https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/677790#M113296 <P>Hello,</P> <P>you can collect the logs with the following configuration on&nbsp;inputs.conf:</P> <LI-CODE lang="markup">[WinEventLog://Microsoft-Windows-Windows Defender/Operational] disabled = 0 index = windefender evt_resolve_ad_obj = 1</LI-CODE> Fri, 16 Feb 2024 13:05:38 GMT jcarlosgraca 2024-02-16T13:05:38Z https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/656437#M111170 <P>Hi,</P><P>I need to collect the logs from Windows Defender and I was looking for an official app and I couldn't find one.</P><P>I read some people recommending "TA for Microsoft Windows Defender" but I see that it didn't get update since 2017.</P><P>Any other option more recent?</P><P>thanks.</P> Fri, 01 Sep 2023 13:53:02 GMT https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/656437#M111170 corti77 2023-09-01T13:53:02Z https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/656459#M111171 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234300">@corti77</a>,</P><P>you can collect data from Windows Defender using the Splunk Add-On for Windows Security (<A href="https://splunkbase.splunk.com/app/6207" target="_blank">https://splunkbase.splunk.com/app/6207</A>) that's also accepted by Microsoft (<A href="https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/the-splunk-add-on-for-microsoft-security-is-now-available/ba-p/3171272" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/the-splunk-add-on-for-microsoft-security-is-now-available/ba-p/3171272</A>)</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Fri, 01 Sep 2023 17:00:59 GMT https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/656459#M111171 gcusello 2023-09-01T17:00:59Z https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/656495#M111174 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,</P><P>are you sure that app includes the basic Microsoft Defender included in any Microsoft OS?</P><P>checking the app documentation mentions&nbsp;<SPAN>Microsoft 365 Defender and Defender for Endpoint products.&nbsp; Those are the EDR and SOAR solutions from Microsoft , no mention of the basic AV logs.</SPAN></P><P><A href="https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasehistory" target="_blank">https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasehistory</A></P><P>thanks</P><P>&nbsp;</P> Sat, 02 Sep 2023 09:50:36 GMT https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/656495#M111174 corti77 2023-09-02T09:50:36Z https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/656496#M111175 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234300">@corti77</a>,</P><P>you're right, this Add-on is for the O365 Defender,</P><P>but for my little knowledge of Defender (I'm not a fan of it!) and it's possible I'm wrong, it should be possible to have Defender logs from Cloud, using this Add-On.</P><P>If it isn't possible, sorry for my wrong answer!</P><P>Ciao.</P><P>Giuseppe</P> Sat, 02 Sep 2023 10:04:42 GMT https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/656496#M111175 gcusello 2023-09-02T10:04:42Z https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/665656#M111791 <P>Hi,</P><P>I am having this same issue at the moment as the domain i manage is completely airgapped form the internet so no cloud connectivity. After some digging i found have read there are events in the event viewer.</P><P>Applications and Services Logs &gt; Microsoft &gt; Windows &gt; Windows Defender &gt; Operational</P><P>1116 - MALWAREPROTECTION_STATE_MALWARE_DETECTED</P><P>1117 - MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN</P><P>1118 - MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED</P><P>1119 - MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED</P><P>I haven't tested them yet as i have literally just found them online this minute and came across this message board at the same time.&nbsp;</P><P>I hope this helps and if you have found anything extra can you put them in here too. Im going set up the forwarder now to collect these and create a dashboard&nbsp;</P><P>KR</P><P>Richard&nbsp;</P> Fri, 20 Oct 2023 08:55:41 GMT https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/665656#M111791 RichieOl 2023-10-20T08:55:41Z https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/677790#M113296 <P>Hello,</P> <P>you can collect the logs with the following configuration on&nbsp;inputs.conf:</P> <LI-CODE lang="markup">[WinEventLog://Microsoft-Windows-Windows Defender/Operational] disabled = 0 index = windefender evt_resolve_ad_obj = 1</LI-CODE> Fri, 16 Feb 2024 13:05:38 GMT https://community.splunk.com/t5/Getting-Data-In/the-best-way-to-collect-Windows-Defender-logs/m-p/677790#M113296 jcarlosgraca 2024-02-16T13:05:38Z