Hello,
I am trying to read from event logs, namely {Microsoft-Windows-Windows Defender/Operational}.
From Manager>Data Inputs>Remote Event Log Collections, I get only the list below as logs:
Application
Security
System
Hardware Events
Internet Explorer
Key Management Service
MSExchange Management
Windows Powershell
I put the following in local\inputs.conf:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
And it is not working. How to do so? Kindly advise.
IR
Hi,
Did you see that there is a TA for Defender on Splunkbase? It is providing inputs, so it might be helpful to you.
Try this for xml field extractions
Will try this too.
Are you able to see logs in Windows Event Viewer?
Yes, I managed to read it now. But the XML is not formatted at all.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:30:39.203431700Z'/><EventRecordID>5464</EventRecordID><Correlation ActivityID='{836F339B-7655-4283-9C51-91811E024137}'/><Execution ProcessID='2620' ThreadID='6184'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>XXX</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{F8F2390A-DEBD-4B5E-9ADF-491B1EC25132}</Data><Data Name='Detection Time'>2019-01-17T07:29:43.550Z</Data><Data Name='Unused'>
Anything on how to decode same?
Rgds,
IR
Yeah, I got this. However, I wanted to add it via the normal way and not using the TA for Defender, as I will have other logs to add in the future where no TA is available.
If I get this one working, all others will follow the same principle.
Just download it and have a look at it, there are field extractions for your unformatted XML as well.
You were completely right.
I have downloaded it and it simplifies everything. Some tweaks had to be done in the inputs.conf.
But all is well and works brilliantly.
Many thanks again.
I noticed it works for localhost alarms.
However for remote computers, the event is not raised.
Any idea what I am missing?
Hm, not really, sorry. There is not much documentation for the TA.
You might want to start a new answer for that.
I finally got it working as follows:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = default
current_only = 0
start_from = oldest
checkpointInterval = 5
However, it is imported as plain XML as follows:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:09:58.515056300Z'/><EventRecordID>5462</EventRecordID><Correlation ActivityID='{73509B89-4403-46D8-B260-204DD0098E76}'/><Execution ProcessID='2620' ThreadID='15224'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>IT-IRSHAD.Emtel.Org</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>%%827</Data><Data Name='Product Version'>4.8.10240.16384</Data><Data Name='Detection ID'>{BDDC5EF0-DF00-46E0-B606-B8696AF2C89D}</Data><Data Name='Detection Time'>2019-01-17T07:09:03.351Z</Data><Data Name='Unused'></Data><Data Name='Unused2'></Data><Data Name='Threat ID'>2147519003</Data>
Nothing has been decoded. How do I get it decoded?
Rgds,
IR
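To show what "decoding" the raw event XML above amounts to, here is an added example (not from the thread or the TA) that flattens a Windows event record into fields: every child of <System> and every <Data Name='...'> entry under <EventData>, plus a list of values such as %%827 that are unresolved message-table references. The sample event is constructed from the structure of the event 1117 quoted above, with a placeholder hostname.

```python
"""Flatten Windows event XML (the renderXml form shown above) into a field dict."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, modelled on the truncated Defender event 1117 quoted in the thread.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Windows Defender' "
    "Guid='{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}'/>"
    "<EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode>"
    "<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2019-01-17T07:09:58.515056300Z'/>"
    "<EventRecordID>5462</EventRecordID><Execution ProcessID='2620' ThreadID='15224'/>"
    "<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>"
    "<Computer>HOST-PLACEHOLDER</Computer><Security UserID='S-1-5-18'/></System>"
    "<EventData><Data Name='Product Name'>%%827</Data>"
    "<Data Name='Product Version'>4.8.10240.16384</Data>"
    "<Data Name='Detection ID'>{BDDC5EF0-DF00-46E0-B606-B8696AF2C89D}</Data>"
    "<Data Name='Detection Time'>2019-01-17T07:09:03.351Z</Data><Data Name='Unused'></Data>"
    "<Data Name='Threat ID'>2147519003</Data></EventData></Event>"
)


def parse_win_event(xml_text: str) -> dict:
    """Return a flat dict of fields from one Windows event XML record."""
    root = ET.fromstring(xml_text)
    fields = {}
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event record: missing <System>")
    for child in system:
        tag = child.tag.split("}", 1)[1]  # strip the namespace prefix
        if child.text and child.text.strip():
            fields[tag] = child.text.strip()  # e.g. EventID, Channel, Computer
        for attr, value in child.attrib.items():
            fields[f"{tag}_{attr}"] = value  # e.g. Provider_Name, Security_UserID
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for i, data in enumerate(event_data.findall("e:Data", NS)):
            name = data.get("Name") or f"Data{i}"
            fields[name.replace(" ", "_")] = (data.text or "").strip()
    # %%NNN values are message-table references the collector did not resolve
    fields["unresolved_refs"] = sorted(k for k, v in fields.items() if v.startswith("%%"))
    return fields


if __name__ == "__main__":
    for key, value in parse_win_event(SAMPLE_EVENT).items():
        print(f"{key} = {value}")
```

Inside Splunk the same flattening is done at search time with KV_MODE = xml in props.conf for the sourcetype, or ad hoc with the spath command.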