Microsoft Defender Antivirus Content Pack
Microsoft Defender Antivirus is an anti-malware client service built into supported Windows desktop and server platforms. This technology pack parses, normalizes, and enriches Defender Antivirus events from the Windows Defender Operational log to support detection, response, and operational visibility.
Supported Version(s)
- Windows 10 and 11 (client)
- Windows Server 2016 and later
Requirements
- Windows host with Microsoft Defender Antivirus enabled
- Graylog 6.0+ with a valid Enterprise license
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Windows Event Log Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Windows Event Log Messages"
Log Collection
Microsoft Defender Antivirus events are collected from the Microsoft-Windows-Windows Defender/Operational channel of the Windows Event Log. The pack identifies messages delivered through Winlogbeat or NXLog and routes them into the Windows Event Log processing pipeline. Supported collectors:
- Winlogbeat (Graylog Sidecar)
- NXLog
Log Format Examples
Malware Detection (Event 1116)
{"_winlogbeat_event_created":"2021-09-11T02:06:04.307Z","_winlogbeat_winlog_opcode":"Info","_winlogbeat_agent_id":"897a9958-4efc-4d8d-b5d6-e6649cdd709d","_winlogbeat_ecs_version":"1.5.0","_winlogbeat_event_code":1116,"_winlogbeat_tags":["windows"],"_winlogbeat_winlog_user_identifier":"S-1-5-18","_winlogbeat_winlog_user_type":"User","_winlogbeat_winlog_event_data_State":"1","_winlogbeat_winlog_activity_id":"{F47D9D6A-EB84-4FB5-B4AD-E86083737A24}","_winlogbeat_@timestamp":"2021-09-11T02:06:02.560Z","_winlogbeat_agent_version":"7.9.0","_winlogbeat_agent_ephemeral_id":"bb12ae77-ca9b-446f-a6ea-a8ac5a67e4b7","_winlogbeat_@metadata_version":"7.9.0","_winlogbeat_winlog_record_id":16681,"_winlogbeat_agent_hostname":"JUMPBOX","_winlogbeat_log_level":"warning","_winlogbeat_@metadata_type":"_doc","_winlogbeat_@metadata_beat":"winlogbeat","_winlogbeat_event_provider":"Microsoft-Windows-Windows Defender","_beats_type":"winlogbeat","_winlogbeat_winlog_user_domain":"NT AUTHORITY","_winlogbeat_agent_name":"JUMPBOX","_winlogbeat_winlog_event_id":1116,"_winlogbeat_winlog_event_data_Path":"file:_C:\\Users\\Administrator\\Downloads\\26de80e3bbbe1f053da4131ca7a405644b7443356ec97d48517f1ab86d5f1ca5","_winlogbeat_host_name":"JUMPBOX","_winlogbeat_winlog_channel":"Microsoft-Windows-Windows Defender/Operational","_winlogbeat_winlog_user_name":"SYSTEM","_winlogbeat_winlog_computer_name":"JUMPBOX","_winlogbeat_event_kind":"event","_winlogbeat_collector_node_id":"JUMPBOX","_winlogbeat_winlog_event_data_FWLink":"https://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:O97M/Donoff!rfn&threatid=2147709062&enterprise=0","_winlogbeat_winlog_process_thread_id":4108,"_winlogbeat_winlog_api":"wineventlog","message":"Windows Defender has detected malware or other potentially unwanted software.\n For more information please see the following:\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:O97M/Donoff!rfn&threatid=2147709062&enterprise=0\n \tName: TrojanDownloader:O97M/Donoff!rfn\n \tID: 2147709062\n \tSeverity: Severe\n \tCategory: Trojan Downloader\n \tPath: file:_C:\\Users\\Administrator\\Downloads\\26de80e3bbbe1f053da4131ca7a405644b7443356ec97d48517f1ab86d5f1ca5\n \tDetection Origin: Local machine\n \tDetection Type: Concrete\n \tDetection Source: User\n \tUser: JUMPBOX\\Klondike57Capsule\n \tProcess Name: Unknown\n \tSecurity intelligence Version: AV: 1.349.510.0, AS: 1.349.510.0, NIS: 0.0.0.0\n \tEngine Version: AM: 1.1.18500.10, NIS: 0.0.0.0","_winlogbeat_winlog_provider_guid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","_winlogbeat_agent_type":"winlogbeat","_winlogbeat_winlog_provider_name":"Microsoft-Windows-Windows Defender","_winlogbeat_winlog_process_pid":1776,"host":"ip-172-31-26-190","level":6,"version":"1.1","_replayed_log":"true"}
Agent Status (Event 1150)
{"_winlogbeat_log_level":"information","_winlogbeat_@metadata_type":"_doc","_winlogbeat_event_created":"2021-09-11T14:25:27.313Z","_winlogbeat_agent_id":"56231ac0-2bd0-40e3-860f-04595b12f20e","_winlogbeat_winlog_opcode":"Info","_winlogbeat_@metadata_beat":"winlogbeat","_winlogbeat_ecs_version":"1.5.0","_winlogbeat_event_code":1150,"_winlogbeat_tags":["windows"],"_winlogbeat_event_provider":"Microsoft-Windows-Windows Defender","_beats_type":"winlogbeat","_winlogbeat_winlog_user_domain":"NT AUTHORITY","_winlogbeat_winlog_user_identifier":"S-1-5-18","_winlogbeat_agent_name":"GRAYLOGMEMBER1","_winlogbeat_winlog_event_id":1150,"_winlogbeat_winlog_user_type":"User","_winlogbeat_host_name":"GRAYLOGMEMBER1.grayloglab.local","_winlogbeat_winlog_user_name":"SYSTEM","_winlogbeat_winlog_channel":"Microsoft-Windows-Windows Defender/Operational","_winlogbeat_winlog_computer_name":"GRAYLOGMEMBER1.grayloglab.local","_winlogbeat_event_kind":"event","_winlogbeat_collector_node_id":"GRAYLOGMEMBER1","_winlogbeat_winlog_process_thread_id":1500,"_winlogbeat_winlog_api":"wineventlog","message":"Endpoint Protection client is up and running in a healthy state.\n \tPlatform version: 4.18.2108.7\n \tEngine version: 1.1.18500.10\n \tSecurity intelligence version: 1.349.518.0","_winlogbeat_@timestamp":"2021-09-11T14:25:25.906Z","_winlogbeat_agent_version":"7.9.0","_winlogbeat_winlog_provider_guid":"{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}","_winlogbeat_agent_type":"winlogbeat","_winlogbeat_winlog_provider_name":"Microsoft-Windows-Windows Defender","_winlogbeat_agent_ephemeral_id":"471edb61-c9f5-4710-8af1-db6f63b0a47d","_winlogbeat_@metadata_version":"7.9.0","_winlogbeat_winlog_record_id":17349,"_winlogbeat_agent_hostname":"GRAYLOGMEMBER1","_winlogbeat_winlog_process_pid":2212,"host":"ip-172-31-26-190","level":6,"version":"1.1","_replayed_log":"true"}
What is Provided
- Parsing, normalization, and enrichment of Defender Antivirus events.
- Severity and file path normalization.
- GIM categorization and enforcement fields.
- A Spotlight dashboard.
Events Processed by This Technology Pack
The pack processes the following Microsoft Defender Antivirus event groups. Events outside these groups receive generic processing.
- Malware Detection and Response (1006-1008, 1015, 1116-1119)
- Scan and Quarantine Activity (1000-1005, 1009-1014)
- Engine, Signature, and Platform Updates (2000-2014)
- Agent Status and Configuration (1150, 5000-5012)
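The event groups above are what a detection engineer builds on once the pack has normalized `event_code` and `host_hostname`. The following is an added example, not code from the content pack or from Graylog: it runs three simple correlation rules over a constructed, already-normalized event list using event IDs from the groups above. The rules, thresholds and windows (real-time protection disabled with no re-enable within 15 minutes, any remediation failure, three or more detections on one host within 30 minutes) are this example's own assumptions; in Graylog these would be expressed as event definitions rather than Python.

```python
from datetime import datetime, timedelta


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: already-normalized events (host, event_code, timestamp) that use
# event IDs from the groups listed above; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "JUMPBOX", "event_code": 1116, "timestamp": _t("2021-09-11T02:06:02")},
    {"host": "JUMPBOX", "event_code": 1117, "timestamp": _t("2021-09-11T02:06:05")},
    {"host": "WS01", "event_code": 5001, "timestamp": _t("2021-09-11T03:00:00")},
    {"host": "WS01", "event_code": 1116, "timestamp": _t("2021-09-11T03:01:00")},
    {"host": "WS01", "event_code": 1116, "timestamp": _t("2021-09-11T03:02:00")},
    {"host": "WS01", "event_code": 1006, "timestamp": _t("2021-09-11T03:03:00")},
    {"host": "WS01", "event_code": 1118, "timestamp": _t("2021-09-11T03:03:10")},
    {"host": "WS02", "event_code": 5001, "timestamp": _t("2021-09-11T04:00:00")},
    {"host": "WS02", "event_code": 5000, "timestamp": _t("2021-09-11T04:05:00")},
]

DETECTION_CODES = {1006, 1015, 1116}  # "found malware" / "suspicious behavior" events
REMEDIATION_FAILED = {1008, 1118}     # the platform could not act on the threat
RTP_DISABLED, RTP_ENABLED = 5001, 5000


def find_alerts(events, reenable_window=timedelta(minutes=15),
                burst_threshold=3, burst_window=timedelta(minutes=30)):
    """Run three per-host correlation rules over an event list (any order)."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda e: e["timestamp"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        # Rule 1: a remediation failure is worth a ticket on its own.
        for e in evs:
            if e["event_code"] in REMEDIATION_FAILED:
                alerts.append({"rule": "remediation_failed", "host": host, "at": e["timestamp"]})
        # Rule 2: real-time protection disabled and not re-enabled within the window.
        # Short disable/enable pairs occur legitimately (updates), so the window is a tunable.
        for i, e in enumerate(evs):
            if e["event_code"] != RTP_DISABLED:
                continue
            deadline = e["timestamp"] + reenable_window
            if not any(f["event_code"] == RTP_ENABLED and f["timestamp"] <= deadline
                       for f in evs[i + 1:]):
                alerts.append({"rule": "rtp_disabled", "host": host, "at": e["timestamp"]})
        # Rule 3: burst of detections inside a sliding window (one alert per host).
        stamps = [e["timestamp"] for e in evs if e["event_code"] in DETECTION_CODES]
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append({"rule": "detection_burst", "host": host, "at": t,
                               "count": end - start + 1})
                break
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(a)
```

On the sample, only WS01 fires: its 5001 is never followed by a 5000, it accumulates three detections in two minutes, and the 1118 shows the platform failed to act. WS02's disable/enable pair inside the window is deliberately silent.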
GIM Categorization
GIM categorization is provided for the following Microsoft Defender Antivirus events.
| Event Code | Event Name | GIM Category | GIM Subcategory | GIM Event Type Code |
|---|---|---|---|---|
| 1000 | Antimalware scan started | agent | agent.activity | 280000 |
| 1001 | Antimalware scan finished | agent | agent.activity | 280000 |
| 1002 | Antimalware scan stopped before completion | agent | agent.activity | 280000 |
| 1003 | Antimalware scan paused | agent | agent.activity | 280000 |
| 1004 | Antimalware scan resumed | agent | agent.activity | 280000 |
| 1005 | Antimalware scan failed | agent | agent.activity | 280000 |
| 1006 | Antimalware engine found malware or other potentially unwanted software | detection | detection.host_detection | 301000 |
| 1007 | Antimalware platform performed an action against malware | detection | detection.host_detection | 301000 |
| 1008 | Antimalware platform action against malware failed | detection | detection.host_detection | 301000 |
| 1009 | Antimalware platform restored an item from quarantine | agent | agent.activity | 280000 |
| 1010 | Antimalware platform failed to restore an item from quarantine | agent | agent.activity | 280000 |
| 1011 | Antimalware platform deleted an item from quarantine | agent | agent.activity | 280000 |
| 1012 | Antimalware platform failed to delete an item from quarantine | agent | agent.activity | 280000 |
| 1013 | Antimalware platform deleted history of malware and other potentially unwanted software | agent | agent.activity | 280000 |
| 1014 | Antimalware platform failed to delete history of malware and other potentially unwanted software | agent | agent.activity | 280000 |
| 1015 | Antimalware platform detected suspicious behavior | detection | detection.host_detection | 301000 |
| 1116 | Antimalware platform detected malware or other potentially unwanted software | detection | detection.host_detection | 301000 |
| 1117 | Antimalware platform performed an action to protect the system | detection | detection.host_detection | 301000 |
| 1118 | Antimalware platform action to protect the system failed | detection | detection.host_detection | 301000 |
| 1119 | Antimalware platform encountered a critical error | detection | detection.host_detection | 301000 |
| 1150 | Endpoint Protection client is healthy | agent | agent.status | 280200 |
| 2000 | Antimalware definitions updated | agent | agent.update | 280100 |
| 2001 | Antimalware definitions update failed | agent | agent.update | 280100 |
| 2002 | Antimalware engine updated | agent | agent.update | 280100 |
| 2003 | Antimalware engine update failed | agent | agent.update | 280100 |
| 2004 | Antimalware reverted to last known good signatures | agent | agent.update | 280100 |
| 2005 | Antimalware definitions update failed to load | agent | agent.update | 280100 |
| 2010 | Antimalware loaded dynamic signatures | agent | agent.update | 280100 |
| 2011 | Antimalware discarded a dynamic signature | agent | agent.update | 280100 |
| 2014 | Antimalware platform updated | agent | agent.update | 280100 |
| 5000 | Real-time protection scanning enabled | agent | agent.status | 280200 |
| 5001 | Real-time protection scanning disabled | agent | agent.status | 280200 |
| 5004 | Real-time protection configuration changed | agent | agent.status | 280200 |
| 5007 | Antimalware platform configuration changed | agent | agent.status | 280200 |
| 5010 | Scanning for spyware and other potentially unwanted software disabled | agent | agent.status | 280200 |
| 5012 | Scanning for viruses disabled | agent | agent.status | 280200 |
Parsed Fields
The following fields are parsed and normalized from Microsoft Defender Antivirus events.
| Field Name | Description |
|---|---|
| event_code | Windows event ID |
| event_source_product | Set to microsoft_defender |
| event_outcome | Success or failure based on error code |
| event_action | Normalized action (scan_start, scan_end, blocked, allowed, quarantine, remove, etc.) |
| host_hostname | Hostname of the reporting system |
| vendor_event_description | Event description text |
| alert_signature | Malware/threat name or ASR rule ID |
| alert_signature_id | Threat definition ID |
| alert_severity | Normalized severity (low, medium, high, critical) |
| alert_severity_level | Numeric severity level (2-5) |
| alert_category | Threat category (virus, trojan, etc.) or attack surface reduction |
| alert_response_level | Response severity level (0=allow, 1=quarantine/block, 2=remove/clean) |
| file_path | Path of detected file |
| file_name | File name (derived from file_path) |
| process_path | Process associated with the event |
| process_name | Process executable name |
| user_name | User account associated with the event |
| user_domain | Domain of the user account |
| vendor_alert_severity | Original Microsoft severity text (Low, Moderate, High, Severe) |
| vendor_alert_category | Original Microsoft threat category |
| vendor_alert_object_type | Object type (file, containerfile, driver, etc.) |
| vendor_file_path | Original complex file path with container information |
| vendor_detection_origin | Detection origin (Local machine, Network, etc.) |
| vendor_detection_type | Detection type (Concrete, Heuristic, etc.) |
| vendor_detection_source | Detection source (Real-Time Protection, IOAV, etc.) |
| vendor_scan_id | Scan identifier |
| vendor_scan_type | Scan type (Antimalware, Quick, Full, Custom) |
| vendor_scan_parameters | Scan parameters |
| vendor_scan_resources | Scanned resource paths |
| vendor_asr_rule_id | Attack Surface Reduction rule GUID |
| vendor_platform_version | Defender platform version |
| vendor_engine_version | Defender engine version |
| vendor_intelligence_version | Security intelligence version |
| service_name | Set to Microsoft Defender Antivirus for service start/stop events |
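The normalization the two tables above describe (vendor text kept in `vendor_*` fields, a normalized `alert_severity` and `alert_severity_level`, `file_path` and `file_name` stripped of Defender's `file:_` object prefix) is easiest to see on the sample messages from earlier on this page. The block below is an added example written for this page, not the pack's pipeline rules. It parses the tab-indented `Key: value` lines of the 1116 and 1150 message bodies shown above and emits the field names from the table. Assumptions: the Low/Moderate/High/Severe to 2-5 level assignment, and the chained `containerfile:_...; file:_...->name` object-reference format for archives, are this example's own; the pack's exact rules may differ.

```python
import re

# Constructed samples: the message bodies of the 1116 and 1150 Winlogbeat records
# shown earlier on this page (copied, not new data).
SAMPLE_1116 = (
    "Windows Defender has detected malware or other potentially unwanted software.\n"
    " For more information please see the following:\n"
    "https://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:O97M/Donoff!rfn"
    "&threatid=2147709062&enterprise=0\n"
    " \tName: TrojanDownloader:O97M/Donoff!rfn\n \tID: 2147709062\n \tSeverity: Severe\n"
    " \tCategory: Trojan Downloader\n"
    " \tPath: file:_C:\\Users\\Administrator\\Downloads\\"
    "26de80e3bbbe1f053da4131ca7a405644b7443356ec97d48517f1ab86d5f1ca5\n"
    " \tDetection Origin: Local machine\n \tDetection Type: Concrete\n"
    " \tDetection Source: User\n \tUser: JUMPBOX\\Klondike57Capsule\n"
    " \tProcess Name: Unknown\n"
    " \tSecurity intelligence Version: AV: 1.349.510.0, AS: 1.349.510.0, NIS: 0.0.0.0\n"
    " \tEngine Version: AM: 1.1.18500.10, NIS: 0.0.0.0"
)
SAMPLE_1150 = (
    "Endpoint Protection client is up and running in a healthy state.\n"
    " \tPlatform version: 4.18.2108.7\n \tEngine version: 1.1.18500.10\n"
    " \tSecurity intelligence version: 1.349.518.0"
)

# Assumed mapping of Microsoft's severity text onto the normalized severity and
# the 2-5 numeric level named in the field table.
SEVERITY = {"low": ("low", 2), "moderate": ("medium", 3),
            "high": ("high", 4), "severe": ("critical", 5)}

# Only tab-indented "Key: value" lines carry fields; the header sentence and the
# fwlink URL line (which also contains colons) are not tab-indented and are skipped.
FIELD_LINE = re.compile(r"^\s*\t([^:]+):\s*(.*?)\s*$")
# Object reference "file:_C:\x.exe"; nested objects are assumed to be chained as
# "containerfile:_C:\a.zip; file:_C:\a.zip->evil.exe".
OBJECT_REF = re.compile(r"^(\w+):_(.*)$")


def parse_message(message: str) -> dict:
    """Keys are lower-cased: 1116 writes 'Engine Version', 1150 'Engine version'."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_LINE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def split_object_path(vendor_path: str):
    """Return (object_type, plain_path) of the innermost object in a reference."""
    last = vendor_path.split("; ")[-1]
    m = OBJECT_REF.match(last)
    return (m.group(1), m.group(2)) if m else (None, last)


def file_name_of(path: str) -> str:
    """Last component after a path separator or an archive '->' arrow."""
    return re.split(r"[\\/]|->", path)[-1]


def version_of(text: str, prefix: str):
    """Dotted version after e.g. 'AM:' in 1116; 1150 carries the bare number."""
    m = re.search(r"(?:%s\s*)?([\d.]+)" % prefix, text)
    return m.group(1) if m else None


def normalize(event_code: int, message: str) -> dict:
    """Map one Defender event onto the field names in the table above."""
    raw = parse_message(message)
    out = {"event_code": event_code, "event_source_product": "microsoft_defender"}
    copy = (("name", "alert_signature"), ("id", "alert_signature_id"),
            ("category", "vendor_alert_category"), ("severity", "vendor_alert_severity"),
            ("path", "vendor_file_path"), ("detection origin", "vendor_detection_origin"),
            ("detection type", "vendor_detection_type"),
            ("detection source", "vendor_detection_source"),
            ("platform version", "vendor_platform_version"))
    out.update({dst: raw[src] for src, dst in copy if src in raw})
    if "category" in raw:
        out["alert_category"] = raw["category"].lower().replace(" ", "_")
    if raw.get("severity", "").lower() in SEVERITY:
        out["alert_severity"], out["alert_severity_level"] = SEVERITY[raw["severity"].lower()]
    if "path" in raw:
        obj_type, plain = split_object_path(raw["path"])
        if obj_type:
            out["vendor_alert_object_type"] = obj_type
        out["file_path"], out["file_name"] = plain, file_name_of(plain)
    if "user" in raw:
        domain, _, out["user_name"] = raw["user"].rpartition("\\")
        if domain:
            out["user_domain"] = domain
    proc = raw.get("process name")
    if proc and proc != "Unknown":  # Defender writes "Unknown" when no process is known
        out["process_path"], out["process_name"] = proc, file_name_of(proc)
    for src, dst, prefix in (("engine version", "vendor_engine_version", "AM:"),
                             ("security intelligence version", "vendor_intelligence_version", "AV:")):
        if src in raw and version_of(raw[src], prefix):
            out[dst] = version_of(raw[src], prefix)
    return out
```

Keeping `vendor_file_path` intact while deriving `file_path` from the innermost object is what makes archive detections searchable by the extracted file name without losing the container the analyst needs to find on disk.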
Microsoft Defender Antivirus Spotlight
This spotlight offers a dashboard with 2 tabs:
- Overview
- Agent Activity
