topic Read logs from Microsoft-Windows-Windows Defender/Operational in Getting Data In

Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux — Tue, 29 Sep 2020 22:47:21 GMT

Hello,

I am trying to read from events logs namely {Microsoft-Windows-Windows Defender/Operational}.
From Manager>Data Inputs>Remote Event Log Collections, I get only the list below as logs:
Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell

I put the following in local\inputs.conf:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

And it is not working. How to do so? Kinldy advise.
IR

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux — Tue, 29 Sep 2020 22:47:26 GMT

I finally got it working as follows:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = default
current_only = 0
start_from = oldest
checkpointInterval = 5

However, it is imported as plain XML as follows:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:09:58.515056300Z'/><EventRecordID>5462</EventRecordID><Correlation ActivityID='{73509B89-4403-46D8-B260-204DD0098E76}'/><Execution ProcessID='2620' ThreadID='15224'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>IT-IRSHAD.Emtel.Org</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{BDDC5EF0-DF00-46E0-B606-B8696AF2C89D}</Data><Data Name='Detection Time'>2019-01-17T07:09:03.351Z</Data><Data Name='Unused'></Data><Data Name='Unused2'></Data><Data Name='Threat ID'>2147519003</Data>

Nothing has been decoded. How to get same decoded?

Rgds,
IR

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

dkeck — Thu, 17 Jan 2019 07:24:24 GMT

Hi,

did you see that there is a TA for Defender on splunkbase? Is providin inputs, so it might be helpful to you?

https://splunkbase.splunk.com/app/3734/

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

p_gurav — Thu, 17 Jan 2019 07:33:36 GMT

Are you able to see logs in Windows Event Viewer?

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux — Thu, 17 Jan 2019 07:36:35 GMT

Yes, I manage to read it now. But the XML is not formatted at all.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:30:39.203431700Z'/><EventRecordID>5464</EventRecordID><Correlation ActivityID='{836F339B-7655-4283-9C51-91811E024137}'/><Execution ProcessID='2620' ThreadID='6184'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>XXX</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{F8F2390A-DEBD-4B5E-9ADF-491B1EC25132}</Data><Data Name='Detection Time'>2019-01-17T07:29:43.550Z</Data><Data Name='Unused'>

Anything on how to decode same?
Rgds,
IR

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux — Thu, 17 Jan 2019 07:38:03 GMT

yeah I got this. However, i wanted to add via the normal way and not using the TA for Defender as I willhave other logs to add in the future where no TA is available.
If i got this one works, all other will follow same principle.

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

dkeck — Thu, 17 Jan 2019 07:46:30 GMT

Just download it and have a look at it, there are field extractions for your unformatted XML as well.

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

dkeck — Thu, 17 Jan 2019 08:47:04 GMT

https://answers.splunk.com/answers/133533/xml-extraction.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev

Try this for xml field extractions

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux — Thu, 17 Jan 2019 09:42:55 GMT

You were completely right.
I have downloaded it and it simplify everything. Some tweaks had to be done in the inputs.conf
But all is well and works brilliantly.

Many thanks again.

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux — Thu, 17 Jan 2019 09:43:07 GMT

Will try this too.

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux — Thu, 17 Jan 2019 09:59:45 GMT

I noticed it works for localhost alarms.
However for remote computers, the event is not raised.

Any idea what i am missing?

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

dkeck — Thu, 17 Jan 2019 10:05:42 GMT

Hm not really sry..there is not much documentation for the TA.

You might want to start a new answer for that.