Getting Data In

Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux
New Member

Hello,

I am trying to read from event logs, namely {Microsoft-Windows-Windows Defender/Operational}.
From Manager>Data Inputs>Remote Event Log Collections, I get only the list below as logs:
Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell

I put the following in local\inputs.conf:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

And it is not working. How do I do so? Kindly advise.
IR

0 Karma
1 Solution

dkeck
Influencer

Hi,

Did you see that there is a TA for Defender on Splunkbase? It provides inputs, so it might be helpful to you.

https://splunkbase.splunk.com/app/3734/

irshadrahimbux
New Member

Will try this too.

0 Karma

p_gurav
Champion

Are you able to see logs in Windows Event Viewer?

0 Karma

irshadrahimbux
New Member

Yes, I managed to read it now. But the XML is not formatted at all.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:30:39.203431700Z'/><EventRecordID>5464</EventRecordID><Correlation ActivityID='{836F339B-7655-4283-9C51-91811E024137}'/><Execution ProcessID='2620' ThreadID='6184'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>XXX</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{F8F2390A-DEBD-4B5E-9ADF-491B1EC25132}</Data><Data Name='Detection Time'>2019-01-17T07:29:43.550Z</Data><Data Name='Unused'>

Anything on how to decode same?
Rgds,
IR

0 Karma

irshadrahimbux
New Member

Yeah, I got this. However, I wanted to add it the normal way and not using the TA for Defender, as I will have other logs to add in the future where no TA is available.
If I get this one to work, all others will follow the same principle.

0 Karma

dkeck
Influencer

Just download it and have a look at it, there are field extractions for your unformatted XML as well.

0 Karma

irshadrahimbux
New Member

You were completely right.
I have downloaded it and it simplifies everything. Some tweaks had to be done in the inputs.conf.
But all is well and works brilliantly.

Many thanks again.

0 Karma

irshadrahimbux
New Member

I noticed it works for localhost alarms.
However for remote computers, the event is not raised.

Any idea what I am missing?

0 Karma

dkeck
Influencer

Hm, not really, sorry... there is not much documentation for the TA.

You might want to start a new answer for that.

0 Karma

irshadrahimbux
New Member

I finally got it working as follows:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = default
current_only = 0
start_from = oldest
checkpointInterval = 5

However, it is imported as plain XML as follows:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:09:58.515056300Z'/><EventRecordID>5462</EventRecordID><Correlation ActivityID='{73509B89-4403-46D8-B260-204DD0098E76}'/><Execution ProcessID='2620' ThreadID='15224'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>IT-IRSHAD.Emtel.Org</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{BDDC5EF0-DF00-46E0-B606-B8696AF2C89D}</Data><Data Name='Detection Time'>2019-01-17T07:09:03.351Z</Data><Data Name='Unused'></Data><Data Name='Unused2'></Data><Data Name='Threat ID'>2147519003</Data>

Nothing has been decoded. How do I get it decoded?

Rgds,
IR

0 Karma