Microsoft Defender for Endpoint is a cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavioral-based and cloud-powered next generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.

Device Details

| Field | Value |
|---|---|
| Device Name | MS Windows Event Logging XML - Windows Defender |
| Vendor | MS Windows |
| Device Type | Microsoft Defender Advanced Threat Protection |
| Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
| Supported Software Version(s) | N/A |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | No |
| Log Source Type | MS Windows Event Logging XML - Windows Defender |
| Log Processing Policy | LogRhythm Default v2.0 |
| Exceptions | N/A |
| Additional Information | https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus |


Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Catch All (Windows Defender) | N/A | <vmid>, <severity>, <dname> |
| EVID 1120 : Threat Hash Identified | N/A | <vmid>, <severity>, <dname>, <subject>, <hash> |
| Malware Detection Events | N/A | <vmid>, <severity>, <dname>, <subject>, <threatid>, <threatname>, <status>, <login>, <domainorigin>, <process>, <action>, <responsecode>, <reason>, <object>, <tag1> |
| Malware Detection Events (XML Logs) | N/A | <vmid>, <severity>, <dname>, <threatid>, <threatname>, <status>, <login>, <domainorigin>, <process>, <action>, <tag1>, <responsecode>, <reason> |
| Malware History Management | N/A | <vmid>, <severity>, <dname>, <subject>, <login>, <domainorigin>, <responsecode>, <reason> |
| Malware History Management (XML Logs) | N/A | <vmid>, <severity>, <dname>, <login>, <domainorigin>, <responsecode>, <reason> |
| | N/A | <vmid>, <severity>, <dname>, <subject>, <session>, <object>, <login>, <domainorigin>, <responsecode>, <reason> |
| Malware Scan Information (XML Logs) | N/A | <vmid>, <severity>, <dname>, <session>, <object>, <login>, <domainorigin>, <responsecode>, <reason> |
| Quarantine Item Management | N/A | <vmid>, <severity>, <dname>, <subject>, <threatname>, <threatid>, <severity>, <login>, <domainorigin>, <responsecode>, <reason> |
| Real-Time Protection State Events | N/A | <vmid>, <severity>, <dname>, <subject>, <objectname>, <responsecode>, <result>, <reason> |


Revision History

| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.573.0 | * | New Log Source Type | New Device Support for MS Windows Event Logging XML - Windows Defender |
| KB 7.1.XXX.X | * | Parsing Improvement | Write new parser for XML type samples |