Hi, I'm having trouble with the Windows Defender TA.
I have the package distributed to my UF, and it's pulling logs into the correct index. The TA is also installed on my single instance search head/indexer.
sourcetype is XmlWinEventLog
source is XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational
There seems to be a stack of fields extracted. None are CIM aligned.
It does not seem to be observing any of the tags.conf, or props.conf.
Has anyone got any ideas?
Cheers!
Having the same issue, did you manage to find a solution?
Sorry Quinton - still stuck.
Hi,
Found the issue. The props, eventtypes and tags were not working because the sourcetype was being renamed by the "Splunk Add-on for Microsoft Windows". We modified the app a little by changing the props.conf to use the "source::" and not the sourcetype, and also changed the search for the eventtypes to use the index and the source. This solved the issue and we now have all the extractions working and the tags are firing as expected.
Hope this helps?
Just confirming - this is my conf which seems to be working.
[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
and eventtypes.conf
[ms-windefender-operation]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")
[ms-windefender-attack]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")
Cheers.
Yup, the only difference is I specified the index as well in my eventtypes.conf, but that should work as well.
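The fix described in the two posts above, written out as complete stanzas. This is an added example, not the thread author's files and not the shipped TA-microsoft-windefender or Splunk_TA_windows configuration. It assumes the files live in $SPLUNK_HOME/etc/apps/TA-microsoft-windefender/local/, that events land in the len_windefender index (as in the inputs.conf posted later in this thread), that the Windows add-on rewrites the sourcetype to XmlWinEventLog while leaving the source string alone, and that the field names Threat_Name, Path and Action_Name are what the XML extraction already produces; the tag names follow the CIM Malware data model (malware plus attack or operations).

```ini
# Added example, not from the thread or the add-on. Assumed file locations,
# index name and field names are noted inline.

# --- $SPLUNK_HOME/etc/apps/TA-microsoft-windefender/local/props.conf ---

# What stops working once Splunk_TA_windows is installed: a stanza keyed on
# the sourcetype. The Windows add-on renames the sourcetype (assumed here to
# become XmlWinEventLog), so a stanza like the one below never matches and
# none of its EVALs or lookups run.
# [WinEventLog:Microsoft-Windows-Windows Defender/Operational]

# Keying on the source instead. The source string is set by the input
# (inputs.conf with renderXml = 1 produces XmlWinEventLog:<channel>) and is
# not rewritten by the Windows add-on, so this stanza matches no matter what
# the sourcetype ends up being called.
[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
# Assumed field names from the XML extraction; adjust to what you see in
# "Interesting fields" for your events.
EVAL-vendor_product = "Microsoft Windows Defender"
EVAL-signature = Threat_Name
EVAL-file_path = Path
EVAL-action = case(match(Action_Name, "(?i)quarantine"), "blocked",
                   match(Action_Name, "(?i)remove"), "deleted",
                   match(Action_Name, "(?i)allow"), "allowed",
                   true(), "unknown")

# --- $SPLUNK_HOME/etc/apps/TA-microsoft-windefender/local/eventtypes.conf ---

# Same idea for eventtypes: match on index and source, not sourcetype.
[ms-windefender-operation]
search = index=len_windefender source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

[ms-windefender-attack]
search = index=len_windefender source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")

# --- $SPLUNK_HOME/etc/apps/TA-microsoft-windefender/local/tags.conf ---

# Tags hang off the eventtype, so they start firing as soon as the eventtype
# searches above match. These are the CIM Malware data model tags.
[eventtype=ms-windefender-attack]
malware = enabled
attack = enabled

[eventtype=ms-windefender-operation]
malware = enabled
operations = enabled
```

After restarting the search head (or reloading props and eventtypes via the debug/refresh endpoint), check which app actually wins for the source stanza with `splunk btool props list "source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" --debug`; each line is prefixed with the file it came from, so a stanza still sitting under the add-on's default/ directory keyed on the old sourcetype shows up immediately. Then confirm the whole chain with a search such as `index=len_windefender source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" | stats count by sourcetype, eventtype, tag`: if sourcetype shows the renamed value, eventtype is populated and the malware/attack tags appear, the source-keyed stanzas are doing their job. The search in eventtypes.conf has to match the source string exactly, including the space in "Windows Defender", which is why it is quoted.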
Hello,
I am very sorry to grave-dig like this but I am experiencing similar issues and I am unable to decipher what you're saying exactly.
I have the TA installed but I am not having the eval statements working / tagging / etc.
I am working out of the /apps/TA-microsoft-windefender/local/* folder
eventtypes.conf
[ms-windefender-operation]
search = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")
[ms-windefender-attack]
search = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")
inputs.conf
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = len_windefender
disabled = 0
renderXml = 1
props.conf
[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
I do also have the windows TA installed, is there something I need to look for in there?
I did modify my files to closely reflect what you've stated, after re-reading what you posted. The logs come in but the EVAL statements do not work.
eventtypes.conf
[ms-windefender-operation]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")
[ms-windefender-attack]
search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120")
inputs.conf
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = len_windefender
disabled = 0
renderXml = 1
props.conf
[source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
I just submitted a pull request to the original add-on with the changes you highlighted. I am hoping the original author includes it and gets a new version uploaded to Splunkbase.
https://github.com/pdoconnell/TA-microsoft-windefender/pull/4