MS Windows Event Logging XML - Windows Defender
Microsoft Defender for Endpoint is a cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavioral-based and cloud-powered next generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.
Device Details
Device Name | MS Windows Event Logging XML - Windows Defender |
---|---|
Vendor | MS Windows |
Device Type | Microsoft Defender Advanced Threat Protection |
Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
Supported Software Version(s) | N/A |
Collection Method | MS Windows Event Logging |
Configurable Log Output? | No |
Log Source Type | MS Windows Event Logging XML - Windows Defender |
Log Processing Policy | LogRhythm Default v2.0 |
Exceptions | N/A |
Additional Information | https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus |
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)
Type | Product Version | Supported Schema Fields |
---|---|---|
Catch All (Windows Defender) | N/A | <vmid>, <severity>, <dname> |
EVID 1120 : Threat Hash Identified | N/A | <vmid>, <severity>, <dname>, <subject>, <hash> |
EVID 5007 : Malware Protection Config Changed | N/A | <vmid>, <severity>, <dname>, <object>, <status>, <result> |
Malware Detection Events | N/A | <vmid>, <severity>, <dname>, <subject>, <threatid>, <threatname>, <status>, <login>, <domainorigin>, <process>, <action>, <responsecode>, <reason>, <object>, <tag1> |
Malware Detection Events (XML Logs) | N/A | <vmid>, <severity>, <dname>, <threatid>, <threatname>, <status>, <login>, <domainorigin>, <process>, <action>, <tag1>, <responsecode>, <reason> |
Malware History Management | N/A | <vmid>, <severity>, <dname>, <subject>, <login>, <domainorigin>, <responsecode>, <reason> |
Malware History Management (XML Logs) | N/A | <vmid>, <severity>, <dname>, <login>, <domainorigin>, <responsecode>, <reason> |
Malware Scan Information | N/A | <vmid>, <severity>, <dname>, <subject>, <session>, <object>, <login>, <domainorigin>, <responsecode>, <reason> |
Malware Scan Information (XML Logs) | N/A | <vmid>, <severity>, <dname>, <session>, <object>, <login>, <domainorigin>, <responsecode>, <reason> |
Quarantine Item Management | N/A | <vmid>, <severity>, <dname>, <subject>, <threatname>, <threatid>, <login>, <domainorigin>, <responsecode>, <reason> |
Real-Time Protection State Events | N/A | <vmid>, <severity>, <dname>, <subject>, <objectname>, <responsecode>, <result>, <reason> |
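The following is an added example, not LogRhythm's parser and not code from Microsoft. It shows what the table above describes: reading a Windows Defender event as the XML that the Microsoft-Windows-Windows Defender/Operational channel renders, emitting the Catch All fields (<vmid>, <severity>, <dname>) for every event, and adding the per-event fields for EVID 1120 and EVID 5007. The sample events are constructed, and the EventData element names (Product Name, Product Version, Old Value, New Value, Threat Name, Hashes) and the way they are mapped onto <object>, <status>, <result>, <subject> and <hash> are assumptions for illustration, not the vendor's mapping. The tamper check at the end is likewise an assumed heuristic, not a shipped rule.

```python
"""Map Windows Defender event XML onto the schema fields listed for this
log source type.  Illustrative code written for this page; sample events
and EventData names are constructed/assumed, not captured from a host."""
import xml.etree.ElementTree as ET

# Namespace every Windows event carries when rendered to XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows <Level> values mapped to the <severity> text reported here.
LEVELS = {0: "Information", 1: "Critical", 2: "Error", 3: "Warning",
          4: "Information", 5: "Verbose"}


def split_setting(value: str):
    """'HKLM\\...\\DisableRealtimeMonitoring = 0x1' -> (path, '0x1').
    A value with no '=' becomes (value, '') so nothing is silently lost."""
    path, sep, setting = value.rpartition("=")
    if not sep:
        return value.strip(), ""
    return path.strip(), setting.strip()


def parse_defender_event(xml_text: str) -> dict:
    """Return the parsed fields for one Defender event (assumed mapping)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    level = int(system.findtext("e:Level", default="4", namespaces=NS))
    # Catch All (Windows Defender): every event yields these three fields.
    fields = {
        "vmid": event_id,
        "severity": LEVELS.get(level, "Information"),
        "dname": system.findtext("e:Computer", namespaces=NS),
    }
    # EventData is a flat list of <Data Name="...">value</Data> elements.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}

    if event_id == 1120:    # Threat Hash Identified
        fields["subject"] = data.get("Threat Name", "")
        fields["hash"] = data.get("Hashes", "")
    elif event_id == 5007:  # Malware Protection Config Changed
        obj, new_value = split_setting(data.get("New Value", ""))
        _, old_value = split_setting(data.get("Old Value", ""))
        fields["object"] = obj          # setting that changed
        fields["status"] = old_value    # value before the change
        fields["result"] = new_value    # value after the change
    return fields


def is_protection_tampering(fields: dict) -> bool:
    """Assumed heuristic: a 5007 change that sets DisableRealtimeMonitoring
    to 0x1 means real-time protection was switched off on the host."""
    return (fields.get("vmid") == 5007
            and fields.get("object", "").endswith("DisableRealtimeMonitoring")
            and fields.get("result", "").lower() == "0x1")


def build_event(event_id: int, level: int, data: dict) -> str:
    """Build a constructed event in the layout EventLogRecord.ToXml() emits."""
    data_xml = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><Provider Name='Microsoft-Windows-Windows Defender'/>"
        f"<EventID>{event_id}</EventID><Level>{level}</Level>"
        "<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>"
        "<Computer>ws01.corp.example</Computer></System>"
        f"<EventData>{data_xml}</EventData></Event>"
    )


# Constructed sample events (host name, version, threat name and hash are made up).
RTP_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"
SAMPLE_EVENTS = {
    "config_changed": build_event(5007, 4, {
        "Product Name": "Microsoft Defender Antivirus",
        "Product Version": "4.18.0.0",
        "Old Value": RTP_KEY + " = 0x0",
        "New Value": RTP_KEY + " = 0x1",
    }),
    "threat_hash": build_event(1120, 3, {
        "Product Name": "Microsoft Defender Antivirus",
        "Product Version": "4.18.0.0",
        "Threat Name": "Trojan:Win32/Constructed.Sample",
        "Hashes": "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
    }),
    # Any event id without a specific rule falls through to the Catch All fields.
    "other": build_event(2000, 4, {"Product Name": "Microsoft Defender Antivirus"}),
}


if __name__ == "__main__":
    for name, xml_text in SAMPLE_EVENTS.items():
        parsed = parse_defender_event(xml_text)
        flag = "  <-- real-time protection disabled" if is_protection_tampering(parsed) else ""
        print(f"{name}: {parsed}{flag}")
```

The parser keys on the namespaced System/EventID element rather than on the rendered message text, so it is unaffected by the message-string localisation that breaks regex-based parsing of the classic text rendering; that is the practical reason the XML samples got their own parser rows in the table above.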
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.573.0 | * | New Log Source Type | New Device Support for MS Windows Event Logging XML - Windows Defender |
KB 7.1.XXX.X | * | Parsing Improvement | Write new parser for XML type samples |