Catch All (Windows Defender)

Vendor Documentation

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus

Classification

Rule Name	Rule Type	Classification	Common Event
Catch-All	Base Rule	Information	General Information Log Message
EVID 1150 : Service In Healthy State	Sub Rule	Information	General Health Monitor Information
EVID 1151 : Service Health Report	Sub Rule	Information	General Health Monitor Information
EVID 2000 : Malware Signatures Updated	Sub Rule	Information	Update Successful
EVID 2001 : Malware Signature Update Failed	Sub Rule	Error	Update Failed
EVID 2002 : Malware Engine Updated	Sub Rule	Information	Update Successful
EVID 2003 : Malware Engine Update Failed	Sub Rule	Error	Update Failed
EVID 2004 : Malware Signature Reverted	Sub Rule	Information	General System Information
EVID 2005 : Malware Platform Out Of Date	Sub Rule	Warning	General System Warning
EVID 2006 : Malware Platform Update Failed	Sub Rule	Error	Update Failed
EVID 2007 : Malware Platform Soon ToBe Out Of Date	Sub Rule	Warning	General System Warning
EVID 2010 : Malware Signatures Updated	Sub Rule	Information	Update Successful
EVID 2011 : Obsolete Malware Signatures Deleted	Sub Rule	Information	General System Information
EVID 2012 : Malware Signature Update Failed	Sub Rule	Error	Update Failed
EVID 2013 : Dynamic Malware Signatures Deleted	Sub Rule	Information	General System Information
EVID 2020 : Malware Engine Downloaded Clean File	Sub Rule	Information	Update Successful
EVID 2021 : Malw. Eng. Fail To Download Clean File	Sub Rule	Error	Update Failed
EVID 2030 : Offline Scan Installed	Sub Rule	Information	Install Successful
EVID 2031 : Offline Scan Installation Failed	Sub Rule	Warning	Software Installation Failed
EVID 2040 : Support For OS Expiring	Sub Rule	Warning	General System Warning
EVID 2041 : Support For OS Ended	Sub Rule	Critical	General System Critical
EVID 2042 : Support For OS Ended	Sub Rule	Critical	General System Critical
EVID 5008 : Malware Protection Engine Failure	Sub Rule	Error	General WinDefend Error
EVID 5009 : Malware Protection Antispyware Enabled	Sub Rule	Configuration	Configuration Enabled : Security
EVID 5010 : Malware Protection Antispyware Disable	Sub Rule	Configuration	Configuration Disabled : Security
EVID 5011 : Malware Protection Antivirus Enabled	Sub Rule	Configuration	Configuration Enabled : Security
EVID 5012 : Malware Protection Antivirus Disabled	Sub Rule	Configuration	Configuration Disabled : Security
EVID 5100 :Antimalware Platform Expiration Warning	Sub Rule	Warning	License Period Will Expire Soon
EVID 5101 : Antimalware Platform Expired	Sub Rule	Critical	License Expired

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Provider	N/A	N/A	Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
EventID	<vmid>	Number	The identifier that the provider used to identify the event.
Version	N/A	N/A	The version number of the event's definition.
Level	<severity>	Text/String	The severity level defined in the event.
Task	N/A	N/A	The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
Opcode	N/A	N/A	The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
Keywords	N/A	N/A	A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
TimeCreated	N/A	N/A	The time stamp that identifies when the event was logged. The time stamp includes either the SystemTime attribute or the RawTime attribute.
EventRecordID	N/A	N/A	The record number assigned to the event when it was logged.
Correlation	N/A	N/A	The activity identifiers that consumers can use to group related events together.
Execution	N/A	N/A	Contains information about the process and thread that logged the event.
Channel	N/A	N/A	The channel to which the event was logged.
Computer	<dname>	Text/String	The name of the computer on which the event occurred.
Security	N/A	N/A	N/A