Getting Data In

the best way to collect Windows Defender logs?

corti77
Contributor

Hi,

I need to collect the logs from Windows Defender and I was looking for an official app and I couldn't find one.

I read some people recommending "TA for Microsoft Windows Defender" but I see that it didn't get update since 2017.

Any other option more recent?

thanks.

0 Karma

jcarlosgraca
Engager

Hello,

you can collect the logs with the following configuration on inputs.conf:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = windefender
evt_resolve_ad_obj = 1

0 Karma

gcusello
SplunkTrust

Hi @corti77,

you can collect data from Windows Defender using the Splunk Add-On for Windows Security (https://splunkbase.splunk.com/app/6207) that's also accepted by Microsoft (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/the-splunk-add-on-for-microso...)

Ciao.

Giuseppe

0 Karma

corti77
Contributor

Hi @gcusello ,

Are you sure that app includes the basic Microsoft Defender included in any Microsoft OS?

Checking the app documentation, it mentions the Microsoft 365 Defender and Defender for Endpoint products. Those are the EDR and SOAR solutions from Microsoft, no mention of the basic AV logs.

https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasehistory

thanks

0 Karma

RichieOl
Explorer

Hi,

I am having this same issue at the moment, as the domain I manage is completely air-gapped from the internet, so no cloud connectivity. After some digging I have read there are events in the event viewer.

Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

1116 - MALWAREPROTECTION_STATE_MALWARE_DETECTED

1117 - MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN

1118 - MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

1119 - MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED

I haven't tested them yet as I have literally just found them online this minute and came across this message board at the same time.

I hope this helps, and if you have found anything extra can you put them in here too. I'm going to set up the forwarder now to collect these and create a dashboard.

KR

Richard 

0 Karma
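Before relying on the forwarder, it is worth confirming on one host that the channel named in jcarlosgraca's inputs.conf stanza actually exists and that the event IDs Richard lists are being written to it. The following PowerShell is an added example, not code from this thread, from Splunk or from Microsoft; it assumes it is run in an elevated session on a Windows host with Defender enabled, and the ID-to-name mapping is copied from Richard's post.

```powershell
# Added example (not from the thread): verify the Defender Operational channel
# that the [WinEventLog://...] stanza reads, and summarise the detection events
# 1116-1119 so the forwarder can be checked against what the host really has.
# Assumption: run elevated (reading this channel needs local admin or an
# account granted read access to it).

# Same channel name as the inputs.conf stanza, without the WinEventLog:// prefix.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# Event ID -> name, as listed in the thread.
$DetectionEvents = @{
    1116 = 'MALWAREPROTECTION_STATE_MALWARE_DETECTED'
    1117 = 'MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN'
    1118 = 'MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED'
    1119 = 'MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED'
}

# 1. Confirm the channel exists and is enabled. A missing or disabled channel
#    means the forwarder input will collect nothing without reporting an error.
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
'{0}: enabled={1} records={2} maxSize={3} bytes' -f `
    $log.LogName, $log.IsEnabled, $log.RecordCount, $log.MaximumSizeInBytes

# 2. Pull recent detection events. Get-WinEvent throws when nothing matches,
#    so "no events" is handled as a normal result rather than a failure.
$events = Get-WinEvent -FilterHashtable @{
    LogName = $LogName
    Id      = @($DetectionEvents.Keys)
} -MaxEvents 500 -ErrorAction SilentlyContinue

if (-not $events) {
    "No events with IDs $($DetectionEvents.Keys -join ', ') found in $LogName."
    return
}

# 3. Count per event ID with the name from the thread and the newest timestamp,
#    so the totals can be compared with a search over the windefender index.
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        EventId = [int]$_.Name
        Name    = $DetectionEvents[[int]$_.Name]
        Count   = $_.Count
        Latest  = ($_.Group | Sort-Object TimeCreated -Descending |
                   Select-Object -First 1).TimeCreated
    }
} | Format-Table -AutoSize

# 4. Show the first line of the most recent messages; this is the text the
#    Splunk WinEventLog input will index, useful when building field extractions.
$events | Select-Object -First 5 TimeCreated, Id, MachineName,
    @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } | Format-List
```

Once the stanza is forwarding, the same IDs show up in the EventCode field of the events in the windefender index, so the per-ID counts printed here give a quick way to spot a host whose forwarder is not shipping the channel. Note that the channel name contains a space; the stanza in this thread already spells it correctly, and Get-WinEvent -ListLog is the quickest way to catch a typo in it.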

gcusello
SplunkTrust

Hi @corti77,

you're right, this Add-on is for the O365 Defender,

but, from my little knowledge of Defender (I'm not a fan of it!) and it's possible I'm wrong, it should be possible to have Defender logs from the Cloud using this Add-On.

If it isn't possible, sorry for my wrong answer!

Ciao.

Giuseppe

0 Karma