Getting Data In

Read logs from Microsoft-Windows-Windows Defender/Operational

irshadrahimbux
New Member

Hello,

I am trying to read from the event logs, namely {Microsoft-Windows-Windows Defender/Operational}.
From Manager>Data Inputs>Remote Event Log Collections, I get only the list below as logs:
Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell

I put the following in local\inputs.conf:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

And it is not working. How do I do so? Kindly advise.
IR

0 Karma
1 Solution

dkeck
Influencer

Hi,

Did you see that there is a TA for Defender on Splunkbase? It provides inputs, so it might be helpful to you.

https://splunkbase.splunk.com/app/3734/


irshadrahimbux
New Member

Will try this too.

0 Karma

p_gurav
Champion

Are you able to see logs in Windows Event Viewer?

0 Karma

irshadrahimbux
New Member

Yes, I managed to read it now. But the XML is not formatted at all.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:30:39.203431700Z'/><EventRecordID>5464</EventRecordID><Correlation ActivityID='{836F339B-7655-4283-9C51-91811E024137}'/><Execution ProcessID='2620' ThreadID='6184'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>XXX</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{F8F2390A-DEBD-4B5E-9ADF-491B1EC25132}</Data><Data Name='Detection Time'>2019-01-17T07:29:43.550Z</Data><Data Name='Unused'>

Anything on how to decode same?
Rgds,
IR

0 Karma

irshadrahimbux
New Member

Yeah, I got this. However, I wanted to add it via the normal way and not using the TA for Defender, as I will have other logs to add in the future where no TA is available.
If I get this one working, all others will follow the same principle.

0 Karma

dkeck
Influencer

Just download it and have a look at it, there are field extractions for your unformatted XML as well.

0 Karma

irshadrahimbux
New Member

You were completely right.
I have downloaded it and it simplifies everything. Some tweaks had to be done in inputs.conf,
But all is well and works brilliantly.

Many thanks again.

0 Karma

irshadrahimbux
New Member

I noticed it works for localhost alarms.
However for remote computers, the event is not raised.

Any idea what I am missing?

0 Karma

dkeck
Influencer

Hm, not really, sorry.. there is not much documentation for the TA.

You might want to start a new answer for that.

0 Karma

irshadrahimbux
New Member

I finally got it working as follows:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = default
current_only = 0
start_from = oldest
checkpointInterval = 5

However, it is imported as plain XML as follows:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:09:58.515056300Z'/><EventRecordID>5462</EventRecordID><Correlation ActivityID='{73509B89-4403-46D8-B260-204DD0098E76}'/><Execution ProcessID='2620' ThreadID='15224'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>IT-IRSHAD.Emtel.Org</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{BDDC5EF0-DF00-46E0-B606-B8696AF2C89D}</Data><Data Name='Detection Time'>2019-01-17T07:09:03.351Z</Data><Data Name='Unused'></Data><Data Name='Unused2'></Data><Data Name='Threat ID'>2147519003</Data>

Nothing has been decoded. How to get same decoded?

Rgds,
IR

0 Karma