Getting Data In

the best way to collect Windows Defender logs?

corti77
Communicator

Hi,

I need to collect the logs from Windows Defender and I was looking for an official app and I couldn't find one.

I read some people recommending "TA for Microsoft Windows Defender", but I see that it hasn't been updated since 2017.

Is there any other, more recent option?

thanks.


jcarlosgraca
Engager

Hello,

you can collect the logs with the following configuration on inputs.conf:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = windefender
evt_resolve_ad_obj = 1

gcusello
SplunkTrust

Hi @corti77,

you can collect data from Windows Defender using the Splunk Add-On for Windows Security (https://splunkbase.splunk.com/app/6207) that's also accepted by Microsoft (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/the-splunk-add-on-for-microso...)

Ciao.

Giuseppe


corti77
Communicator

Hi @gcusello ,

are you sure that app includes the basic Microsoft Defender included in any Microsoft OS?

Checking the app documentation, it mentions the Microsoft 365 Defender and Defender for Endpoint products. Those are the EDR and SOAR solutions from Microsoft; there is no mention of the basic AV logs.

https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasehistory

thanks


RichieOl
Explorer

Hi,

I am having this same issue at the moment, as the domain I manage is completely air-gapped from the internet, so there is no cloud connectivity. After some digging I have read that there are events in the Event Viewer.

Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

1116 - MALWAREPROTECTION_STATE_MALWARE_DETECTED

1117 - MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN

1118 - MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

1119 - MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED

I haven't tested them yet, as I have literally just found them online this minute and came across this message board at the same time.

I hope this helps, and if you have found anything extra, can you put it in here too? I'm going to set up the forwarder now to collect these and create a dashboard.

KR

Richard 

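Before enabling the inputs.conf stanza posted earlier in the thread, this added PowerShell check (not from any of the posters) queries the same Defender Operational channel for the four event IDs Richard listed, so you can confirm the events actually exist on the host the forwarder will read. The 'Threat Name', 'Action Name' and 'Path' field names are assumed from Defender's event data and print as '-' when absent.

```powershell
# Added example: verify the Windows Defender Operational channel and the
# malware-protection event IDs before pointing a Splunk WinEventLog input at it.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'
$Ids = @{
    1116 = 'MALWAREPROTECTION_STATE_MALWARE_DETECTED'
    1117 = 'MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN'
    1118 = 'MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED'
    1119 = 'MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED'
}

# 1. The channel must exist and be enabled, otherwise the forwarder collects nothing.
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
if (-not $log.IsEnabled) { throw "Channel '$LogName' is disabled; enable it in Event Viewer first." }
"Channel OK: $($log.RecordCount) records, newest written $($log.LastWriteTime)"

# 2. Pull the malware-protection events from the last 30 days.
$filter = @{ LogName = $LogName; Id = @($Ids.Keys); StartTime = (Get-Date).AddDays(-30) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Helper: read a named field from the event's XML EventData (field names are assumptions).
function Get-EventField($Event, [string]$Name) {
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { '-' }
}

# 3. Per-ID counts, so expected volume is known before indexing.
$events | Group-Object Id | ForEach-Object {
    '{0,5}  {1,-58} {2}' -f $_.Name, $Ids[[int]$_.Name], $_.Count
}

# 4. Detail for the most recent detections: what was found and what Defender did.
$events | Sort-Object TimeCreated -Descending | Select-Object -First 10 | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Threat = Get-EventField $_ 'Threat Name'
        Action = Get-EventField $_ 'Action Name'
        Path   = Get-EventField $_ 'Path'
    }
} | Format-Table -AutoSize
```

Run it in an elevated session on the host; if step 3 prints nothing, the channel is empty for that window and the forwarder input will look healthy while indexing no detections.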

gcusello
SplunkTrust

Hi @corti77,

You're right, this Add-on is for O365 Defender,

but to my little knowledge of Defender (I'm not a fan of it!), and it's possible I'm wrong, it should be possible to get Defender logs from the Cloud using this Add-On.

If it isn't possible, sorry for my wrong answer!

Ciao.

Giuseppe
