I did modify my files to closely reflect what you've stated, after re-reading what you posted.. The logs come in but the EVAL statements do not work. eventtypes.conf [ms-windefender-operation] search = source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*") [ms-windefender-attack] search =  source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120") inputs.conf [WinEventLog://Microsoft-Windows-Windows Defender/Operational] index = len_windefender disabled = 0 renderXml = 1 props.conf [source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational] ... View more

Hello, I am very sorry to grave dig like this but I am experiencing similar issues and I am unable to decipher what you're saying exactly.  I have the TA installed but I am not having the eval statements working / tagging / etc. I am working out of the /apps/TA-microsoft-windefender/local/* folder eventtypes.conf [ms-windefender-operation] search = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*") [ms-windefender-attack] search =  source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120") inputs.conf [WinEventLog://Microsoft-Windows-Windows Defender/Operational] index = len_windefender disabled = 0 renderXml = 1 props.conf [source::XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]   I do also have the windows TA installed, is there something I need to look for in there? ... View more