Catch All (Windows Defender)
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
Catch-All | Base Rule | Information | General Information Log Message |
EVID 1150 : Service In Healthy State | Sub Rule | Information | General Health Monitor Information |
EVID 1151 : Service Health Report | Sub Rule | Information | General Health Monitor Information |
EVID 2000 : Malware Signatures Updated | Sub Rule | Information | Update Successful |
EVID 2001 : Malware Signature Update Failed | Sub Rule | Error | Update Failed |
EVID 2002 : Malware Engine Updated | Sub Rule | Information | Update Successful |
EVID 2003 : Malware Engine Update Failed | Sub Rule | Error | Update Failed |
EVID 2004 : Malware Signature Reverted | Sub Rule | Information | General System Information |
EVID 2005 : Malware Platform Out Of Date | Sub Rule | Warning | General System Warning |
EVID 2006 : Malware Platform Update Failed | Sub Rule | Error | Update Failed |
EVID 2007 : Malware Platform Soon To Be Out Of Date | Sub Rule | Warning | General System Warning |
EVID 2010 : Malware Signatures Updated | Sub Rule | Information | Update Successful |
EVID 2011 : Obsolete Malware Signatures Deleted | Sub Rule | Information | General System Information |
EVID 2012 : Malware Signature Update Failed | Sub Rule | Error | Update Failed |
EVID 2013 : Dynamic Malware Signatures Deleted | Sub Rule | Information | General System Information |
EVID 2020 : Malware Engine Downloaded Clean File | Sub Rule | Information | Update Successful |
EVID 2021 : Malw. Eng. Fail To Download Clean File | Sub Rule | Error | Update Failed |
EVID 2030 : Offline Scan Installed | Sub Rule | Information | Install Successful |
EVID 2031 : Offline Scan Installation Failed | Sub Rule | Warning | Software Installation Failed |
EVID 2040 : Support For OS Expiring | Sub Rule | Warning | General System Warning |
EVID 2041 : Support For OS Ended | Sub Rule | Critical | General System Critical |
EVID 2042 : Support For OS Ended | Sub Rule | Critical | General System Critical |
EVID 5008 : Malware Protection Engine Failure | Sub Rule | Error | General WinDefend Error |
EVID 5009 : Malware Protection Antispyware Enabled | Sub Rule | Configuration | Configuration Enabled : Security |
EVID 5010 : Malware Protection Antispyware Disabled | Sub Rule | Configuration | Configuration Disabled : Security |
EVID 5011 : Malware Protection Antivirus Enabled | Sub Rule | Configuration | Configuration Enabled : Security |
EVID 5012 : Malware Protection Antivirus Disabled | Sub Rule | Configuration | Configuration Disabled : Security |
EVID 5100 : Antimalware Platform Expiration Warning | Sub Rule | Warning | License Period Will Expire Soon |
EVID 5101 : Antimalware Platform Expired | Sub Rule | Critical | License Expired |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
Provider | N/A | N/A | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
Version | N/A | N/A | The version number of the event's definition. |
Level | <severity> | Text/String | The severity level defined in the event. |
Task | N/A | N/A | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
Opcode | N/A | N/A | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
Keywords | N/A | N/A | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute. |
EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
Channel | N/A | N/A | The channel to which the event was logged. |
Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
Security | N/A | N/A | N/A |
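The two tables above describe the parse in words: the System block of the Windows event supplies EventID, Level and Computer for <vmid>, <severity> and <dname>, and the EventID then selects a sub-rule (or falls through to the Catch-All base rule) for Classification and Common Event. The following Python is an added illustration of that flow, not LogRhythm's own parser; the event XML, hostnames and record IDs are constructed for the example, while the field mapping and the classification rows are transcribed from this page (only a subset of the sub-rule rows is included).

```python
"""Map Windows Defender operational-channel events onto the LogRhythm schema
fields listed on this page and attach the sub-rule classification.

Added illustration, not LogRhythm's parser. The event XML is constructed
(hostnames, record IDs and timestamps are invented); the field mapping and
the classification rows are transcribed from this page.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespace used by every Windows event rendered as XML (wevtutil, Get-WinEvent ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# System/Level is what feeds <severity>; these are the standard Windows level values.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Sub-rule rows from the classification table: EventID -> (Classification, Common Event).
# Subset only; extend with the remaining rows of the table as needed.
SUB_RULES: Dict[int, Tuple[str, str]] = {
    1150: ("Information", "General Health Monitor Information"),
    1151: ("Information", "General Health Monitor Information"),
    2000: ("Information", "Update Successful"),
    2001: ("Error", "Update Failed"),
    2002: ("Information", "Update Successful"),
    2003: ("Error", "Update Failed"),
    2005: ("Warning", "General System Warning"),
    2041: ("Critical", "General System Critical"),
    5008: ("Error", "General WinDefend Error"),
    5009: ("Configuration", "Configuration Enabled : Security"),
    5010: ("Configuration", "Configuration Disabled : Security"),
    5011: ("Configuration", "Configuration Enabled : Security"),
    5012: ("Configuration", "Configuration Disabled : Security"),
    5100: ("Warning", "License Period Will Expire Soon"),
    5101: ("Critical", "License Expired"),
}
# Anything no sub-rule matches falls through to the base rule.
BASE_RULE = ("Catch-All", "Information", "General Information Log Message")

# IDs whose Common Event is "Configuration Disabled : Security" (antispyware / antivirus off).
PROTECTION_DISABLED_IDS = {5010, 5012}


def map_event(xml_text: str) -> dict:
    """Extract the System fields this page maps and return the schema record."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event: missing <System> block")
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    level = int(system.findtext("e:Level", namespaces=NS))
    provider = system.find("e:Provider", NS).get("Name")
    if event_id in SUB_RULES:
        classification, common_event = SUB_RULES[event_id]
        rule = f"EVID {event_id}"
    else:
        rule, classification, common_event = BASE_RULE
    return {
        "provider": provider,  # N/A in the schema table; kept for context only
        "vmid": event_id,  # EventID -> <vmid>
        "severity": LEVEL_NAMES.get(level, str(level)),  # Level -> <severity>
        "dname": system.findtext("e:Computer", namespaces=NS),  # Computer -> <dname>
        "rule": rule,
        "classification": classification,
        "common_event": common_event,
    }


def protection_disabled_hosts(events: List[str]) -> List[str]:
    """Hosts that logged an antispyware/antivirus-disabled event (5010 / 5012)."""
    hosts: List[str] = []
    for record in map(map_event, events):
        if record["vmid"] in PROTECTION_DISABLED_IDS and record["dname"] not in hosts:
            hosts.append(record["dname"])
    return hosts


def make_event(event_id: int, level: int, computer: str, record_id: int) -> str:
    """Build a minimal, constructed Defender event in Windows event XML form."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System>"
        '<Provider Name="Microsoft-Windows-Windows Defender"/>'
        f"<EventID>{event_id}</EventID><Version>0</Version><Level>{level}</Level>"
        "<Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>"
        '<TimeCreated SystemTime="2024-03-01T09:15:00.000000000Z"/>'
        f"<EventRecordID>{record_id}</EventRecordID><Correlation/>"
        '<Execution ProcessID="4" ThreadID="8"/>'
        "<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>"
        f'<Computer>{computer}</Computer><Security UserID="S-1-5-18"/>'
        "</System><EventData/></Event>"
    )


# Constructed sample batch: AV disabled, a failed signature update, a health
# report, and an ID with no sub-rule in the table (falls through to Catch-All).
SAMPLE_EVENTS = [
    make_event(5012, 4, "ws01.corp.example", 101),
    make_event(2001, 2, "ws02.corp.example", 102),
    make_event(1151, 4, "ws01.corp.example", 103),
    make_event(1000, 4, "ws03.corp.example", 104),
]

if __name__ == "__main__":
    for record in map(map_event, SAMPLE_EVENTS):
        print(record)
    print("protection disabled on:", protection_disabled_hosts(SAMPLE_EVENTS))
```

Note the two different notions of severity in play: <severity> is filled from the event's own Level number, while Classification (Information, Error, Configuration, ...) comes from the sub-rule the EventID selects, so an EVID 5012 logged at Level 4 lands as severity "Information" but classification "Configuration" with a "Configuration Disabled : Security" common event. That common event, not the Windows level, is what a detection for protection being switched off should key on.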