
Catch All (Windows Defender)

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
| --- | --- | --- | --- |
| Catch All | Base Rule | Operations : Information | General Information Log Message |
| EVID 1150 : Service in Healthy State | Sub rule | Operations : Information | General Health Monitor Information |
| EVID 1151 : Service Health Report | Sub rule | Operations : Information | General Health Monitor Information |
| EVID 2000 : Malware Signatures Updated | Sub rule | Operations : Information | Update Successful |
| EVID 2001 : Malware Signature Update Failed | Sub rule | Operations : Error | Update Failed |
| EVID 2002 : Malware Engine Updated | Sub rule | Operations : Information | Update Successful |
| EVID 2003 : Malware Engine Update Failed | Sub rule | Operations : Error | Update Failed |
| EVID 2004 : Malware Signature Reverted | Sub rule | Operations : Information | General System Information |
| EVID 2005 : Malware Platform Out of Date | Sub rule | Operations : Warning | General System Warning |
| EVID 2006 : Malware Platform Update Failed | Sub rule | Operations : Error | Update Failed |
| EVID 2007 : Malware Platform Soon to be Out of Date | Sub rule | Operations : Warning | General System Warning |
| EVID 2010 : Malware Signatures Updated | Sub rule | Operations : Information | Update Successful |
| EVID 2011 : Obsolete Malware Signatures Deleted | Sub rule | Operations : Information | General System Information |
| EVID 2012 : Malware Signature Update Failed | Sub rule | Operations : Error | Update Failed |
| EVID 2013 : Dynamic Malware Signatures Deleted | Sub rule | Operations : Information | General System Information |
| EVID 2020 : Malware Engine Downloaded Clean File | Sub rule | Operations : Information | Update Successful |
| EVID 2021 : Malware Engine Failed to Download Clean File | Sub rule | Operations : Error | Update Failed |
| EVID 2030 : Offline Scan Installed | Sub rule | Operations : Information | Install Successful |
| EVID 2031 : Offline Scan Installation Failed | Sub rule | Operations : Warning | Software Installation Failed |
| EVID 2040 : Support for OS Expiring | Sub rule | Operations : Warning | General System Warning |
| EVID 2041 : Support for OS Ended | Sub rule | Operations : Critical | General System Critical |
| EVID 2042 : Support for OS Ended | Sub rule | Operations : Critical | General System Critical |
| EVID 5100 : Malware Platform Expiring Soon | Sub rule | Operations : Warning | License Period Will Expire Soon |
| EVID 5101 : Malware Platform Expired | Sub rule | Operations : Critical | License Expired |
| EVID 5007 : Malware Platform Configuration Modified | Sub rule | Audit : Configuration | Configuration Modified : Security |
| EVID 5008 : Malware Engine Encountered Error | Sub rule | Operations : Error | General Windefend Error |
| EVID 5009 : Malware Scanning Enabled | Sub rule | Audit : Configuration | Configuration Enabled : Security |
| EVID 5010 : Malware Scanning Disabled | Sub rule | Audit : Configuration | Configuration Disabled : Security |
| EVID 5011 : Virus Scan Enabled | Sub rule | Audit : Configuration | Configuration Enabled : Security |
| EVID 5012 : Virus Scan Disabled | Sub rule | Audit : Configuration | Configuration Disabled : Security |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Provider | | | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
| EventID | <vmid>, <tag1> | Number | The identifier that the provider used to identify the event. |
| Version | | | The version number of the event's definition. |
| Level | <severity> | String/Number | The severity level defined in the event. |
| Task | | | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
| Opcode | | | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
| Keywords | | | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
| TimeCreated | | | The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. |
| EventRecordID | | | The record number assigned to the event when it was logged. |
| Correlation | | | The activity identifiers that consumers can use to group related events together. |
| Execution | | | Contains information about the process and thread that logged the event. |
| Channel | | | The channel to which the event was logged. |
| Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
| Security | | | |
| | | | A description of the event. |
| Current Signature Version | | | |
| Previous Signature Version | | | |
| Signature Type | | | |
| Update Type | | | |
| User | | | |
| Current Engine Version | | | |
| Previous Engine Version | | | |
