Microsoft-Windows-Windows Defender

94 events across 2 channels

Event ID	Title	Channel
101	Microsoft Defender Antivirus state updated to %1.	WHC
1000	%1 scan has started.	Operational
1001	%1 scan has finished.	Operational
1002	%1 scan has been stopped before completion.	Operational
1003	%1 scan has been paused.	Operational
1004	%1 scan has resumed.	Operational
1005	%1 scan has encountered an error and terminated.	Operational
1006	%1 has detected malware or other potentially unwanted software.	Operational
1007	%1 has taken action to protect this machine from malware or other potentially …	Operational
1008	%1 has encountered an error when taking action on malware or other potentially …	Operational
1009	%1 has restored an item from quarantine.	Operational
1010	%1 has encountered an error trying to restore an item from quarantine.	Operational
1011	%1 has deleted an item from quarantine.	Operational
1012	%1 has encountered an error trying to delete an item from quarantine.	Operational
1013	%1 has removed history of malware and other potentially unwanted software.	Operational
1014	%1 has encountered an error trying to remove history of malware and other …	Operational
1015	%1 has detected a suspicious behavior.	Operational
1116	%1 has detected malware or other potentially unwanted software.	Operational
1117	%1 has taken action to protect this machine from malware or other potentially …	Operational
1118	%1 has encountered a non-critical error when taking action on malware or other …	Operational
1119	%1 has encountered a critical error when taking action on malware or other …	Operational
1120	%1 has deduced the hashes for a threat resource.	Operational
1121	Microsoft Defender Exploit Guard has blocked an operation that is not allowed by …	Operational
1122	Microsoft Defender Exploit Guard audited an operation that is not allowed by …	Operational
1123	%8 has been blocked from modifying %7 by Controlled Folder Access.	Operational
1124	%8 would have been blocked from modifying %7 by Controlled Folder Access.	Operational
1125	Your IT administrator would have caused Microsoft Defender Exploit Guard to …	Operational
1126	Your IT administrator has caused Microsoft Defender Exploit Guard to block a …	Operational
1127	Controlled Folder Access blocked %8 from making changes to memory.	Operational
1128	Controlled Folder Access would have blocked %8 from making changes to memory.	Operational
1129	A user has allowed a blocked Microsoft Defender Exploit Guard operation.	Operational
1130	{Product Name} blocked a behavior by {Source app}.	Operational
1131	%1 has blocked an operation that your administrator doesn't allow.	Operational
1132	%1 has audited an operation.	Operational
1133	%1 has blocked an operation that your administrator doesn't allow.	Operational
1134	%1 has audited an operation.	Operational
1150	Endpoint Protection client is up and running in a healthy state.	Operational
1151	Endpoint Protection client health report (time in UTC): Platform version: %2 …	Operational
1160	%1 has detected potentially unwanted application(PUA).	Operational
2000	%1 security intelligence version updated.	Operational
2001	%1 has encountered an error trying to update security intelligence.	Operational
2002	%1 engine version has been updated.	Operational
2003	%1 has encountered an error trying to update the engine.	Operational
2004	%1 has encountered an error trying to update security intelligence and will …	Operational
2005	%1 could not load antimalware engine because current platform version is not …	Operational
2006	%1 has encountered an error trying to update the platform.	Operational
2007	%1 will soon require a newer platform version to support future versions of the …	Operational
2008	%1 platform update update to %4 is paused due to system activity.	Operational
2009	%1 platform update to %4 has resumed.	Operational
2010	%1 used cloud protection to get additional security intelligence.	Operational
2011	%1 used cloud protection to discard obsolete security intelligence updates.	Operational
2012	%1 has encountered an error trying to use cloud protection.	Operational
2013	%1 discarded all cloud protection intelligence.	Operational
2014	%1 platform update to %2 has succeeded.	Operational
2020	{Product Name} downloaded a clean file.	Operational
2021	{Product Name} has encountered an error trying to download a clean file.	Operational
2030	%1 downloaded and configured Microsoft Defender Antivirus (offline scan) to run …	Operational
2031	%1 has encountered an error trying to download and configure Microsoft Defender …	Operational
2040	The support for your operating system will expire shortly.	Operational
2041	The support for your operating system has expired.	Operational
2042	The support for your operating system has expired.	Operational
2050	%1 has uploaded a file for further analysis.	Operational
2051	%1 has encountered an error trying to upload a suspicious file for further …	Operational
3000	{Product Name} Real-Time Protection agents have started.	Operational
3001	{Product Name}Real-Time Protection agents have stopped.	Operational
3002	%1 Real-Time Protection feature has encountered an error and failed.	Operational
3003	{Product Name} Real-Time Protection checkpoint has encountered an error and …	Operational
3004	{Product Name} Real-Time Protection agent has detected changes.	Operational
3005	{Product Name} Real-Time Protection agent has taken action to protect this …	Operational
3006	{Product Name} Real-Time Protection agent has encountered an error when taking …	Operational
3007	%1 Real-time Protection feature has restarted.	Operational
4000	{Product Name} AV OnAccess Filter has detected spyware or other potentially …	Operational
4002	{param1} AV OnAccess Filter has taken action to protect this machine from …	Operational
4003	{param1} AV OnAccess Filter has encountered an error when taking action on …	Operational
5000	%1 Real-time Protection scanning for malware and other potentially unwanted …	Operational
5001	%1 Real-time Protection scanning for malware and other potentially unwanted …	Operational
5002	{param1} OnAccess scanning for viruses was enabled.	Operational
5003	{param1} OnAccess scanning for viruses was disabled.	Operational
5004	%1 Real-time Protection feature configuration has changed.	Operational
5005	{Product Name} Real-time Protection checkpoint configuration has changed.	Operational
5006	{param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled …	Operational
5007	%1 Configuration has changed.	Operational
5008	%1 engine has been terminated due to an unexpected error.	Operational
5009	%1 scanning for spyware and other potentially unwanted software has been …	Operational
5010	%1 scanning for spyware and other potentially unwanted software is disabled.	Operational
5011	%1 scanning for viruses has been enabled.	Operational
5012	%1 scanning for viruses is disabled.	Operational
5013	Tamper Protection %3 a change to %1.	Operational
5014	%1 Resource Monitor: Memory consumption exceeded its limit.	Operational
5015	%1 Resource Monitor: CPU utilization exceeded its limit.	Operational
5016	%1 service seemed to be hung during shutdown.	Operational
5017	%1 service feature has encountered an error and failed.	Operational
5100	{Product Name} has entered a grace period and will soon expire.	Operational
5101	{Product Name} grace period has expired.	Operational

Event ID 101 — Microsoft Defender Antivirus state updated to %1.

Provider: Microsoft-Windows-Windows Defender
Channel: WHC

Message

Microsoft Defender Antivirus state updated to %1.

Fields

Name	Description
`hc_stateid`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1000 — %1 scan has started.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 scan has started.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	Scan Resources: %11
  	User: %8\%9
 	Scan Trigger: %13
 	Scan Only If Idle: %14
 	Low CPU Priority for Scans: %15
 	Thread Priority: %16

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Scan ID`	—
`Scan Type Index`	—
`Scan Type`	—
`Scan Parameters Index`	—
`Scan Parameters`	—
`Domain`	—
`User`	—
`SID`	—
`Scan Resources`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 1000
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:03:12.968279+00:00'
  event_record_id: 32
  correlation: {}
  execution:
    process_id: 2680
    thread_id: 2860
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.2104.5
  Scan ID: '{CE345D2C-02E3-48B3-8683-BF64336A98E7}'
  Scan Type Index: '1'
  Scan Type: Antimalware
  Scan Parameters Index: '1'
  Scan Parameters: Quick Scan
  Domain: NT AUTHORITY
  User: SYSTEM
  SID: S-1-5-18
  Scan Resources: ''
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1001 — %1 scan has finished.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 scan has finished.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9
 	Scan Time: %11:%12:%13

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Scan ID`	—
`Scan Type Index`	—
`Scan Type`	—
`Scan Parameters Index`	—
`Scan Parameters`	—
`Domain`	—
`User`	—
`SID`	—
`Scan Time Hours`	—
`Scan Time Minutes`	—
`Scan Time Seconds`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 1001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-04T14:09:02.003645+00:00'
  event_record_id: 102
  correlation:
    ActivityID: 5F56C890-B44B-432D-8EF6-FB4D94734C2D
  execution:
    process_id: 1796
    thread_id: 3036
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.2202.4
  Scan ID: '{7749FCE9-BEE7-43EC-991B-C0ADC46B93C1}'
  Scan Type Index: '1'
  Scan Type: Antimalware
  Scan Parameters Index: '1'
  Scan Parameters: Quick Scan
  Domain: WIN-TKC15D7KHUR
  User: Administrator
  SID: S-1-5-21-1958040314-2592322477-2606035944-500
  Scan Time Hours: '0'
  Scan Time Minutes: '02'
  Scan Time Seconds: '25'
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1002 — %1 scan has been stopped before completion.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 3
Samples: 1

Message

%1 scan has been stopped before completion.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
  	User: %8\%9
 	Stop Reason: %12

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Scan ID`	—
`Scan Type Index`	—
`Scan Type`	—
`Scan Parameters Index`	—
`Scan Parameters`	—
`Domain`	—
`User`	—
`SID`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 1002
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:04:28.116951+00:00'
  event_record_id: 33
  correlation: {}
  execution:
    process_id: 2680
    thread_id: 2860
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.2104.5
  Scan ID: '{CE345D2C-02E3-48B3-8683-BF64336A98E7}'
  Scan Type Index: '1'
  Scan Type: Antimalware
  Scan Parameters Index: '1'
  Scan Parameters: Quick Scan
  Domain: NT AUTHORITY
  User: SYSTEM
  SID: S-1-5-18
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1003 — %1 scan has been paused.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 scan has been paused.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`ScanID`	—
`ScanTypeIndex`	—
`ScanType`	—
`ScanParametersIndex`	—
`ScanParameters`	—
`Domain`	—
`User`	—
`SID`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1004 — %1 scan has resumed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 scan has resumed.
 	Scan ID: %3
  	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`ScanID`	—
`ScanTypeIndex`	—
`ScanType`	—
`ScanParametersIndex`	—
`ScanParameters`	—
`Domain`	—
`User`	—
`SID`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1005 — %1 scan has encountered an error and terminated.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 scan has encountered an error and terminated.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9
 	Error Code: %11
 	Error description: %12

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`ScanID`	—
`ScanTypeIndex`	—
`ScanType`	—
`ScanParametersIndex`	—
`ScanParameters`	—
`Domain`	—
`User`	—
`SID`	—
`ErrorCode`	—
`ErrorDescription`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1006 — %1 has detected malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has detected malware or other potentially unwanted software.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	Path Found: %16
 	Detection Type: %22
 	Detection Source: %5
 	Status: %20
 	User: %8\%9
 	Process Name: %7
 	Security intelligence Version: %27
 	Engine Version: %28

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`DetectionID`	—
`DetectionSourceIndex`	—
`DetectionSource`	—
`Unused`	—
`ProcessName`	—
`Domain`	—
`User`	—
`SID`	—
`ThreatName`	—
`ThreatID`	—
`SeverityID`	—
`CategoryID`	—
`FWLink`	—
`PathFound`	—
`DetectionOriginIndex`	—
`DetectionOrigin`	—
`ExecutionStatusIndex`	—
`ExecutionStatus`	—
`DetectionTypeIndex`	—
`DetectionType`	—
`Unused2`	—
`Unused3`	—
`SeverityName`	—
`CategoryName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

Sigma Rules

Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1007 — %1 has taken action to protect this machine from malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
%15
 	User: %8\%9
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	Action: %20
 	Status: %7
 	Security intelligence Version: %27
 	Engine Version: %28

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`DetectionID`	—
`Unused`	—
`Unused2`	—
`StatusCode`	—
`StatusDescription`	—
`Domain`	—
`User`	—
`SID`	—
`ThreatName`	—
`ThreatID`	—
`SeverityID`	—
`CategoryID`	—
`FWLink`	—
`Path`	—
`Unused3`	—
`Unused4`	—
`CleaningActionIndex`	—
`CleaningAction`	—
`Unused5`	—
`Unused6`	—
`Unused7`	—
`Unused8`	—
`SeverityName`	—
`CategoryName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1008 — %1 has encountered an error when taking action on malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error when taking action on malware or other potentially unwanted software.
 For more information please see the following:
%15
 	User: %8\%9
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	Path: %16
 	Action: %20
 	Error Code: %21
 	Error description: %22
 	Status: %7
 	Security intelligence Version: %27
 	Engine Version: %28

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`DetectionID`	—
`Unused`	—
`Unused2`	—
`StatusCode`	—
`StatusDescription`	—
`Domain`	—
`User`	—
`SID`	—
`ThreatName`	—
`ThreatID`	—
`SeverityID`	—
`CategoryID`	—
`FWLink`	—
`Path`	—
`Unused3`	—
`Unused4`	—
`CleaningActionIndex`	—
`CleaningAction`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused5`	—
`Unused6`	—
`SeverityName`	—
`CategoryName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1009 — %1 has restored an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has restored an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Security intelligence Version: %27
 	Engine Version: %28

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Unused4`	—
`Unused5`	—
`Domain`	—
`User`	—
`SID`	—
`ThreatName`	—
`ThreatID`	—
`SeverityID`	—
`CategoryID`	—
`FWLink`	—
`Path`	—
`Unused6`	—
`Unused7`	—
`Unused8`	—
`Unused9`	—
`Unused10`	—
`Unused11`	—
`Unused12`	—
`Unused13`	—
`SeverityName`	—
`CategoryName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

Sigma Rules

Win Defender Restored Quarantine File
Detects the restoration of files from the defender quarantine

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1010 — %1 has encountered an error trying to restore an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to restore an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Error Code: %3
 	Error description: %4
 	Security intelligence Version: %27
 	Engine Version: %28

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Domain`	—
`User`	—
`SID`	—
`ThreatName`	—
`ThreatID`	—
`SeverityID`	—
`CategoryID`	—
`FWLink`	—
`Path`	—
`Unused4`	—
`Unused5`	—
`Unused6`	—
`Unused7`	—
`Unused8`	—
`Unused9`	—
`Unused10`	—
`Unused11`	—
`SeverityName`	—
`CategoryName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1011 — %1 has deleted an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has deleted an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Security intelligence Version: %27
 	Engine Version: %28

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Unused4`	—
`Unused5`	—
`Domain`	—
`User`	—
`SID`	—
`ThreatName`	—
`ThreatID`	—
`SeverityID`	—
`CategoryID`	—
`FWLink`	—
`Path`	—
`Unused6`	—
`Unused7`	—
`Unused8`	—
`Unused9`	—
`Unused10`	—
`Unused11`	—
`Unused12`	—
`Unused13`	—
`SeverityName`	—
`CategoryName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1012 — %1 has encountered an error trying to delete an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to delete an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Error Code: %3
 	Error description: %4
 	Security intelligence Version: %27
 	Engine Version: %28

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Domain`	—
`User`	—
`SID`	—
`ThreatName`	—
`ThreatID`	—
`SeverityID`	—
`CategoryID`	—
`FWLink`	—
`Path`	—
`Unused4`	—
`Unused5`	—
`Unused6`	—
`Unused7`	—
`Unused8`	—
`Unused9`	—
`Unused10`	—
`Unused11`	—
`SeverityName`	—
`CategoryName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1013 — %1 has removed history of malware and other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has removed history of malware and other potentially unwanted software.
 	Time: %3
 	User: %8\%9

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Timestamp`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Unused4`	—
`Domain`	—
`User`	—
`SID`	—

Sigma Rules

Windows Defender Malware Detection History Deletion
Windows Defender logs when the history of detected infections is deleted.

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1014 — %1 has encountered an error trying to remove history of malware and other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to remove history of malware and other potentially unwanted software.
 	Time: %3
 	User: %8\%9
 	Error Code: %4
 	Error description: %5

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Timestamp`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused`	—
`Unused2`	—
`Domain`	—
`User`	—
`SID`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1015 — %1 has detected a suspicious behavior.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has detected a suspicious behavior.
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	Path Found: %16
 	Detection Origin: %18
 	Detection Type: %22
 	Detection Source: %5
 	Status: %20
 	User: %8\%9
 	Process Name: %7
 	Security intelligence ID: %30
 	Security intelligence Version: %27
 	Engine Version: %28
 	Fidelity Label:  %32
 	Target File Name:  %36

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`DetectionID`	—
`DetectionSourceIndex`	—
`DetectionSource`	—
`Unused`	—
`ProcessName`	—
`Domain`	—
`User`	—
`SID`	—
`ThreatName`	—
`ThreatID`	—
`SeverityID`	—
`CategoryID`	—
`FWLink`	—
`PathFound`	—
`DetectionOriginIndex`	—
`DetectionOrigin`	—
`ExecutionStatusIndex`	—
`ExecutionStatus`	—
`DetectionTypeIndex`	—
`DetectionType`	—
`Unused2`	—
`Unused3`	—
`SeverityName`	—
`CategoryName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—
`ProcessID`	—
`SecurityintelligenceID`	—
`FidelityValue`	—
`FidelityLabel`	—
`ImageFileHash`	—
`Unused4`	—
`Unused5`	—
`TargetFileName`	—
`TargetFileHash`	—

Sigma Rules

Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1116 — %1 has detected malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 3
Samples: 1

Message

%1 has detected malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %20
 	Process Name: %19
 	Security intelligence Version: %41
 	Engine Version: %42

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Detection ID`	—
`Detection Time`	—
`Unused`	—
`Unused2`	—
`Threat ID`	—
`Threat Name`	—
`Severity ID`	—
`Severity Name`	—
`Category ID`	—
`Category Name`	—
`FWLink`	—
`Status Code`	—
`Status Description`	—
`State`	—
`Source ID`	—
`Source Name`	—
`Process Name`	—
`Detection User`	—
`Unused3`	—
`Path`	—
`Origin ID`	—
`Origin Name`	—
`Execution ID`	—
`Execution Name`	—
`Type ID`	—
`Type Name`	—
`Pre Execution Status`	—
`Action ID`	—
`Action Name`	—
`Unused4`	—
`Error Code`	—
`Error Description`	—
`Unused5`	—
`Post Clean Status`	—
`Additional Actions ID`	—
`Additional Actions String`	—
`Remediation User`	—
`Unused6`	—
`Signature Version`	—
`Engine Version`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 1116
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2019-07-18T20:51:50.798995+00:00'
  event_record_id: 102
  correlation:
    ActivityID: 40013F0F-EF76-4940-A8B2-4DE50BE9AAC3
  execution:
    process_id: 6024
    thread_id: 6068
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-18
event_data:
  Product Name: '%%827'
  Product Version: 4.18.1906.3
  Detection ID: '{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}'
  Detection Time: '2019-07-18T20:40:16.697Z'
  Unused: ''
  Unused2: ''
  Threat ID: '2147708292'
  Threat Name: HackTool:JS/Jsprat
  Severity ID: '4'
  Severity Name: High
  Category ID: '34'
  Category Name: Tool
  FWLink: https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0
  Status Code: '1'
  Status Description: ''
  State: '1'
  Source ID: '3'
  Source Name: '%%818'
  Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Detection User: MSEDGEWIN10\IEUser
  Unused3: ''
  Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp;
    file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005);
    file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037);
    file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045);
    file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065);
    file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068)
  Origin ID: '1'
  Origin Name: '%%845'
  Execution ID: '1'
  Execution Name: '%%813'
  Type ID: '8'
  Type Name: '%%862'
  Pre Execution Status: '0'
  Action ID: '9'
  Action Name: '%%887'
  Unused4: ''
  Error Code: '0x00000000'
  Error Description: 'The operation completed successfully. '
  Unused5: ''
  Post Clean Status: '0'
  Additional Actions ID: '0'
  Additional Actions String: No additional actions required
  Remediation User: ''
  Unused6: ''
  Signature Version: 'AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0'
  Engine Version: 'AM: 1.1.16100.4, NIS: 0.0.0.0'
message: ''

Sigma Rules

Windows Defender AMSI Trigger Detected
Detects triggering of AMSI by Windows Defender.
Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1117 — %1 has taken action to protect this machine from malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %39
 	Process Name: %19
 	Action: %31
 	Action Status:  %38
 	Error Code: %33
 	Error description: %34
 	Security intelligence Version: %41
 	Engine Version: %42

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Detection ID`	—
`Detection Time`	—
`Unused`	—
`Unused2`	—
`Threat ID`	—
`Threat Name`	—
`Severity ID`	—
`Severity Name`	—
`Category ID`	—
`Category Name`	—
`FWLink`	—
`Status Code`	—
`Status Description`	—
`State`	—
`Source ID`	—
`Source Name`	—
`Process Name`	—
`Detection User`	—
`Unused3`	—
`Path`	—
`Origin ID`	—
`Origin Name`	—
`Execution ID`	—
`Execution Name`	—
`Type ID`	—
`Type Name`	—
`Pre Execution Status`	—
`Action ID`	—
`Action Name`	—
`Unused4`	—
`Error Code`	—
`Error Description`	—
`Unused5`	—
`Post Clean Status`	—
`Additional Actions ID`	—
`Additional Actions String`	—
`Remediation User`	—
`Unused6`	—
`Signature Version`	—
`Engine Version`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 1117
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2019-07-18T20:53:31.952569+00:00'
  event_record_id: 106
  correlation:
    ActivityID: 2AD0CF94-C382-4568-A488-1253A4ED0F54
  execution:
    process_id: 6024
    thread_id: 6068
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-18
event_data:
  Product Name: '%%827'
  Product Version: 4.18.1906.3
  Detection ID: '{8791B1FB-0FE7-412E-B084-524CB5A221F3}'
  Detection Time: '2019-07-18T20:40:13.775Z'
  Unused: ''
  Unused2: ''
  Threat ID: '2147735426'
  Threat Name: Trojan:XML/Exeselrun.gen!A
  Severity ID: '5'
  Severity Name: Severe
  Category ID: '8'
  Category Name: Trojan
  FWLink: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0
  Status Code: '5'
  Status Description: ''
  State: '2'
  Source ID: '3'
  Source Name: '%%818'
  Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Detection User: MSEDGEWIN10\IEUser
  Unused3: ''
  Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl
  Origin ID: '1'
  Origin Name: '%%845'
  Execution ID: '1'
  Execution Name: '%%813'
  Type ID: '2'
  Type Name: '%%823'
  Pre Execution Status: '0'
  Action ID: '6'
  Action Name: '%%811'
  Unused4: ''
  Error Code: '0x80508023'
  Error Description: 'The program could not find the malware and other potentially
    unwanted software on this device. '
  Unused5: ''
  Post Clean Status: '0'
  Additional Actions ID: '0'
  Additional Actions String: No additional actions required
  Remediation User: NT AUTHORITY\SYSTEM
  Unused6: ''
  Signature Version: 'AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0'
  Engine Version: 'AM: 1.1.16100.4, NIS: 0.0.0.0'
message: ''

Sigma Rules

Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1118 — %1 has encountered a non-critical error when taking action on malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered a non-critical error when taking action on malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %39
 	Process Name: %19
 	Action: %31
 	Action Status:  %38
 	Error Code: %33
 	Error description: %34
 	Security intelligence Version: %41
 	Engine Version: %42

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`DetectionID`	—
`DetectionTime`	—
`Unused`	—
`Unused2`	—
`ThreatID`	—
`ThreatName`	—
`SeverityID`	—
`SeverityName`	—
`CategoryID`	—
`CategoryName`	—
`FWLink`	—
`StatusCode`	—
`StatusDescription`	—
`State`	—
`SourceID`	—
`SourceName`	—
`ProcessName`	—
`DetectionUser`	—
`Unused3`	—
`Path`	—
`OriginID`	—
`OriginName`	—
`ExecutionID`	—
`ExecutionName`	—
`TypeID`	—
`TypeName`	—
`PreExecutionStatus`	—
`ActionID`	—
`ActionName`	—
`Unused4`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused5`	—
`PostCleanStatus`	—
`AdditionalActionsID`	—
`AdditionalActionsString`	—
`RemediationUser`	—
`Unused6`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1119 — %1 has encountered a critical error when taking action on malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered a critical error when taking action on malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %39
 	Process Name: %19
 	Action: %31
 	Action Status:  %38
 	Error Code: %33
 	Error description: %34
 	Security intelligence Version: %41
 	Engine Version: %42

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`DetectionID`	—
`DetectionTime`	—
`Unused`	—
`Unused2`	—
`ThreatID`	—
`ThreatName`	—
`SeverityID`	—
`SeverityName`	—
`CategoryID`	—
`CategoryName`	—
`FWLink`	—
`StatusCode`	—
`StatusDescription`	—
`State`	—
`SourceID`	—
`SourceName`	—
`ProcessName`	—
`DetectionUser`	—
`Unused3`	—
`Path`	—
`OriginID`	—
`OriginName`	—
`ExecutionID`	—
`ExecutionName`	—
`TypeID`	—
`TypeName`	—
`PreExecutionStatus`	—
`ActionID`	—
`ActionName`	—
`Unused4`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused5`	—
`PostCleanStatus`	—
`AdditionalActionsID`	—
`AdditionalActionsString`	—
`RemediationUser`	—
`Unused6`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1120 — %1 has deduced the hashes for a threat resource.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has deduced the hashes for a threat resource.
 	Current Platform Version: %2
 	Threat resource path: %4
 	Hashes: %5

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`Threatresourcepath`	—
`Hashes`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1121 — Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: %4
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Target Commandline: %12
 	Parent Commandline: %13
 	Involved File: %14
 	Inheritance Flags: %15
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`DetectionTime`	—
`User`	—
`Path`	—
`ProcessName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—
`RuleType`	—
`TargetCommandline`	—
`ParentCommandline`	—
`InvolvedFile`	—
`InhertianceFlags`	—

Sigma Rules

LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
PSExec and WMI Process Creations Block
Detects blocking of process creations originating from PSExec and WMI commands

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1122 — Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: %4
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Target Commandline: %12
 	Parent Commandline: %13
 	Involved File: %14
 	Inheritance Flags: %15
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`DetectionTime`	—
`User`	—
`Path`	—
`ProcessName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—
`RuleType`	—
`TargetCommandline`	—
`ParentCommandline`	—
`InvolvedFile`	—
`InhertianceFlags`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1123 — %8 has been blocked from modifying %7 by Controlled Folder Access.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%8 has been blocked from modifying %7 by Controlled Folder Access.
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`DetectionTime`	—
`User`	—
`Path`	—
`ProcessName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1124 — %8 would have been blocked from modifying %7 by Controlled Folder Access.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%8 would have been blocked from modifying %7 by Controlled Folder Access.
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`DetectionTime`	—
`User`	—
`Path`	—
`ProcessName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1125 — Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
 	Detection time: %4
 	User: %5
 	Destination: %6
 	Process Name: %7

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`ID`	—
`DetectionTime`	—
`User`	—
`Destination`	—
`ProcessName`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1126 — Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
 	Detection time: %4
 	User: %5
 	Destination: %6
 	Process Name: %7

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`ID`	—
`DetectionTime`	—
`User`	—
`Destination`	—
`ProcessName`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1127 — Controlled Folder Access blocked %8 from making changes to memory.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

Controlled Folder Access blocked %8 from making changes to memory.
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`DetectionTime`	—
`User`	—
`Path`	—
`ProcessName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1128 — Controlled Folder Access would have blocked %8 from making changes to memory.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

Controlled Folder Access would have blocked %8 from making changes to memory.
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`DetectionTime`	—
`User`	—
`Path`	—
`ProcessName`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1129 — A user has allowed a blocked Microsoft Defender Exploit Guard operation.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

A user has allowed a blocked Microsoft Defender Exploit Guard operation.
 	ID: %4
 	User: %5
 	Path: %6
 	Process Name: %7
 	Involved File: %8

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`User`	—
`Path`	—
`ProcessName`	—
`InvolvedFile`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1130 — {Product Name} blocked a behavior by {Source app}.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} blocked a behavior by {Source app}.

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1131 — %1 has blocked an operation that your administrator doesn't allow.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has blocked an operation that your administrator doesn't allow.
 For more information please contact your IT administrator.
 	ID: %4
 	State: %5
 	Timestamp: %6
 	Action: %7
 	Process: %8
 	Source: %9
 	Target: %10
 	User: %11
 %Security intelligence Version: %12
 	Engine Version: %13
 	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`State`	—
`Timestamp`	—
`Action`	—
`Process`	—
`Source`	—
`Target`	—
`User`	—
`SignatureVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1132 — %1 has audited an operation.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has audited an operation.
 For more information please contact your IT administrator.
 	ID: %4
 	State: %5
 	Timestamp: %6
 	Action: %7
 	Process: %8
 	Source: %9
 	Target: %10
 	User: %11
 %Security intelligence Version: %12
 	Engine Version: %13
 	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ID`	—
`State`	—
`Timestamp`	—
`Action`	—
`Process`	—
`Source`	—
`Target`	—
`User`	—
`SignatureVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1133 — %1 has blocked an operation that your administrator doesn't allow.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has blocked an operation that your administrator doesn't allow.
For more information please contact your IT administrator.
	Policy Version: %4
	Policy Rule ID: %5
	Enforcement Level: %6
	Timestamp: %8
	Action Type: %9
	Process: %10
	Source: %11
	Target: %12
	Session ID: %13
	User SID: %14
%Security intelligence Version: %15
	Engine Version: %16
	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`PolicyVersion`	—
`PolicyRuleId`	—
`EnforcementLevel`	—
`AuditReason`	—
`EventTimestamp`	—
`ActionType`	—
`Process`	—
`Source`	—
`Target`	—
`SessionId`	—
`UserSid`	—
`SignatureVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1134 — %1 has audited an operation.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has audited an operation.
For more information please contact your IT administrator.
	Policy Version: %4
	Policy Rule ID: %5
	Enforcement Level: %6
	Audit Reason: %7
	Timestamp: %8
	Action Type: %9
	Process: %10
	Source: %11
	Target: %12
	Session ID: %13
	User SID: %14
%Security intelligence Version: %15
	Engine Version: %16
	Product Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`PolicyVersion`	—
`PolicyRuleId`	—
`EnforcementLevel`	—
`AuditReason`	—
`EventTimestamp`	—
`ActionType`	—
`Process`	—
`Source`	—
`Target`	—
`SessionId`	—
`UserSid`	—
`SignatureVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1150 — Endpoint Protection client is up and running in a healthy state.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

Endpoint Protection client is up and running in a healthy state.
 	Platform version: %2
 	Engine version: %4
 	Security intelligence version: %5

Fields

Name	Description
`Product Name`	—
`Platform version`	—
`Unused`	—
`Engine version`	—
`Security intelligence version`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 1150
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T23:33:02.683905+00:00'
  event_record_id: 136
  correlation: {}
  execution:
    process_id: 3332
    thread_id: 4248
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Platform version: 4.18.23090.2008
  Unused: ''
  Engine version: 1.1.23090.2007
  Security intelligence version: 1.399.1311.0
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1151 — Endpoint Protection client health report (time in UTC): Platform version: %2 Engine version: %4 Network Realtime Inspection engine version: %5 Anti...

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

Endpoint Protection client health report (time in UTC):
 	Platform version: %2
 	Engine version: %4
 	Network Realtime Inspection engine version: %5
 	Antivirus security intelligence version: %6
 	Antispyware security intelligence version: %7
 	Network Realtime Inspection security intelligence version: %8
 	RTP state: %9
 	OA state: %10
 	IOAV state: %11
 	BM state: %12
 	Antivirus security intelligence age: %13
 	Antispyware security intelligence age: %14
 	Last quick scan age: %15
 	Last full scan age: %16
 	Antivirus security intelligence creation time: %17
 	Antispyware security intelligence creation time: %18
 	Last quick scan start time: %19
 	Last quick scan end time: %20
 	Last quick scan source: %21
 	Last full scan start time: %22
 	Last full scan end time: %23
 	Last full scan source: %24
 	Product status: %25

Fields

Name	Description
`Product Name`	—
`Platform version`	—
`Unused`	—
`Engine version`	—
`NRI engine version`	—
`AV security intelligence version`	—
`AS security intelligence version`	—
`NRI security intelligence version`	—
`RTP state`	—
`OA state`	—
`IOAV state`	—
`BM state`	—
`Last AV security intelligence age`	—
`Last AS security intelligence age`	—
`Last quick scan age`	—
`Last full scan age`	—
`AV security intelligence creation time`	—
`AS security intelligence creation time`	—
`Last quick scan start time`	—
`Last quick scan end time`	—
`Last quick scan source`	—
`Last full scan start time`	—
`Last full scan end time`	—
`Last full scan source`	—
`Product status`	—
`Latest engine version`	—
`Engine up-to-date`	—
`Latest platform version`	—
`Platform up-to-date`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 1151
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:33:02.916969+00:00'
  event_record_id: 160
  correlation: {}
  execution:
    process_id: 3332
    thread_id: 7940
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Platform version: 4.18.23090.2008
  Unused: ''
  Engine version: 1.1.23090.2007
  NRI engine version: 1.1.23090.2007
  AV security intelligence version: 1.399.1311.0
  AS security intelligence version: 1.399.1311.0
  NRI security intelligence version: 1.399.1311.0
  RTP state: Disabled
  OA state: Disabled
  IOAV state: Disabled
  BM state: Disabled
  Last AV security intelligence age: '11'
  Last AS security intelligence age: '11'
  Last quick scan age: '4294967295'
  Last full scan age: '4294967295'
  AV security intelligence creation time: '2023-10-25T15:24:36Z'
  AS security intelligence creation time: '2023-10-25T15:24:36Z'
  Last quick scan start time: '1601-01-01T00:00:00Z'
  Last quick scan end time: '1601-01-01T00:00:00Z'
  Last quick scan source: '0'
  Last full scan start time: '1601-01-01T00:00:00Z'
  Last full scan end time: '1601-01-01T00:00:00Z'
  Last full scan source: '0'
  Product status: '0x00080000'
  Latest engine version: 1.1.23090.2007
  Engine up-to-date: '0'
  Latest platform version: 4.18.23090.2008
  Platform up-to-date: '1'
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1160 — %1 has detected potentially unwanted application(PUA).

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has detected potentially unwanted application(PUA).
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %20
 	Process Name: %19
 	Security intelligence Version: %41
 	Engine Version: %42

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`DetectionID`	—
`DetectionTime`	—
`Unused`	—
`Unused2`	—
`ThreatID`	—
`ThreatName`	—
`SeverityID`	—
`SeverityName`	—
`CategoryID`	—
`CategoryName`	—
`FWLink`	—
`StatusCode`	—
`StatusDescription`	—
`State`	—
`SourceID`	—
`SourceName`	—
`ProcessName`	—
`DetectionUser`	—
`Unused3`	—
`Path`	—
`OriginID`	—
`OriginName`	—
`ExecutionID`	—
`ExecutionName`	—
`TypeID`	—
`TypeName`	—
`PreExecutionStatus`	—
`ActionID`	—
`ActionName`	—
`Unused4`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused5`	—
`PostCleanStatus`	—
`AdditionalActionsID`	—
`AdditionalActionsString`	—
`RemediationUser`	—
`Unused6`	—
`SecurityintelligenceVersion`	—
`EngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2000 — %1 security intelligence version updated.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 security intelligence version updated.
 	Current security intelligence Version: %3
 	Previous security intelligence Version: %4
 	Security intelligence Type: %12
 	Update Type: %14
 	User: %8\%9
 	Current Engine Version: %15
 	Previous Engine Version: %16

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Current security intelligence Version`	—
`Previous security intelligence Version`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Domain`	—
`User`	—
`SID`	—
`Security intelligence Type Index`	—
`Security intelligence Type`	—
`Update Type Index`	—
`Update Type`	—
`Current Engine Version`	—
`Previous Engine Version`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 2000
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-10-25T21:44:41.065306+00:00'
  event_record_id: 38
  correlation: {}
  execution:
    process_id: 2976
    thread_id: 4276
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.2201.11
  Current security intelligence Version: 1.399.1311.0
  Previous security intelligence Version: 1.321.69.0
  Unused: ''
  Unused2: ''
  Unused3: ''
  Domain: NT AUTHORITY
  User: SYSTEM
  SID: S-1-5-18
  Security intelligence Type Index: '2'
  Security intelligence Type: AntiSpyware
  Update Type Index: '1'
  Update Type: Full
  Current Engine Version: 1.1.23090.2007
  Previous Engine Version: 1.1.17300.4
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2001 — %1 has encountered an error trying to update security intelligence.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to update security intelligence.
 	New security intelligence Version: %3
 	Previous security intelligence Version: %4
 	Update Source: %6
 	Security intelligence Type: %12
 	Update Type: %14
 	User: %8\%9
 	Current Engine Version: %15
 	Previous Engine Version: %16
 	Error code: %17
 	Error description: %18

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`CurrentsecurityintelligenceVersion`	—
`PrevioussecurityintelligenceVersion`	—
`UpdateSourceIndex`	—
`UpdateSource`	—
`Unused`	—
`Domain`	—
`User`	—
`SID`	—
`SecurityintelligenceTypeIndex`	—
`SecurityintelligenceType`	—
`UpdateTypeIndex`	—
`UpdateType`	—
`CurrentEngineVersion`	—
`PreviousEngineVersion`	—
`ErrorCode`	—
`ErrorDescription`	—
`UpdateStateIndex`	—
`UpdateState`	—
`SourcePath`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2002 — %1 engine version has been updated.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 engine version has been updated.
 	Current Engine Version: %3
 	Previous Engine Version: %4
 	User: %8\%9

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Current Engine Version`	—
`Previous Engine Version`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Domain`	—
`User`	—
`SID`	—
`Unused4`	—
`Unused5`	—
`Feature Index`	—
`Feature Name`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 2002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-10-25T21:44:41.062981+00:00'
  event_record_id: 36
  correlation: {}
  execution:
    process_id: 2976
    thread_id: 4276
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.2201.11
  Current Engine Version: 1.1.23090.2007
  Previous Engine Version: 1.1.17300.4
  Unused: ''
  Unused2: ''
  Unused3: ''
  Domain: NT AUTHORITY
  User: SYSTEM
  SID: S-1-5-18
  Unused4: ''
  Unused5: ''
  Feature Index: '0'
  Feature Name: Antimalware
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2003 — %1 has encountered an error trying to update the engine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to update the engine.
 	New Engine Version: %3
 	Previous Engine Version: %4
 	User: %8\%9
 	Error Code: %11
 	Error description: %12

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`CurrentEngineVersion`	—
`PreviousEngineVersion`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Domain`	—
`User`	—
`SID`	—
`ErrorCode`	—
`ErrorDescription`	—
`UpdateStateIndex`	—
`UpdateState`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2004 — %1 has encountered an error trying to update security intelligence and will attempt to revert to a previous version.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to update security intelligence and will attempt to revert to a previous version.
 	Security intelligence Attempted: %4
 	Error Code: %5
 	Error description: %6
 	Security intelligence Version: %9
 	Engine Version: %10

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`SecurityintelligenceAttemptedIndex`	—
`SecurityintelligenceAttempted`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused`	—
`Unused2`	—
`Loadingsecurityintelligenceversion`	—
`Loadingengineversion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2005 — %1 could not load antimalware engine because current platform version is not supported.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 could not load antimalware engine because current platform version is not supported. %1 will revert back to the last known-good engine and a platform update will be attempted.
 	Current Platform Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2006 — %1 has encountered an error trying to update the platform.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to update the platform.
 	Current Platform Version: %2
 	Error code: %4
 	Error description: %5

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ErrorCode`	—
`ErrorDescription`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2007 — %1 will soon require a newer platform version to support future versions of the antimalware engine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 will soon require a newer platform version to support future versions of the antimalware engine. Download the latest %1 platform to maintain the best level of protection available.
 	Current Platform Version: %2

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2008 — %1 platform update update to %4 is paused due to system activity.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 platform update update to %4 is paused due to system activity. For more details see the latest MpLog*.log entry under ProgramData.

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`NewPlatformVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2009 — %1 platform update to %4 has resumed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 platform update to %4 has resumed.

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`NewPlatformVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2010 — %1 used cloud protection to get additional security intelligence.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 used cloud protection to get additional security intelligence.
 	Current security intelligence Version: %3
 	Security intelligence Type: %12
 	User: %8\%9
 	Current Engine Version: %15
 	Cloud protection intelligence Type: %23
 	Persistence Path: %24
 	Cloud protection intelligence Version: %25
 	Cloud protection intelligence Compilation Timestamp: %26
 	Persistence Limit Type: %28
 	Persistence Limit: %29

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Current security intelligence Version`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Unused4`	—
`Domain`	—
`User`	—
`SID`	—
`Security intelligence Type Index`	—
`Security intelligence Type`	—
`Unused5`	—
`Unused6`	—
`Current Engine Version`	—
`Unused7`	—
`Unused8`	—
`Unused9`	—
`Unused10`	—
`Unused11`	—
`Unused12`	—
`Cloud protection intelligence Type Index`	—
`Cloud protection intelligence Type`	—
`Persistence Path`	—
`Cloud protection intelligence Version`	—
`Cloud protection intelligence Compilation Timestamp`	—
`Persistence Limit Type Index`	—
`Persistence Limit Type`	—
`Persistence Limit Value`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 2010
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:34:04.823948+00:00'
  event_record_id: 162
  correlation: {}
  execution:
    process_id: 3332
    thread_id: 12556
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.23090.2008
  Current security intelligence Version: 1.399.1311.0
  Unused: ''
  Unused2: ''
  Unused3: ''
  Unused4: ''
  Domain: ''
  User: ''
  SID: ''
  Security intelligence Type Index: '0'
  Security intelligence Type: ''
  Unused5: ''
  Unused6: ''
  Current Engine Version: 1.1.23090.2007
  Unused7: ''
  Unused8: ''
  Unused9: ''
  Unused10: ''
  Unused11: ''
  Unused12: ''
  Cloud protection intelligence Type Index: '1'
  Cloud protection intelligence Type: Security intelligence update
  Persistence Path: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\data\2c120ea46d796db0984b96884f1a90a8dab2bfe3
  Cloud protection intelligence Version: 0.0.0.0
  Cloud protection intelligence Compilation Timestamp: 11/6/2023 1:34:04 AM
  Persistence Limit Type Index: '2'
  Persistence Limit Type: Duration
  Persistence Limit Value: '100000'
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2011 — %1 used cloud protection to discard obsolete security intelligence updates.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 used cloud protection to discard obsolete security intelligence updates.
 	Current security intelligence Version: %3
 	Security intelligence Type: %12
 	Current Engine Version: %15
 	Cloud protection intelligence Type: %23
 	Persistence Path: %24
 	Cloud protection intelligence Version: %25
 	Cloud protection intelligence Compilation Timestamp: %26
 	Removal Reason: %31
 	Persistence Limit Type: %28
 	Persistence Limit: %29

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`CurrentsecurityintelligenceVersion`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Unused4`	—
`Domain`	—
`User`	—
`SID`	—
`SecurityintelligenceTypeIndex`	—
`SecurityintelligenceType`	—
`Unused5`	—
`Unused6`	—
`CurrentEngineVersion`	—
`Unused7`	—
`Unused8`	—
`Unused9`	—
`Unused10`	—
`Unused11`	—
`Unused12`	—
`CloudprotectionintelligenceTypeIndex`	—
`CloudprotectionintelligenceType`	—
`PersistencePath`	—
`CloudprotectionintelligenceVersion`	—
`CloudprotectionintelligenceCompilationTimestamp`	—
`PersistenceLimitTypeIndex`	—
`PersistenceLimitType`	—
`PersistenceLimitValue`	—
`RemovalReasonIndex`	—
`RemovalReasonValue`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2012 — %1 has encountered an error trying to use cloud protection.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to use cloud protection.
 	Current security intelligence Version: %3
 	Security intelligence Type: %12
 	User: %8\%9
 	Current Engine Version: %15
 	Error code: %17
 	Error description: %18 	Cloud protection intelligence Type: %23
 	Persistence Path: %24
 	Cloud protection intelligence Version: %25
 	Cloud protection intelligence Compilation Timestamp: %26
 	Persistence Limit Type: %28
 	Persistence Limit: %29

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`CurrentsecurityintelligenceVersion`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Unused4`	—
`Domain`	—
`User`	—
`SID`	—
`SecurityintelligenceTypeIndex`	—
`SecurityintelligenceType`	—
`Unused5`	—
`Unused6`	—
`CurrentEngineVersion`	—
`Unused7`	—
`ErrorCode`	—
`ErrorDescription`	—
`Unused8`	—
`Unused9`	—
`Unused10`	—
`CloudprotectionintelligenceTypeIndex`	—
`CloudprotectionintelligenceType`	—
`PersistencePath`	—
`CloudprotectionintelligenceVersion`	—
`CloudprotectionintelligenceCompilationTimestamp`	—
`PersistenceLimitTypeIndex`	—
`PersistenceLimitType`	—
`PersistenceLimitValue`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2013 — %1 discarded all cloud protection intelligence.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 discarded all cloud protection intelligence.
 	User: %8\%9
 	Current Engine Version: %15

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`CurrentsecurityintelligenceVersion`	—
`Unused`	—
`Unused2`	—
`Unused3`	—
`Unused4`	—
`Domain`	—
`User`	—
`SID`	—
`SecurityintelligenceTypeIndex`	—
`SecurityintelligenceType`	—
`Unused5`	—
`Unused6`	—
`CurrentEngineVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2014 — %1 platform update to %2 has succeeded.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 platform update to %2 has succeeded.

Fields

Name	Description
`Product Name`	—
`Product Version`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 2014
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-10-25T21:49:53.778165+00:00'
  event_record_id: 58
  correlation: {}
  execution:
    process_id: 1332
    thread_id: 4624
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.23090.2008
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2020 — {Product Name} downloaded a clean file.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} downloaded a clean file. 	Filename: {Filename} 	Current Signature Version: {Current Signature Version} 	Current Engine Version: {Current Engine Version}

Fields

Name	Description
`Filename`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2021 — {Product Name} has encountered an error trying to download a clean file.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} has encountered an error trying to download a clean file. 	Filename: {Filename} 	Current Signature Version: {Current Signature Version} 	Current Engine Version: {Current Engine Version} 	Error code: {Error Code} 	Error description: {Error Description}

Fields

Name	Description
`Filename`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2030 — %1 downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot.

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2031 — %1 has encountered an error trying to download and configure Microsoft Defender Antivirus (offline scan).

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to download and configure Microsoft Defender Antivirus (offline scan).
	Error code: %4
	Error description: %5

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Unused`	—
`ErrorCode`	—
`ErrorDescription`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2040 — The support for your operating system will expire shortly.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

The support for your operating system will expire shortly. Running %1 on an out of support operating system is not an adequate solution to protect against threats.

Fields

Name	Description
`ProductName`	—
`Unused`	—
`Unused2`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2041 — The support for your operating system has expired.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

The support for your operating system has expired. Running %1 on an out of support operating system is not an adequate solution to protect against threats.

Fields

Name	Description
`ProductName`	—
`Unused`	—
`Unused2`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2042 — The support for your operating system has expired.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

The support for your operating system has expired. %1 is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

Fields

Name	Description
`ProductName`	—
`Unused`	—
`Unused2`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2050 — %1 has uploaded a file for further analysis.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has uploaded a file for further analysis.
 	Filename: %3
 	Sha256: %4

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Filename`	—
`Sha256`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2051 — %1 has encountered an error trying to upload a suspicious file for further analysis.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 has encountered an error trying to upload a suspicious file for further analysis.
 	Filename: %3
 	Sha256: %4
 	Current security intelligence Version: %5
 	Current Engine Version: %6
 	Error code: %7

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Filename`	—
`Sha256`	—
`CurrentsecurityintelligenceVersion`	—
`CurrentEngineVersion`	—
`ErrorCode`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3000 — {Product Name} Real-Time Protection agents have started.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} Real-Time Protection agents have started. 	User: {Domain}\{User}

Fields

Name	Description
`Domain`	—
`User`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3001 — {Product Name}Real-Time Protection agents have stopped.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name}Real-Time Protection agents have stopped. 	User: {Domain}\{User}

Fields

Name	Description
`Domain`	—
`User`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3002 — %1 Real-Time Protection feature has encountered an error and failed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 Real-Time Protection feature has encountered an error and failed.
 	Feature: %3
 	Error Code: %5
 	Error description: %6
 	Reason: %4

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`FeatureName`	—
`Reason`	—
`ErrorCode`	—
`ErrorDescription`	—
`FeatureID`	—

Sigma Rules

Windows Defender Real-Time Protection Failure/Restart
Detects issues with Windows Defender Real-Time Protection features

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3003 — {Product Name} Real-Time Protection checkpoint has encountered an error and failed to start.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} Real-Time Protection checkpoint has encountered an error and failed to start. 	User: {Domain}\{User} 	Checkpoint ID: {Checkpoint} 	Error Code: {Error Code} 	Error description: {Error Description}

Fields

Name	Description
`Domain`	—
`User`	—
`Checkpoint`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3004 — {Product Name} Real-Time Protection agent has detected changes.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. {Product Name} can't undo changes that you allow. For more information please see the following:{Product Name}5 	Scan ID: {Scan ID} 	User: {Domain}\{User} 	Name: {Product Name}1 	ID: {Product Name}2 	Severity ID: {Product Name}3 	Category ID: {Product Name}4 	Path Found: {Product Name}6 	Alert Type: {Product Name}8 	Detection Type: {Product Version}2

Fields

Name	Description
`Domain`	—
`User`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3005 — {Product Name} Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software. For more information please see the following:{Product Name}5 	Scan ID: {Scan ID} 	User: {Domain}\{User} 	Name: {Product Name}1 	ID: {Product Name}2 	Severity ID: {Product Name}3 	Category ID: {Product Name}4 	Alert Type: {Product Name}8 	Action: {Product Version}0

Fields

Name	Description
`Domain`	—
`User`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3006 — {Product Name} Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following:{Product Name}5 	Scan ID: {Scan ID} 	User: {Domain}\{User} 	Name: {Product Name}1 	ID: {Product Name}2 	Severity ID: {Product Name}3 	Category ID: {Product Name}4 	Path: {Product Name}6 	Alert Type: {Product Name}8 	Action: {Product Version}0 	Error Code: {Product Version}1 	Error description: {Product Version}2

Fields

Name	Description
`Domain`	—
`User`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3007 — %1 Real-time Protection feature has restarted.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 Real-time Protection feature has restarted. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
 	Feature: %3
 	Reason: %4

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`FeatureName`	—
`Reason`	—
`Unused`	—
`Unused2`	—
`FeatureID`	—

Sigma Rules

Windows Defender Real-Time Protection Failure/Restart
Detects issues with Windows Defender Real-Time Protection features

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 4000 — {Product Name} AV OnAccess Filter has detected spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} AV OnAccess Filter has detected spyware or other potentially unwanted software. For more information please see the following:{Product Name}5 	Scan ID: {param2} 	User: {param7}\{param8} 	Name: {Product Name}1 	ID: {Product Name}2 	Severity ID: {Product Name}3 	Category ID: {Product Name}4 	Path Found: {Product Name}6 	Local Copy Path: {Product Name}7 	Process Name: {Product Name}8 	Detection Type: {param1}2

Fields

Name	Description
`param2`	—
`param7`	—
`param8`	—
`param1`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 4002 — {param1} AV OnAccess Filter has taken action to protect this machine from detected spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{param1} AV OnAccess Filter has taken action to protect this machine from detected spyware or other potentially unwanted software. For more information please see the following:{param1}5 	Scan ID: {param3} 	User: {param8}\{param9} 	Name: {param1}1 	ID: {param1}2 	Severity ID: {param1}3 	Category ID: {param1}4 	Action: {param2}0

Fields

Name	Description
`param1`	—
`param3`	—
`param8`	—
`param9`	—
`param2`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 4003 — {param1} AV OnAccess Filter has encountered an error when taking action on detected spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{param1} AV OnAccess Filter has encountered an error when taking action on detected spyware or other potentially unwanted software. For more information please see the following:{param1}5 	Scan ID: {param3} 	User: {param8}\{param9} 	Name: {param1}1 	ID: {param1}2 	Severity ID: {param1}3 	Category ID: {param1}4 	Path: {param1}6 	Action: {param2}0 	Error Code: {param2}1 	Error Description: {param2}2

Fields

Name	Description
`param1`	—
`param3`	—
`param8`	—
`param9`	—
`param2`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5000 — %1 Real-time Protection scanning for malware and other potentially unwanted software was enabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 Real-time Protection scanning for malware and other potentially unwanted software was enabled.

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5001 — %1 Real-time Protection scanning for malware and other potentially unwanted software was disabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 Real-time Protection scanning for malware and other potentially unwanted software was disabled.

Fields

Name	Description
`Product Name`	—
`Product Version`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 5001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:11:26.945147+00:00'
  event_record_id: 150
  correlation: {}
  execution:
    process_id: 3332
    thread_id: 9444
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.23090.2008
message: ''

Sigma Rules

Windows Defender Real-time Protection Disabled
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5002 — {param1} OnAccess scanning for viruses was enabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{param1} OnAccess scanning for viruses was enabled.

Fields

Name	Description
`param1`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5003 — {param1} OnAccess scanning for viruses was disabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{param1} OnAccess scanning for viruses was disabled.

Fields

Name	Description
`param1`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5004 — %1 Real-time Protection feature configuration has changed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 Real-time Protection feature configuration has changed.
 	Feature: %3
 	Configuration: %4

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Feature Name`	—
`Configuration`	—
`Unused`	—
`Feature ID`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 5004
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-10-25T21:49:40.464437+00:00'
  event_record_id: 56
  correlation: {}
  execution:
    process_id: 1004
    thread_id: 912
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.2201.11
  Feature Name: Network Inspection System
  Configuration: '0'
  Unused: ''
  Feature ID: '9'
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5005 — {Product Name} Real-time Protection checkpoint configuration has changed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} Real-time Protection checkpoint configuration has changed. 	Checkpoint: {Checkpoint} 	Configuration: {Configuration}

Fields

Name	Description
`Checkpoint`	—
`Configuration`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5006 — {param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled - Please restart the service.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled - Please restart the service.

Fields

Name	Description
`param1`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5007 — %1 Configuration has changed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: 4
Samples: 1

Message

%1 Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
 	Old value: %3
 	New value: %4

Fields

Name	Description
`Product Name`	—
`Product Version`	—
`Old Value`	—
`New Value`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Defender
  guid: 11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78
  event_source_name: ''
  event_id: 5007
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:45.697776+00:00'
  event_record_id: 113
  correlation: {}
  execution:
    process_id: 3944
    thread_id: 4488
  channel: Microsoft-Windows-Windows Defender/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Product Name: Microsoft Defender Antivirus
  Product Version: 4.18.23090.2008
  Old Value: Default\IsServiceRunning = 0x0
  New Value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1
message: ''

Sigma Rules

Windows Defender Exclusions Added
Detects the Setting of Windows Defender Exclusions
Windows Defender Exploit Guard Tamper
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Windows Defender Configuration Changes
Detects suspicious changes to the Windows Defender configuration

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5008 — %1 engine has been terminated due to an unexpected error.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 engine has been terminated due to an unexpected error.
 	Failure Type: %5
 	Exception code: %6
 	Resource: %3
 	Engine Code: %7

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Resource`	—
`FailureTypeIndex`	—
`FailureType`	—
`ExceptionCode`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5009 — %1 scanning for spyware and other potentially unwanted software has been enabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 scanning for spyware and other potentially unwanted software has been enabled.

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5010 — %1 scanning for spyware and other potentially unwanted software is disabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 scanning for spyware and other potentially unwanted software is disabled.

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—

Sigma Rules

Windows Defender Malware And PUA Scanning Disabled
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5011 — %1 scanning for viruses has been enabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 scanning for viruses has been enabled.

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5012 — %1 scanning for viruses is disabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 scanning for viruses is disabled.

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—

Sigma Rules

Windows Defender Virus Scanning Feature Disabled
Detects disabling of the Windows Defender virus scanning feature

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5013 — Tamper Protection %3 a change to %1.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

Tamper Protection %3 a change to %1.
 	Value: %4

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`ChangedType`	—
`Value`	—

Sigma Rules

Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5014 — %1 Resource Monitor: Memory consumption exceeded its limit.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 Resource Monitor: Memory consumption exceeded its limit.
 	Hit count:  %3
 	Current Threshold:  %4

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`HitCount`	—
`Threshold`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5015 — %1 Resource Monitor: CPU utilization exceeded its limit.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 Resource Monitor: CPU utilization exceeded its limit.
 	Hit count:  %3
 	Current Threshold:  %4

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`HitCount`	—
`Threshold`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5016 — %1 service seemed to be hung during shutdown.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 service seemed to be hung during shutdown.
 	Timout (seconds):  %3
 	Component:  %4
 	Self-terminated:  %5

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`Timeout`	—
`Component`	—
`Crashed`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5017 — %1 service feature has encountered an error and failed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

%1 service feature has encountered an error and failed.
 	Feature: %3
  	Failure Reason: %5
 	Recommended Mitigation: %6
 	Error Code: %7
 	Error description: %8

Fields

Name	Description
`ProductName`	—
`ProductVersion`	—
`FeatureName`	—
`FailureId`	—
`FailureReason`	—
`Recommendation`	—
`ErrorCode`	—
`ErrorDescription`	—

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5100 — {Product Name} has entered a grace period and will soon expire.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} has entered a grace period and will soon expire. After expiration; this program will disable protection against viruses; spyware; and other potentially unwanted software. 	Expiration Reason: {Expiration Reason} 	Expiration Date (UTC): {Expiration Date (UTC)}

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5101 — {Product Name} grace period has expired.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message

{Product Name} grace period has expired. Protection against viruses; spyware; and other potentially unwanted software is disabled. 	Expiration Reason: {Expiration Reason} 	Expiration Date (UTC): {Expiration Date (UTC)} 	Error Code: {Error Code} 	Error Description: {Error Description}

References

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/