Getting Data In

the best way to collect Windows Defender logs?

corti77
Contributor

Hi,

I need to collect the logs from Windows Defender and I was looking for an official app and I couldn't find one.

I read some people recommending "TA for Microsoft Windows Defender", but I see that it hasn't been updated since 2017.

Is there any other, more recent option?

thanks.


jcarlosgraca
Engager

Hello,

you can collect the logs with the following configuration on inputs.conf:

# Windows Defender operational channel (the space in "Windows Defender" is part of the channel name)
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
# destination index; create it on the indexers before enabling the input
index = windefender
# resolve SIDs in the events to account names via Active Directory
evt_resolve_ad_obj = 1

gcusello
SplunkTrust

Hi @corti77,

you can collect data from Windows Defender using the Splunk Add-On for Windows Security (https://splunkbase.splunk.com/app/6207) that's also accepted by Microsoft (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/the-splunk-add-on-for-microso...)

Ciao.

Giuseppe


corti77
Contributor

Hi @gcusello ,

Are you sure that app includes the basic Microsoft Defender included in any Microsoft OS?

Checking the app documentation, it mentions the Microsoft 365 Defender and Defender for Endpoint products. Those are the EDR and SOAR solutions from Microsoft; there is no mention of the basic AV logs.

https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasehistory

thanks


RichieOl
Explorer

Hi,

I am having this same issue at the moment, as the domain I manage is completely air-gapped from the internet, so there is no cloud connectivity. After some digging I have read that there are events in the Event Viewer.

Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

1116 - MALWAREPROTECTION_STATE_MALWARE_DETECTED

1117 - MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN

1118 - MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

1119 - MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED

I haven't tested them yet, as I have literally just found them online this minute and came across this message board at the same time.

I hope this helps, and if you have found anything extra, can you put them in here too? I'm going to set up the forwarder now to collect these and create a dashboard.

KR

Richard
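To put Richard's event IDs to work once the channel is being collected, here is an added Python example (it is not from this thread, from Splunk, or from Microsoft) that triages exported Defender records: it pairs each 1116 detection with its follow-up 1117/1118/1119 action event and reports the detections that were not remediated. It assumes records in the standard Windows Event XML layout (as produced when the channel is exported or forwarded as XML) and that the EventData fields are named "Detection ID", "Threat Name" and "Path"; those field names are an assumption to confirm against your own events. The sample records at the bottom are constructed, not real telemetry.

```python
"""Triage Windows Defender operational-log events by ID (added example)."""
import xml.etree.ElementTree as ET

# Namespace used by Windows Event XML
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs from the Microsoft-Windows-Windows Defender/Operational channel
EVENT_NAMES = {
    1116: "MALWAREPROTECTION_STATE_MALWARE_DETECTED",
    1117: "MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN",
    1118: "MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED",
    1119: "MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED",
}
# How each follow-up event resolves a detection
OUTCOMES = {1117: "remediated", 1118: "action_failed", 1119: "action_critically_failed"}


def parse_event(xml_text):
    """Extract event ID, host, timestamp and the EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "data": data,
    }


def triage(xml_records):
    """Group records by (host, Detection ID) and record the final outcome per detection.

    A detection with no 1117/1118/1119 follow-up stays "pending"; an action event
    without a preceding 1116 (e.g. the detection fell outside the export window)
    still produces a row so it is not silently dropped.
    """
    detections = {}
    for rec in map(parse_event, xml_records):
        eid = rec["event_id"]
        if eid not in EVENT_NAMES:
            continue  # scans, signature updates etc. are out of scope here
        # "Detection ID" is an assumed EventData field name; adjust to your exports
        key = (rec["computer"], rec["data"].get("Detection ID", ""))
        row = detections.get(key)
        if row is None:
            row = detections[key] = {
                "computer": rec["computer"],
                "first_seen": rec["time"],
                "threat": rec["data"].get("Threat Name", ""),
                "path": rec["data"].get("Path", ""),
                "outcome": "pending",
            }
        if eid in OUTCOMES:
            row["outcome"] = OUTCOMES[eid]
        row["last_event"] = EVENT_NAMES[eid]
    return list(detections.values())


def needs_attention(rows):
    """Detections worth alerting on: Defender saw malware but did not remediate it."""
    return [r for r in rows if r["outcome"] != "remediated"]


def _record(event_id, computer, detection_id, threat, path, when):
    """Build a constructed Windows Event XML record for the sample data below."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Windows Defender"/>'
        f"<EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{when}"/>'
        f"<Computer>{computer}</Computer></System>"
        f'<EventData><Data Name="Detection ID">{detection_id}</Data>'
        f'<Data Name="Threat Name">{threat}</Data>'
        f'<Data Name="Path">{path}</Data></EventData></Event>'
    )


# Constructed sample records: one clean remediation, one failed action, one with no
# follow-up yet, plus an unrelated event ID that must be ignored.
SAMPLE_RECORDS = [
    _record(1116, "WS01", "{d1}", "Trojan:Win32/Sample.A", "file:_C:\\Users\\bob\\Downloads\\invoice.exe", "2024-01-10T08:00:00Z"),
    _record(1117, "WS01", "{d1}", "Trojan:Win32/Sample.A", "file:_C:\\Users\\bob\\Downloads\\invoice.exe", "2024-01-10T08:00:05Z"),
    _record(1116, "WS02", "{d2}", "Trojan:Win32/Sample.B", "file:_C:\\Temp\\update.js", "2024-01-10T08:10:00Z"),
    _record(1118, "WS02", "{d2}", "Trojan:Win32/Sample.B", "file:_C:\\Temp\\update.js", "2024-01-10T08:10:07Z"),
    _record(1116, "WS03", "{d3}", "HackTool:Win32/Sample.C", "file:_C:\\Tools\\x.exe", "2024-01-10T08:20:00Z"),
    _record(1000, "WS03", "", "", "", "2024-01-10T08:30:00Z"),
]

if __name__ == "__main__":
    for row in needs_attention(triage(SAMPLE_RECORDS)):
        print(f"{row['computer']}: {row['threat']} at {row['path']} -> {row['outcome']} ({row['last_event']})")
```

Rows whose outcome is anything other than "remediated" are the ones to surface: 1118 and 1119 mean Defender detected the file but could not act on it, and a "pending" 1116 with no follow-up usually means the action event has not arrived yet or the export window cut it off.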

gcusello
SplunkTrust

Hi @corti77,

You're right, this Add-on is for the O365 Defender,

but with my limited knowledge of Defender (I'm not a fan of it!), and it's possible I'm wrong, it should be possible to get Defender logs from the Cloud using this Add-On.

If it isn't possible, sorry for my wrong answer!

Ciao.

Giuseppe
