
MS Windows Event Logging XML - Windows Defender

Microsoft Defender for Endpoint is a cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavioral-based and cloud-powered next generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.

Device Details

| Field | Value |
|---|---|
| Device Name | MS Windows Event Logging XML - Windows Defender |
| Vendor | MS Windows |
| Device Type | Microsoft Defender Advanced Threat Protection |
| Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
| Supported Software Version(s) | |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | |
| Log Source Type | MS Windows Event Logging XML - Windows Defender |
| Log Processing Policy | LogRhythm Default v2.0 |

Additional Information

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

| Supported Log Messages | Product Version | Supported Schema Fields |
|---|---|---|
| Catch All (Windows Defender) | N/A | <vmid>, <severity>, <dname> |
| EVID 1120 : Threat Hash Identified | N/A | <vmid>, <severity>, <dname>, <subject>, <hash> |
| EVID 5007 : Malware Protection Config Changed | N/A | <vmid>, <severity>, <dname>, <object>, <status>, <result> |
| Malware Detection Events | N/A | <vmid>, <severity>, <dname>, <subject>, <threatid>, <threatname>, <status>, <login>, <domainorigin>, <process>, <action>, <responsecode>, <reason>, <object>, <tag1> |
| Malware Detection Events (XML Logs) | N/A | <vmid>, <severity>, <dname>, <threatid>, <threatname>, <status>, <login>, <domainorigin>, <process>, <action>, <tag1>, <responsecode>, <reason> |
| Malware History Management | N/A | <vmid>, <severity>, <dname>, <subject>, <login>, <domainorigin>, <responsecode>, <reason> |
| Malware History Management (XML Logs) | N/A | <vmid>, <severity>, <dname>, <login>, <domainorigin>, <responsecode>, <reason> |
| Malware Scan Information | N/A | <vmid>, <severity>, <dname>, <subject>, <session>, <object>, <login>, <domainorigin>, <responsecode>, <reason> |
| Malware Scan Information (XML Logs) | N/A | <vmid>, <severity>, <dname>, <session>, <object>, <login>, <domainorigin>, <responsecode>, <reason> |
| Quarantine Item Management | | <vmid>, <severity>, <dname>, <subject>, <threatname>, <threatid>, <severity>, <login>, <domainorigin>, <responsecode>, <reason> |
| Real-Time Protection State Events | | <vmid>, <severity>, <dname>, <subject>, <objectname>, <responsecode>, <result>, <reason> |

Revision History

| KB Version | Log Type | Change Type |
|---|---|---|
| KB 7.1.573.0 | *New Log Source Type | New Device Support for MS Windows Event Logging XML - Windows Defender |
| KB 7.1.XXX.X | *Parsing Improvement | Write new parser for XML type samples |