Channel: Microsoft-Windows-Windows Defender/Operational.
Events: 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1015, 1116, 1117, 1118, 1119, 1121, 1122, 5001, 5007, 5010, 5012, 5013.

Overview

Windows Defender generates, among other telemetry, event logs that can be of great use during incident response investigations. Even if another security product is installed on the system, Windows Defender may still be generating events related to malware detections or suspicious user behavior.

Windows Defender malware detection events

Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Events 1006 and 1116: The antimalware engine found malware or other potentially unwanted software.

Logged whenever malware is detected by Windows Defender.

Suspicious behaviors, such as a dump of the LSASS process memory by Taskmgr or an export of the SAM / SYSTEM / SECURITY registry hives using the reg utility, can also generate events 1116 (category Behavior:*).

Information of interest:
- The file path of the file that triggered the detection. For behavioral detections, the file path field can instead store information on the process, such as the process command line or Process ID (PID) and start time.
- The threat name (such as Backdoor:JS/Chopper.VH!MSR or Trojan:PowerShell/ReverseShell.SA), category, and severity.
- The process (if any) and the domain and username of the user associated with the detection.
- The action taken by Windows Defender, such as putting the file in quarantine.
Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Event 1015: The antimalware platform detected suspicious behavior.

Logged whenever suspicious behavior is detected by Windows Defender. Suspicious behaviors may generate events 1116 instead of events 1015.

Information of interest: similar level of information to events 1006 / 1116.
Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Events 1007 and 1117: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
Events 1008 and 1118: The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
Event 1119: The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software.

Logged whenever Windows Defender takes an action following a detection, such as putting the malicious file in quarantine. The action may however fail, resulting in error events 1008 / 1118 or 1119.

Information of interest: similar level of information to events 1006 / 1116.
Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Event 1009: The antimalware platform restored an item from quarantine.
Event 1010: The antimalware platform couldn't restore an item from quarantine.
Event 1011: The antimalware platform deleted an item from quarantine.
Event 1012: The antimalware platform couldn't delete an item from quarantine.

Logged on quarantine lifecycle actions taken by Windows Defender: restoring a file from quarantine or deleting a quarantined file. The operation may fail, resulting in associated error events 1010 or 1012.

Information of interest:
- The original file path of the file in quarantine.
- The threat name, category, and severity.
Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Requires ASR rules to be configured in audit or block mode.
Event 1121: Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
Event 1122: Windows Defender Exploit Guard audited an operation that is not allowed by your IT administrator.

Logged whenever an ASR rule is triggered, either in block or audit mode. ASR rules may however generate many false positives.

Information of interest:
- The triggered ASR rule GUID.
- The process name, file, and user associated with the trigger.
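As an added example (not code from the original page), the following PowerShell function extracts the fields of interest listed above from detection and remediation events by reading the named EventData elements (Threat Name, Path, Process Name, Detection User, Action Name, Severity Name, Category Name) rather than relying on their position. The function name and the sample 1116 event are constructed for this example.

```powershell
# Added example, not from the original page: normalise Defender detection (1006/1116) and
# remediation (1007/1117/1008/1118/1119) events into one object per event.
function Get-DefenderDetection {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # Accept a live EventLogRecord (from Get-WinEvent) or a raw event XML string (exported data)
        $xml  = if ($Record -is [string]) { [xml]$Record } else { [xml]$Record.ToXml() }
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            Time     = $xml.Event.System.TimeCreated.SystemTime
            EventId  = [int]$xml.Event.System.EventID
            Threat   = $data['Threat Name']
            Severity = $data['Severity Name']
            Category = $data['Category Name']
            # file:_<path> for file detections; process details for Behavior:* detections
            Path     = $data['Path']
            Process  = $data['Process Name']
            User     = $data['Detection User']
            Action   = $data['Action Name']
        }
    }
}

# Live triage of the channel described on this page (uncomment on the examined host):
# Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-Windows Defender/Operational'
#     Id      = 1006, 1116, 1007, 1117, 1008, 1118, 1119
# } | Get-DefenderDetection | Format-Table -AutoSize

# Offline check against a constructed 1116 event (values are made up, non-essential fields omitted)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1116</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
  <EventData>
    <Data Name="Threat Name">Trojan:PowerShell/ReverseShell.SA</Data>
    <Data Name="Severity Name">Severe</Data>
    <Data Name="Category Name">Trojan</Data>
    <Data Name="Path">file:_C:\Users\alice\Downloads\update.ps1</Data>
    <Data Name="Process Name">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Detection User">CORP\alice</Data>
    <Data Name="Action Name">Quarantine</Data>
  </EventData>
</Event>
'@
Get-DefenderDetection -Record $sample | Format-List
```

Piping the 1117/1118/1119 follow-up events through the same function makes it easy to pair each detection with the outcome of the action Windows Defender took on it.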

Windows Defender configuration change events

Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Event 5001: Real-time protection is disabled.

Indicates that the real-time protection of Windows Defender was disabled.

The event does not indicate which user performed the action.
Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Event 5007: The antimalware platform configuration changed.

Indicates a change of the Windows Defender configuration, with one configuration change per event. The previous and new value of the configuration item, as stored in the registry, are logged.

For instance:

Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0x5
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0x4
Indicates that the tamper protection of Windows Defender was disabled.

Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x0
Indicates that automatic samples submission was turned off.

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0
Indicates that the C:\ folder was added to Windows Defender folder exclusion list.

New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cmd.exe = 0x0
Indicates that cmd.exe processes were added to the Windows Defender process exclusion list.

The event does not indicate which user performed the action.
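The following PowerShell function, added here as an example and not part of the original page, turns the "<registry path> = <value>" strings that event 5007 stores into a one-line summary so that exclusion additions and tamper-protection changes stand out. The function name and category labels are this example's own; it assumes the EventData elements are named "Old Value" and "New Value", that a removed setting logs only an old value, and it also covers extension exclusions, which the page does not list.

```powershell
# Added example, not from the original page: summarise a 5007 configuration change from its
# Old Value / New Value fields. The meaning of 0x4 (tamper protection) and 0x0 (sample
# submission) follows the examples quoted on this page.
function Get-DefenderConfigChangeSummary {
    param([string]$OldValue, [string]$NewValue)
    $prefix = 'HKLM\SOFTWARE\Microsoft\Windows Defender\'
    # Assumed: a removed setting logs only an Old Value, a newly created one only a New Value
    if ([string]::IsNullOrWhiteSpace($NewValue)) { return "Setting removed: $OldValue" }
    $path, $value = $NewValue -split ' = ', 2
    $rel = if ($path.StartsWith($prefix, 'OrdinalIgnoreCase')) { $path.Substring($prefix.Length) } else { $path }
    switch -Regex ($rel) {
        '^Exclusions\\(Paths|Processes|Extensions)\\(.+)$' {
            return "Exclusion added ($($Matches[1])): $($Matches[2])" }
        '^Features\\TamperProtection$' {
            return $(if ($value -eq '0x4') { 'Tamper protection disabled' } else { "Tamper protection set to $value" }) }
        '^SpyNet\\SubmitSamplesConsent$' {
            return $(if ($value -eq '0x0') { 'Automatic sample submission turned off' } else { "Sample submission set to $value" }) }
        default { return "Other change: $rel = $value (was: $OldValue)" }
    }
}

# Live use (uncomment on the examined host): one summary line per 5007 event
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } |
#   ForEach-Object {
#     $d = @{}; foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.GetAttribute('Name')] = $e.InnerText }
#     [pscustomobject]@{ Time = $_.TimeCreated; Change = Get-DefenderConfigChangeSummary $d['Old Value'] $d['New Value'] }
#   }

# Offline check using the four Old value / New value pairs quoted on this page
$base = 'HKLM\SOFTWARE\Microsoft\Windows Defender\'
@(
    @{ Old = "${base}Features\TamperProtection = 0x5";   New = "${base}Features\TamperProtection = 0x4" }
    @{ Old = "${base}SpyNet\SubmitSamplesConsent = 0x1"; New = "${base}SpyNet\SubmitSamplesConsent = 0x0" }
    @{ Old = '';                                         New = "${base}Exclusions\Paths\C:\ = 0x0" }
    @{ Old = '';                                         New = "${base}Exclusions\Processes\cmd.exe = 0x0" }
) | ForEach-Object { Get-DefenderConfigChangeSummary -OldValue $_.Old -NewValue $_.New }
```

Because 5007 does not record the acting user, correlate the event time with process creation or PowerShell logging on the host to attribute the change.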
Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Event 5010: Scanning for malware and other potentially unwanted software is disabled (MALWAREPROTECTION_ANTISPYWARE_DISABLED).
Event 5012: Scanning for viruses is disabled (MALWAREPROTECTION_ANTIVIRUS_DISABLED).

Indicates that the Windows Defender feature associated with the event was disabled.
Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Event 5013: Tamper protection blocked a change to Microsoft Defender Antivirus (MALWAREPROTECTION_SCAN_CANCELLED).

Indicates that a change to the Windows Defender configuration was blocked by the tamper protection mechanism.
Channel: Microsoft-Windows-Windows Defender/Operational
Conditions: Default configuration.
Event 1013: Antivirus Microsoft Defender has removed history of malware and other potentially unwanted software.

Logged whenever the Windows Defender Protection history (as displayed in the “Virus & threat protection” tab) is cleared. The Protection history is displayed to end users and notably includes the detections and quarantined files of the last 30 days. Windows Defender protection history records are automatically deleted after that 30-day period, so this event also occurs legitimately.

Manually clearing the Microsoft-Windows-Windows Defender%4Operational.evtx file, or other Windows Defender log files, does not generate an event 1013.

The event includes two timestamps:
- The event timestamp, which indicates when the protection history was cleared.
- The Timestamp field (in the event’s EventData section), which represents the time of occurrence of the record that was automatically removed.
