "hipaa":[
         "164.312.b"
      ],
      "nist_800_53":[
         "SI.3",
         "AU.6",
         "SI.4"
      ],
      "tsc":[
         "A1.2",
         "CC7.2",
         "CC7.3",
         "CC6.1",
         "CC6.8"
      ]
   },
   "agent":{
      "id":"012",
      "name":"Windows_11",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1672911898.1113167",
   "decoder":{
      "name":"windows_eventchannel"
   },
   "data":{
      "win":{
         "system":{
            "providerName":"Microsoft-Windows-Windows Defender",
            "providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
            "eventID":"1116",
            "version":"0",
            "level":"3",
            "task":"0",
            "opcode":"0",
            "keywords":"0x8000000000000000",
            "systemTime":"2023-01-05T09:44:55.1124563Z",
            "eventRecordID":"525",
            "processID":"2600",
            "threadID":"432",
            "channel":"Microsoft-Windows-Windows Defender/Operational",
            "computer":"Windows-11",
            "severityValue":"WARNING",
            "message":"\"Microsoft Defender Antivirus has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tName: Virus:DOS/EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath: file:_C:\\Users\\win11\\AppData\\Local\\Temp\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp; webfile:_C:\\Users\\win11\\AppData\\Local\\Temp\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp|https://secure.eicar.org/eicar.com.txt|pid:8412,ProcessStart:133173854939240064\r\n \tDetection Origin: Internet\r\n \tDetection Type: Concrete\r\n \tDetection Source: Downloads and attachments\r\n \tUser: Windows-11\\win11\r\n \tProcess Name: Unknown\r\n \tSecurity intelligence Version: AV: 1.381.1755.0, AS: 1.381.1755.0, NIS: 1.381.1755.0\r\n \tEngine Version: AM: 1.1.19900.2, NIS: 1.1.19900.2\""
         },
         "eventdata":{
            "product Name":"Microsoft Defender Antivirus",
            "product Version":"4.18.2211.5",
            "detection ID":"{53737EEC-A8A6-45E0-9155-4566B8133573}",
            "detection Time":"2023-01-05T09:44:55.064Z",
            "threat ID":"2147519003",
            "threat Name":"Virus:DOS/EICAR_Test_File",
            "severity ID":"5",
            "severity Name":"Severe",
            "category ID":"42",
            "category Name":"Virus",
            "fWLink":"https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Virus:DOS/EICAR_Test_File&amp;threatid=2147519003&amp;enterprise=0",
            "status Code":"1",
            "state":"1",
            "source ID":"4",
            "source Name":"Downloads and attachments",
            "process Name":"Unknown",
            "detection User":"Windows-11\\\\win11",
            "path":"file:_C:\\\\Users\\\\win11\\\\AppData\\\\Local\\\\Temp\\\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp; webfile:_C:\\\\Users\\\\win11\\\\AppData\\\\Local\\\\Temp\\\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp|https://secure.eicar.org/eicar.com.txt|pid:8412,ProcessStart:133173854939240064",
            "origin ID":"4",
            "origin Name":"Internet",
            "execution ID":"0",
            "execution Name":"Unknown",
            "type ID":"0",
            "type Name":"Concrete",
            "pre Execution Status":"0",
            "action ID":"9",
            "action Name":"Not Applicable",
            "error Code":"0x00000000",
            "error Description":"The operation completed successfully.",
            "post Clean Status":"0",
            "additional Actions ID":"0",
            "additional Actions String":"No additional actions required",
            "security intelligence Version":"AV: 1.381.1755.0, AS: 1.381.1755.0, NIS: 1.381.1755.0",
            "engine Version":"AM: 1.1.19900.2, NIS: 1.1.19900.2"
         }
      }
   },
   "location":"EventChannel"
}

Alert created when Windows Defender responds to detected malware:

{
   "timestamp":"2023-01-05T11:45:06.032+0200",
   "rule":{
      "level":3,
      "description":"Windows Defender: Antimalware platform performed an action to protect you from potentially unwanted software ()",
      "id":"62124",
      "firedtimes":2,
      "mail":false,
      "groups":[
         "windows",
         "windows_defender"
      ],
      "pci_dss":[
         "5.1",
         "5.2",
         "10.6.1",
         "11.4"
      ],
      "gpg13":[
         "4.2"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "hipaa":[
         "164.312.b"
      ],
      "nist_800_53":[
         "SI.3",
         "AU.6",
         "SI.4"
      ],
      "tsc":[
         "A1.2",
         "CC7.2",
         "CC7.3",
         "CC6.1",
         "CC6.8"
      ]
   },
   "agent":{
      "id":"012",
      "name":"Windows_11",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1672911906.1119694",
   "decoder":{
      "name":"windows_eventchannel"
   },
   "data":{
      "win":{
         "system":{
            "providerName":"Microsoft-Windows-Windows Defender",
            "providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
            "eventID":"1117",
            "version":"0",
            "level":"4",
            "task":"0",
            "opcode":"0",
            "keywords":"0x8000000000000000",
            "systemTime":"2023-01-05T09:45:02.6103899Z",
            "eventRecordID":"526",
            "processID":"2600",
            "threadID":"432",
            "channel":"Microsoft-Windows-Windows Defender/Operational",
            "computer":"Windows-11",
            "severityValue":"INFORMATION",
            "message":"\"Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tName: Virus:DOS/EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath: file:_C:\\Users\\win11\\AppData\\Local\\Temp\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp; webfile:_C:\\Users\\win11\\AppData\\Local\\Temp\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp|https://secure.eicar.org/eicar.com.txt|pid:8412,ProcessStart:133173854939240064\r\n \tDetection Origin: Internet\r\n \tDetection Type: Concrete\r\n \tDetection Source: Downloads and attachments\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tProcess Name: Unknown\r\n \tAction: Quarantine\r\n \tAction Status:  No additional actions required\r\n \tError Code: 0x00000000\r\n \tError description: The operation completed successfully. \r\n \tSecurity intelligence Version: AV: 1.381.1755.0, AS: 1.381.1755.0, NIS: 1.381.1755.0\r\n \tEngine Version: AM: 1.1.19900.2, NIS: 1.1.19900.2\""
         },
         "eventdata":{
            "product Name":"Microsoft Defender Antivirus",
            "product Version":"4.18.2211.5",
            "detection ID":"{53737EEC-A8A6-45E0-9155-4566B8133573}",
            "detection Time":"2023-01-05T09:44:55.064Z",
            "threat ID":"2147519003",
            "threat Name":"Virus:DOS/EICAR_Test_File",
            "severity ID":"5",
            "severity Name":"Severe",
            "category ID":"42",
            "category Name":"Virus",
            "fWLink":"https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Virus:DOS/EICAR_Test_File&amp;threatid=2147519003&amp;enterprise=0",
            "status Code":"4",
            "state":"2",
            "source ID":"4",
            "source Name":"Downloads and attachments",
            "process Name":"Unknown",
            "detection User":"Windows-11\\\\win11",
            "path":"file:_C:\\\\Users\\\\win11\\\\AppData\\\\Local\\\\Temp\\\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp; webfile:_C:\\\\Users\\\\win11\\\\AppData\\\\Local\\\\Temp\\\\36f9c971-77e5-4f5e-bbef-f7162522dee1.tmp|https://secure.eicar.org/eicar.com.txt|pid:8412,ProcessStart:133173854939240064",
            "origin ID":"4",
            "origin Name":"Internet",
            "execution ID":"0",
            "execution Name":"Unknown",
            "type ID":"0",
            "type Name":"Concrete",
            "pre Execution Status":"0",
            "action ID":"2",
            "action Name":"Quarantine",
            "error Code":"0x00000000",
            "error Description":"The operation completed successfully.",
            "post Clean Status":"0",
            "additional Actions ID":"0",
            "additional Actions String":"No additional actions required",
            "remediation User":"NT AUTHORITY\\\\SYSTEM",
            "security intelligence Version":"AV: 1.381.1755.0, AS: 1.381.1755.0, NIS: 1.381.1755.0",
            "engine Version":"AM: 1.1.19900.2, NIS: 1.1.19900.2"
         }
      }
   },
   "location":"EventChannel"
}

Alert created when Windows Defender real-time protection is disabled:

{
   "timestamp":"2023-01-05T16:26:55.513+0200",
   "rule":{
      "level":5,
      "description":"Windows Defender: Antivirus real-time protection is disabled",
      "id":"62152",
      "firedtimes":1,
      "mail":false,
      "groups":[
         "windows",
         "windows_defender"
      ],
      "pci_dss":[
         "5.1",
         "10.2.6",
         "10.6.1"
      ],
      "gpg13":[
         "4.14",
         "10.1"
      ],
      "gdpr":[
         "IV_35.7.d"
      ],
      "hipaa":[
         "164.312.b"
      ],
      "nist_800_53":[
         "SI.3",
         "AU.14",
         "AU.5",
         "AU.6"
      ],
      "tsc":[
         "A1.2",
         "CC6.8",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"012",
      "name":"Windows_11",
      "ip":"10.0.2.15"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1672928815.1914866",
   "decoder":{
      "name":"windows_eventchannel"
   },
   "data":{
      "win":{
         "system":{
            "providerName":"Microsoft-Windows-Windows Defender",
            "providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
            "eventID":"5001",
            "version":"0",
            "level":"4",
            "task":"0",
            "opcode":"0",
            "keywords":"0x8000000000000000",
            "systemTime":"2023-01-05T14:33:13.3093446Z",
            "eventRecordID":"540",
            "processID":"2600",
            "threadID":"7152",
            "channel":"Microsoft-Windows-Windows Defender/Operational",
            "computer":"Windows-11",
            "severityValue":"INFORMATION",
            "message":"\"Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.\""
         },
         "eventdata":{
            "product Name":"Microsoft Defender Antivirus",
            "product Version":"4.18.2211.5"
         }
      }
   },
   "location":"EventChannel"
}

Alert created when Windows Defender updates its security intelligence (signature) definitions:

{
   "timestamp":"2023-01-05T12:55:10.920+0200",
   "rule":{
      "level":3,
      "description":"Windows Defender: Antimalware definitions updated successfully",
      "id":"62130",
      "firedtimes":2,
      "mail":false,
      "groups":[
         "windows",
         "windows_defender"
      ],
      "pci_dss":[
         "5.1",
         "10.6.1",
         "5.2"
      ],
      "gdpr":[
         "IV_35.7.d",
         "IV_35.7.d"
      ],
      "gpg13":[
         "4.4",
         "4.14"
      ],
      "hipaa":[
         "164.312.b"
      ],
      "nist_800_53":[
         "SI.3",
         "AU.6"
      ],
      "tsc":[
         "A1.2",
         "CC7.2",
         "CC7.3"
      ]
   },
   "agent":{
      "id":"011",
      "name":"ONEBOT-1",
      "ip":"10.5.0.2"
   },
   "manager":{
      "name":"localhost.localdomain"
   },
   "id":"1672916110.1441972",
   "decoder":{
      "name":"windows_eventchannel"
   },
   "data":{
      "win":{
         "system":{
            "providerName":"Microsoft-Windows-Windows Defender",
            "providerGuid":"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
            "eventID":"2000",
            "version":"0",
            "level":"4",
            "task":"0",
            "opcode":"0",
            "keywords":"0x8000000000000000",
            "systemTime":"2023-01-05T10:55:07.4095656Z",
            "eventRecordID":"649",
            "processID":"6716",
            "threadID":"7528",
            "channel":"Microsoft-Windows-Windows Defender/Operational",
            "computer":"ONEBOT-1",
            "severityValue":"INFORMATION",
            "message":"\"Microsoft Defender Antivirus security intelligence version updated.\r\n \tCurrent security intelligence Version: 1.381.1755.0\r\n \tPrevious security intelligence Version: 1.381.1746.0\r\n \tSecurity intelligence Type: AntiSpyware\r\n \tUpdate Type: Delta\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tCurrent Engine Version: 1.1.19900.2\r\n \tPrevious Engine Version: 1.1.19900.2\""
         },
         "eventdata":{
            "product Name":"Microsoft Defender Antivirus",
            "product Version":"4.18.2211.5",
            "current security intelligence Version":"1.381.1755.0",
            "previous security intelligence Version":"1.381.1746.0",
            "domain":"NT AUTHORITY",
            "user":"SYSTEM",
            "sID":"S-1-5-18",
            "security intelligence Type Index":"2",
            "security intelligence Type":"AntiSpyware",
            "update Type Index":"2",
            "update Type":"Delta",
            "current Engine Version":"1.1.19900.2",
            "previous Engine Version":"1.1.19900.2"
         }
      }
   },
   "location":"EventChannel"
}