Getting Data In
Highlighted

Read logs from Microsoft-Windows-Windows Defender/Operational

New Member

Hello,

I am trying to read from events logs namely {Microsoft-Windows-Windows Defender/Operational}.
From Manager>Data Inputs>Remote Event Log Collections, I get only the list below as logs:
Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell

I put the following in local\inputs.conf:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
startfrom = oldest
current
only = 0
evtresolvead_obj = 1
checkpointInterval = 5

And it is not working. How to do so? Kinldy advise.
IR

0 Karma
Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

New Member

I finally got it working as follows:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = default
currentonly = 0
start
from = oldest
checkpointInterval = 5

However, it is imported as plain XML as follows:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:09:58.515056300Z'/><EventRecordID>5462</EventRecordID><Correlation ActivityID='{73509B89-4403-46D8-B260-204DD0098E76}'/><Execution ProcessID='2620' ThreadID='15224'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>IT-IRSHAD.Emtel.Org</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{BDDC5EF0-DF00-46E0-B606-B8696AF2C89D}</Data><Data Name='Detection Time'>2019-01-17T07:09:03.351Z</Data><Data Name='Unused'></Data><Data Name='Unused2'></Data><Data Name='Threat ID'>2147519003</Data>

Nothing has been decoded. How to get same decoded?

Rgds,
IR

0 Karma
Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

Influencer

Hi,

did you see that there is a TA for Defender on splunkbase? Is providin inputs, so it might be helpful to you?

https://splunkbase.splunk.com/app/3734/

View solution in original post

Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

New Member

yeah I got this. However, i wanted to add via the normal way and not using the TA for Defender as I willhave other logs to add in the future where no TA is available.
If i got this one works, all other will follow same principle.

0 Karma
Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

Influencer

Just download it and have a look at it, there are field extractions for your unformatted XML as well.

0 Karma
Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

New Member

You were completely right.
I have downloaded it and it simplify everything. Some tweaks had to be done in the inputs.conf
But all is well and works brilliantly.

Many thanks again.

0 Karma
Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

New Member

I noticed it works for localhost alarms.
However for remote computers, the event is not raised.

Any idea what i am missing?

0 Karma
Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

Influencer

Hm not really sry..there is not much documentation for the TA.

You might want to start a new answer for that.

0 Karma
Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

Champion

Are you able to see logs in Windows Event Viewer?

0 Karma
Highlighted

Re: Read logs from Microsoft-Windows-Windows Defender/Operational

New Member

Yes, I manage to read it now. But the XML is not formatted at all.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:30:39.203431700Z'/><EventRecordID>5464</EventRecordID><Correlation ActivityID='{836F339B-7655-4283-9C51-91811E024137}'/><Execution ProcessID='2620' ThreadID='6184'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>XXX</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{F8F2390A-DEBD-4B5E-9ADF-491B1EC25132}</Data><Data Name='Detection Time'>2019-01-17T07:29:43.550Z</Data><Data Name='Unused'>

Anything on how to decode same?
Rgds,
IR

0 Karma