Getting Data In

the best way to collect Windows Defender logs?

corti77
Contributor

Hi,

I need to collect the logs from Windows Defender and I was looking for an official app and I couldn't find one.

I read some people recommending "TA for Microsoft Windows Defender", but I see that it hasn't been updated since 2017.

Is there any other, more recent option?

thanks.


jcarlosgraca
Engager

Hello,

you can collect the logs with the following configuration on inputs.conf:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = windefender
evt_resolve_ad_obj = 1

gcusello
SplunkTrust

Hi @corti77,

you can collect data from Windows Defender using the Splunk Add-On for Windows Security (https://splunkbase.splunk.com/app/6207) that's also accepted by Microsoft (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/the-splunk-add-on-for-microso...)

Ciao.

Giuseppe


corti77
Contributor

Hi @gcusello ,

are you sure that app includes the basic Microsoft Defender included in any Microsoft OS?

Checking the app documentation, it mentions the Microsoft 365 Defender and Defender for Endpoint products. Those are the EDR and SOAR solutions from Microsoft; there is no mention of the basic AV logs.

https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasehistory

thanks


RichieOl
Explorer

Hi,

I am having this same issue at the moment, as the domain I manage is completely air-gapped from the internet, so there is no cloud connectivity. After some digging I have read that there are events in the Event Viewer.

Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

1116 - MALWAREPROTECTION_STATE_MALWARE_DETECTED

1117 - MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN

1118 - MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

1119 - MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED

I haven't tested them yet, as I have literally just found them online this minute and came across this message board at the same time.

I hope this helps, and if you have found anything extra, can you put it in here too? I'm going to set up the forwarder now to collect these and create a dashboard.

KR

Richard

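The four Operational-log event IDs Richard lists above are enough to build a small triage step once they are forwarded. The following is an added example, not code from any post in this thread or from Splunk: it parses constructed key=value records of the kind a Windows forwarder emits (hostnames, threat names and paths are invented) and goes a step further than the list by ranking remediation failures (1118/1119) above detections that were cleaned up (1117).

```python
"""Classify Windows Defender Operational events (IDs 1116-1119) from sample records."""
import re
from collections import Counter

# Event IDs listed in the thread, mapped to their Defender state names.
DEFENDER_EVENTS = {
    1116: "MALWAREPROTECTION_STATE_MALWARE_DETECTED",
    1117: "MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN",
    1118: "MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED",
    1119: "MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED",
}
# Remediation failures are what an analyst needs to look at first.
NEEDS_ATTENTION = {1118, 1119}

# Constructed sample records in the key=value shape a Windows forwarder emits;
# hostnames, threat names and paths are invented for this example.
SAMPLE_EVENTS = """\
EventCode=1116 ComputerName=ws01.corp.example Threat_Name=Trojan:Win32/Sample Path=C:\\Users\\a\\x.exe
EventCode=1117 ComputerName=ws01.corp.example Threat_Name=Trojan:Win32/Sample Action=Quarantine
EventCode=1116 ComputerName=ws02.corp.example Threat_Name=Trojan:Win32/Sample Path=C:\\Temp\\y.exe
EventCode=1118 ComputerName=ws02.corp.example Threat_Name=Trojan:Win32/Sample Action=Remove
EventCode=1119 ComputerName=srv03.corp.example Threat_Name=Ransom:Win32/Sample Action=Remove
EventCode=4624 ComputerName=srv03.corp.example LogonType=3
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict; EventCode becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    fields["EventCode"] = int(fields.get("EventCode", 0))
    return fields

def triage(text):
    """Return (per-host outcome, counts per Defender state name).
    Per host, the latest Defender event wins: a detection followed by
    ACTION_TAKEN is resolved; 1118/1119 leave the host needing attention."""
    outcome, counts = {}, Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        code = ev["EventCode"]
        if code not in DEFENDER_EVENTS:
            continue  # not a Defender malware-state event (e.g. a logon)
        counts[DEFENDER_EVENTS[code]] += 1
        status = "needs_attention" if code in NEEDS_ATTENTION else (
            "resolved" if code == 1117 else "detected")
        outcome[ev["ComputerName"]] = (status, ev.get("Threat_Name"))
    return outcome, counts

if __name__ == "__main__":
    hosts, counts = triage(SAMPLE_EVENTS)
    for host, (status, threat) in sorted(hosts.items()):
        print(f"{host:22} {status:16} {threat}")
```

The same mapping works as a lookup in the Splunk index once the stanza from the earlier answer is in place; here it runs offline against the constructed records.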

gcusello
SplunkTrust

Hi @corti77,

you're right, this Add-on is for the O365 Defender,

but to my limited knowledge of Defender (I'm not a fan of it!), and it's possible I'm wrong, it should be possible to get Defender logs from the cloud using this Add-On.

If it isn't possible, sorry for my wrong answer!

Ciao.

Giuseppe
