Microsoft Defender for Endpoint is a cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavior-based and cloud-powered next-generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.
Device Details

| Device Name | MS Windows Event Logging XML - Windows Defender |
|---|---|
| Vendor | MS Windows |
| Device Type | Microsoft Defender Advanced Threat Protection |
| Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
| Supported Software Version(s) | N/A |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | No |
| Log Source Type | MS Windows Event Logging XML - Windows Defender |
| Log Processing Policy | LogRhythm Default v2.0 |
| Exceptions | N/A |
| Additional Information | https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus |
Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Catch All (Windows Defender) | N/A | <vmid>, <severity>, <dname> |
| EVID 1120 : Threat Hash Identified | N/A | <vmid>, <severity>, <dname>, <subject>, <hash> |
| | N/A | <vmid>, <severity>, <dname>, <object>, <status>, <result> |
| Malware Detection Events | N/A | <vmid>, <severity>, <dname>, <subject>, <threatid>, <threatname>, <status>, <login>, <domainorigin>, <process>, <action>, <responsecode>, <reason>, <object>, <tag1> |
| Malware Detection Events (XML Logs) | N/A | <vmid>, <severity>, <dname>, <threatid>, <threatname>, <status>, <login>, <domainorigin>, <process>, <action>, <tag1>, <responsecode>, <reason> |
| Malware History Management | N/A | <vmid>, <severity>, <dname>, <subject>, <login>, <domainorigin>, <responsecode>, <reason> |
| Malware History Management (XML Logs) | N/A | <vmid>, <severity>, <dname>, <login>, <domainorigin>, <responsecode>, <reason> |
| | N/A | <vmid>, <severity>, <dname>, <subject>, <session>, <object>, <login>, <domainorigin>, <responsecode>, <reason> |
| Malware Scan Information (XML Logs) | N/A | <vmid>, <severity>, <dname>, <session>, <object>, <login>, <domainorigin>, <responsecode>, <reason> |
| Quarantine Item Management | N/A | <vmid>, <severity>, <dname>, <subject>, <threatname>, <threatid>, <severity>, <login>, <domainorigin>, <responsecode>, <reason> |
| Real-Time Protection State Events | N/A | <vmid>, <severity>, <dname>, <subject>, <objectname>, <responsecode>, <result>, <reason> |
Revision History

| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.573.0 | * | New Log Source Type | New Device Support for MS Windows Event Logging XML - Windows Defender |
| KB 7.1.XXX.X | * | Parsing Improvement | Write new parser for XML type samples |