Microsoft-Windows-Windows Defender

94 events across 2 channels

Event ID	Title	Channel
101	Microsoft Defender Antivirus state updated to hc_stateid.	WHC
1000	Product Name scan has started.	Operational
1001	Product Name scan has finished.	Operational
1002	Product Name scan has been stopped before completion.	Operational
1003	ProductName scan has been paused.	Operational
1004	ProductName scan has resumed.	Operational
1005	ProductName scan has encountered an error and terminated.	Operational
1006	ProductName has detected malware or other potentially unwanted software.	Operational
1007	ProductName has taken action to protect this machine from malware or other …	Operational
1008	ProductName has encountered an error when taking action on malware or other …	Operational
1009	ProductName has restored an item from quarantine.	Operational
1010	ProductName has encountered an error trying to restore an item from quarantine.	Operational
1011	ProductName has deleted an item from quarantine.	Operational
1012	ProductName has encountered an error trying to delete an item from quarantine.	Operational
1013	Product Name has removed history of malware and other potentially unwanted …	Operational
1014	ProductName has encountered an error trying to remove history of malware and …	Operational
1015	ProductName has detected a suspicious behavior.	Operational
1116	Product Name has detected malware or other potentially unwanted software.	Operational
1117	Product Name has taken action to protect this machine from malware or other …	Operational
1118	ProductName has encountered a non-critical error when taking action on malware …	Operational
1119	ProductName has encountered a critical error when taking action on malware or …	Operational
1120	ProductName has deduced the hashes for a threat resource.	Operational
1121	Microsoft Defender Exploit Guard has blocked an operation that is not allowed by …	Operational
1122	Microsoft Defender Exploit Guard audited an operation that is not allowed by …	Operational
1123	ProcessName has been blocked from modifying Path by Controlled Folder Access.	Operational
1124	ProcessName would have been blocked from modifying Path by Controlled Folder …	Operational
1125	Your IT administrator would have caused Microsoft Defender Exploit Guard to …	Operational
1126	Your IT administrator has caused Microsoft Defender Exploit Guard to block a …	Operational
1127	Controlled Folder Access blocked ProcessName from making changes to memory.	Operational
1128	Controlled Folder Access would have blocked ProcessName from making changes to …	Operational
1129	A user has allowed a blocked Microsoft Defender Exploit Guard operation.	Operational
1130	{Product Name} blocked a behavior by {Source app}.	Operational
1131	ProductName has blocked an operation that your administrator doesn't allow.	Operational
1132	ProductName has audited an operation.	Operational
1133	ProductName has blocked an operation that your administrator doesn't allow.	Operational
1134	ProductName has audited an operation.	Operational
1150	Endpoint Protection client is up and running in a healthy state.	Operational
1151	Endpoint Protection client health report (time in UTC).	Operational
1160	ProductName has detected potentially unwanted application(PUA).	Operational
2000	Product Name security intelligence version updated.	Operational
2001	Product Name has encountered an error trying to update security intelligence.	Operational
2002	Product Name engine version has been updated.	Operational
2003	ProductName has encountered an error trying to update the engine.	Operational
2004	ProductName has encountered an error trying to update security intelligence and …	Operational
2005	ProductName could not load antimalware engine because current platform version …	Operational
2006	ProductName has encountered an error trying to update the platform.	Operational
2007	ProductName will soon require a newer platform version to support future …	Operational
2008	ProductName platform update update to NewPlatformVersion is paused due to system …	Operational
2009	ProductName platform update to NewPlatformVersion has resumed.	Operational
2010	Product Name used cloud protection to get additional security intelligence.	Operational
2011	ProductName used cloud protection to discard obsolete security intelligence …	Operational
2012	ProductName has encountered an error trying to use cloud protection.	Operational
2013	ProductName discarded all cloud protection intelligence.	Operational
2014	Product Name platform update to Product Version has succeeded.	Operational
2020	{Product Name} downloaded a clean file.	Operational
2021	{Product Name} has encountered an error trying to download a clean file.	Operational
2030	ProductName downloaded and configured Microsoft Defender Antivirus (offline …	Operational
2031	ProductName has encountered an error trying to download and configure Microsoft …	Operational
2040	The support for your operating system will expire shortly.	Operational
2041	The support for your operating system has expired.	Operational
2042	The support for your operating system has expired.	Operational
2050	Product Name has uploaded a file for further analysis.	Operational
2051	ProductName has encountered an error trying to upload a suspicious file for …	Operational
3000	{Product Name} Real-Time Protection agents have started.	Operational
3001	{Product Name}Real-Time Protection agents have stopped.	Operational
3002	ProductName Real-Time Protection feature has encountered an error and failed.	Operational
3003	{Product Name} Real-Time Protection checkpoint has encountered an error and …	Operational
3004	{Product Name} Real-Time Protection agent has detected changes.	Operational
3005	{Product Name} Real-Time Protection agent has taken action to protect this …	Operational
3006	{Product Name} Real-Time Protection agent has encountered an error when taking …	Operational
3007	ProductName Real-time Protection feature has restarted.	Operational
4000	{Product Name} AV OnAccess Filter has detected spyware or other potentially …	Operational
4002	{param1} AV OnAccess Filter has taken action to protect this machine from …	Operational
4003	{param1} AV OnAccess Filter has encountered an error when taking action on …	Operational
5000	ProductName Real-time Protection scanning for malware and other potentially …	Operational
5001	Product Name Real-time Protection scanning for malware and other potentially …	Operational
5002	{param1} OnAccess scanning for viruses was enabled.	Operational
5003	{param1} OnAccess scanning for viruses was disabled.	Operational
5004	Product Name Real-time Protection feature configuration has changed.	Operational
5005	{Product Name} Real-time Protection checkpoint configuration has changed.	Operational
5006	{param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled …	Operational
5007	Product Name Configuration has changed.	Operational
5008	ProductName engine has been terminated due to an unexpected error.	Operational
5009	ProductName scanning for spyware and other potentially unwanted software has …	Operational
5010	ProductName scanning for spyware and other potentially unwanted software is …	Operational
5011	ProductName scanning for viruses has been enabled.	Operational
5012	ProductName scanning for viruses is disabled.	Operational
5013	Tamper Protection Changed Type a change to Product Name.	Operational
5014	ProductName Resource Monitor: Memory consumption exceeded its limit.	Operational
5015	ProductName Resource Monitor: CPU utilization exceeded its limit.	Operational
5016	ProductName service seemed to be hung during shutdown.	Operational
5017	Product Name service feature has encountered an error and failed.	Operational
5100	{Product Name} has entered a grace period and will soon expire.	Operational
5101	{Product Name} grace period has expired.	Operational

Event ID 101 — Microsoft Defender Antivirus state updated to hc_stateid.

Provider: Microsoft-Windows-Windows Defender
Channel: WHC

Description

Microsoft Defender Antivirus state updated to hc_stateid.

Message #

Microsoft Defender Antivirus state updated to %1.

Fields #

Name	Description
`hc_stateid` UInt32	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1000 — Product Name scan has started.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name scan has started.

Message #

%1 scan has started.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	Scan Resources: %11
  	User: %8\%9
 	Scan Trigger: %13
 	Scan Only If Idle: %14
 	Low CPU Priority for Scans: %15
 	Thread Priority: %16

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Scan ID` UnicodeString	—
`Scan Type Index` UnicodeString	—
`Scan Type` UnicodeString	—
`Scan Parameters Index` UnicodeString	—
`Scan Parameters` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`Scan Resources` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:03:12.968279+00:00",
    "event_record_id": 32,
    "correlation": {},
    "execution": {
      "process_id": 2680,
      "thread_id": 2860
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2104.5",
    "Scan ID": "{CE345D2C-02E3-48B3-8683-BF64336A98E7}",
    "Scan Type Index": "1",
    "Scan Type": "Antimalware",
    "Scan Parameters Index": "1",
    "Scan Parameters": "Quick Scan",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18",
    "Scan Resources": ""
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1001 — Product Name scan has finished.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name scan has finished.

Message #

%1 scan has finished.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9
 	Scan Time: %11:%12:%13

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Scan ID` UnicodeString	—
`Scan Type Index` UnicodeString	—
`Scan Type` UnicodeString	—
`Scan Parameters Index` UnicodeString	—
`Scan Parameters` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`Scan Time Hours` UnicodeString	—
`Scan Time Minutes` UnicodeString	—
`Scan Time Seconds` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-04T14:09:02.003645+00:00",
    "event_record_id": 102,
    "correlation": {
      "ActivityID": "5F56C890-B44B-432D-8EF6-FB4D94734C2D"
    },
    "execution": {
      "process_id": 1796,
      "thread_id": 3036
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2202.4",
    "Scan ID": "{7749FCE9-BEE7-43EC-991B-C0ADC46B93C1}",
    "Scan Type Index": "1",
    "Scan Type": "Antimalware",
    "Scan Parameters Index": "1",
    "Scan Parameters": "Quick Scan",
    "Domain": "WIN-TKC15D7KHUR",
    "User": "Administrator",
    "SID": "S-1-5-21-1958040314-2592322477-2606035944-500",
    "Scan Time Hours": "0",
    "Scan Time Minutes": "02",
    "Scan Time Seconds": "25"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1002 — Product Name scan has been stopped before completion.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Warning

Description

Product Name scan has been stopped before completion.

Message #

%1 scan has been stopped before completion.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
  	User: %8\%9
 	Stop Reason: %12

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Scan ID` UnicodeString	—
`Scan Type Index` UnicodeString	—
`Scan Type` UnicodeString	—
`Scan Parameters Index` UnicodeString	—
`Scan Parameters` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1002,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:04:28.116951+00:00",
    "event_record_id": 33,
    "correlation": {},
    "execution": {
      "process_id": 2680,
      "thread_id": 2860
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2104.5",
    "Scan ID": "{CE345D2C-02E3-48B3-8683-BF64336A98E7}",
    "Scan Type Index": "1",
    "Scan Type": "Antimalware",
    "Scan Parameters Index": "1",
    "Scan Parameters": "Quick Scan",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1003 — ProductName scan has been paused.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName scan has been paused.

Message #

%1 scan has been paused.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`ScanID` UnicodeString	—
`ScanTypeIndex` UnicodeString	—
`ScanType` UnicodeString	—
`ScanParametersIndex` UnicodeString	—
`ScanParameters` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1004 — ProductName scan has resumed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName scan has resumed.

Message #

%1 scan has resumed.
 	Scan ID: %3
  	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`ScanID` UnicodeString	—
`ScanTypeIndex` UnicodeString	—
`ScanType` UnicodeString	—
`ScanParametersIndex` UnicodeString	—
`ScanParameters` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1005 — ProductName scan has encountered an error and terminated.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (NSA, others)

Description

ProductName scan has encountered an error and terminated.

Message #

%1 scan has encountered an error and terminated.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9
 	Error Code: %11
 	Error description: %12

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`ScanID` UnicodeString	—
`ScanTypeIndex` UnicodeString	—
`ScanType` UnicodeString	—
`ScanParametersIndex` UnicodeString	—
`ScanParameters` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1006 — ProductName has detected malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

ProductName has detected malware or other potentially unwanted software.

Message #

%1 has detected malware or other potentially unwanted software.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	Path Found: %16
 	Detection Type: %22
 	Detection Source: %5
 	Status: %20
 	User: %8\%9
 	Process Name: %7
 	Security intelligence Version: %27
 	Engine Version: %28

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`DetectionID` UnicodeString	—
`DetectionSourceIndex` UnicodeString	—
`DetectionSource` UnicodeString	—
`Unused` UnicodeString	—
`ProcessName` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`PathFound` UnicodeString	—
`DetectionOriginIndex` UnicodeString	—
`DetectionOrigin` UnicodeString	—
`ExecutionStatusIndex` UnicodeString	—
`ExecutionStatus` UnicodeString	—
`DetectionTypeIndex` UnicodeString	—
`DetectionType` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1007 — ProductName has taken action to protect this machine from malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

ProductName has taken action to protect this machine from malware or other potentially unwanted software.

Message #

%1 has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
%15
 	User: %8\%9
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	Action: %20
 	Status: %7
 	Security intelligence Version: %27
 	Engine Version: %28

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`DetectionID` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`StatusCode` UnicodeString	—
`StatusDescription` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`Path` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`CleaningActionIndex` UnicodeString	—
`CleaningAction` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1008 — ProductName has encountered an error when taking action on malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

ProductName has encountered an error when taking action on malware or other potentially unwanted software.

Message #

%1 has encountered an error when taking action on malware or other potentially unwanted software.
 For more information please see the following:
%15
 	User: %8\%9
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	Path: %16
 	Action: %20
 	Error Code: %21
 	Error description: %22
 	Status: %7
 	Security intelligence Version: %27
 	Engine Version: %28

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`DetectionID` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`StatusCode` UnicodeString	—
`StatusDescription` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`Path` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`CleaningActionIndex` UnicodeString	—
`CleaningAction` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1009 — ProductName has restored an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-WEF, others)

Description

ProductName has restored an item from quarantine.

Message #

%1 has restored an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Security intelligence Version: %27
 	Engine Version: %28

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Unused5` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`Path` UnicodeString	—
`Unused6` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`Unused11` UnicodeString	—
`Unused12` UnicodeString	—
`Unused13` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Win Defender Restored Quarantine File source high: Detects the restoration of files from the defender quarantine

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1010 — ProductName has encountered an error trying to restore an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (NSA, others)

Description

ProductName has encountered an error trying to restore an item from quarantine.

Message #

%1 has encountered an error trying to restore an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Error Code: %3
 	Error description: %4
 	Security intelligence Version: %27
 	Engine Version: %28

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`Path` UnicodeString	—
`Unused4` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`Unused11` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1011 — ProductName has deleted an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has deleted an item from quarantine.

Message #

%1 has deleted an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Security intelligence Version: %27
 	Engine Version: %28

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Unused5` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`Path` UnicodeString	—
`Unused6` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`Unused11` UnicodeString	—
`Unused12` UnicodeString	—
`Unused13` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1012 — ProductName has encountered an error trying to delete an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has encountered an error trying to delete an item from quarantine.

Message #

%1 has encountered an error trying to delete an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Error Code: %3
 	Error description: %4
 	Security intelligence Version: %27
 	Engine Version: %28

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`Path` UnicodeString	—
`Unused4` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`Unused11` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1013 — Product Name has removed history of malware and other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name has removed history of malware and other potentially unwanted software.

Message #

%1 has removed history of malware and other potentially unwanted software.
 	Time: %3
 	User: %8\%9

Fields #

Name	Description
`Product Name`	—
`Product Version`	—
`Timestamp` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1013,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T18:07:25.039591+00:00",
    "event_record_id": 1344,
    "correlation": {},
    "execution": {
      "process_id": 3784,
      "thread_id": 1608
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.26010.5",
    "Timestamp": "2026-02-22T18:07:23Z",
    "Unused": "",
    "Unused2": "",
    "Unused3": "",
    "Unused4": "",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Defender Malware Detection History Deletion source informational: Windows Defender logs when the history of detected infections is deleted.

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1014 — ProductName has encountered an error trying to remove history of malware and other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has encountered an error trying to remove history of malware and other potentially unwanted software.

Message #

%1 has encountered an error trying to remove history of malware and other potentially unwanted software.
 	Time: %3
 	User: %8\%9
 	Error Code: %4
 	Error description: %5

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Timestamp` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1015 — ProductName has detected a suspicious behavior.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender)

Description

ProductName has detected a suspicious behavior.

Message #

%1 has detected a suspicious behavior.
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	Path Found: %16
 	Detection Origin: %18
 	Detection Type: %22
 	Detection Source: %5
 	Status: %20
 	User: %8\%9
 	Process Name: %7
 	Security intelligence ID: %30
 	Security intelligence Version: %27
 	Engine Version: %28
 	Fidelity Label: %32
 	Target File Name: %36

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`DetectionID` UnicodeString	—
`DetectionSourceIndex` UnicodeString	—
`DetectionSource` UnicodeString	—
`Unused` UnicodeString	—
`ProcessName` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`PathFound` UnicodeString	—
`DetectionOriginIndex` UnicodeString	—
`DetectionOrigin` UnicodeString	—
`ExecutionStatusIndex` UnicodeString	—
`ExecutionStatus` UnicodeString	—
`DetectionTypeIndex` UnicodeString	—
`DetectionType` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—
`ProcessID` UnicodeString	—
`SecurityintelligenceID` UnicodeString	—
`FidelityValue` UnicodeString	—
`FidelityLabel` UnicodeString	—
`ImageFileHash` UnicodeString	—
`Unused4` UnicodeString	—
`Unused5` UnicodeString	—
`TargetFileName` UnicodeString	—
`TargetFileHash` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1116 — Product Name has detected malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Warning
Collection Priority: Recommended (Microsoft-Defender, others)

Description

Product Name has detected malware or other potentially unwanted software.

Message #

%1 has detected malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %20
 	Process Name: %19
 	Security intelligence Version: %41
 	Engine Version: %42

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Detection ID` UnicodeString	—
`Detection Time` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Threat ID` UnicodeString	—
`Threat Name` UnicodeString	—
`Severity ID` UnicodeString	—
`Severity Name` UnicodeString	—
`Category ID` UnicodeString	—
`Category Name` UnicodeString	—
`FWLink` UnicodeString	—
`Status Code` UnicodeString	—
`Status Description` UnicodeString	—
`State` UnicodeString	—
`Source ID` UnicodeString	—
`Source Name` UnicodeString	—
`Process Name` UnicodeString	—
`Detection User` UnicodeString	—
`Unused3` UnicodeString	—
`Path` UnicodeString	—
`Origin ID` UnicodeString	—
`Origin Name` UnicodeString	—
`Execution ID` UnicodeString	—
`Execution Name` UnicodeString	—
`Type ID` UnicodeString	—
`Type Name` UnicodeString	—
`Pre Execution Status` UnicodeString	—
`Action ID` UnicodeString	—
`Action Name` UnicodeString	—
`Unused4` UnicodeString	—
`Error Code` UnicodeString	—
`Error Description` UnicodeString	—
`Unused5` UnicodeString	—
`Post Clean Status` UnicodeString	—
`Additional Actions ID` UnicodeString	—
`Additional Actions String` UnicodeString	—
`Remediation User` UnicodeString	—
`Unused6` UnicodeString	—
`Signature Version`	—
`Engine Version` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1116,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-18T20:51:50.798995+00:00",
    "event_record_id": 102,
    "correlation": {
      "ActivityID": "40013F0F-EF76-4940-A8B2-4DE50BE9AAC3"
    },
    "execution": {
      "process_id": 6024,
      "thread_id": 6068
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "%%827",
    "Product Version": "4.18.1906.3",
    "Detection ID": "{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}",
    "Detection Time": "2019-07-18T20:40:16.697Z",
    "Unused": "",
    "Unused2": "",
    "Threat ID": "2147708292",
    "Threat Name": "HackTool:JS/Jsprat",
    "Severity ID": "4",
    "Severity Name": "High",
    "Category ID": "34",
    "Category Name": "Tool",
    "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0",
    "Status Code": "1",
    "Status Description": "",
    "State": "1",
    "Source ID": "3",
    "Source Name": "%%818",
    "Process Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Detection User": "MSEDGEWIN10\\IEUser",
    "Unused3": "",
    "Path": "containerfile:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0068)",
    "Origin ID": "1",
    "Origin Name": "%%845",
    "Execution ID": "1",
    "Execution Name": "%%813",
    "Type ID": "8",
    "Type Name": "%%862",
    "Pre Execution Status": "0",
    "Action ID": "9",
    "Action Name": "%%887",
    "Unused4": "",
    "Error Code": "0x00000000",
    "Error Description": "The operation completed successfully. ",
    "Unused5": "",
    "Post Clean Status": "0",
    "Additional Actions ID": "0",
    "Additional Actions String": "No additional actions required",
    "Remediation User": "",
    "Unused6": "",
    "Signature Version": "AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0",
    "Engine Version": "AM: 1.1.16100.4, NIS: 0.0.0.0"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Defender AMSI Trigger Detected source high: Detects triggering of AMSI by Windows Defender.

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1117 — Product Name has taken action to protect this machine from malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

Product Name has taken action to protect this machine from malware or other potentially unwanted software.

Message #

%1 has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %39
 	Process Name: %19
 	Action: %31
 	Action Status: %38
 	Error Code: %33
 	Error description: %34
 	Security intelligence Version: %41
 	Engine Version: %42

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Detection ID` UnicodeString	—
`Detection Time` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Threat ID` UnicodeString	—
`Threat Name` UnicodeString	—
`Severity ID` UnicodeString	—
`Severity Name` UnicodeString	—
`Category ID` UnicodeString	—
`Category Name` UnicodeString	—
`FWLink` UnicodeString	—
`Status Code` UnicodeString	—
`Status Description` UnicodeString	—
`State` UnicodeString	—
`Source ID` UnicodeString	—
`Source Name` UnicodeString	—
`Process Name` UnicodeString	—
`Detection User` UnicodeString	—
`Unused3` UnicodeString	—
`Path` UnicodeString	—
`Origin ID` UnicodeString	—
`Origin Name` UnicodeString	—
`Execution ID` UnicodeString	—
`Execution Name` UnicodeString	—
`Type ID` UnicodeString	—
`Type Name` UnicodeString	—
`Pre Execution Status` UnicodeString	—
`Action ID` UnicodeString	—
`Action Name` UnicodeString	—
`Unused4` UnicodeString	—
`Error Code` UnicodeString	—
`Error Description` UnicodeString	—
`Unused5` UnicodeString	—
`Post Clean Status` UnicodeString	—
`Additional Actions ID` UnicodeString	—
`Additional Actions String` UnicodeString	—
`Remediation User` UnicodeString	—
`Unused6` UnicodeString	—
`Signature Version`	—
`Engine Version` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1117,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-18T20:53:31.952569+00:00",
    "event_record_id": 106,
    "correlation": {
      "ActivityID": "2AD0CF94-C382-4568-A488-1253A4ED0F54"
    },
    "execution": {
      "process_id": 6024,
      "thread_id": 6068
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "%%827",
    "Product Version": "4.18.1906.3",
    "Detection ID": "{8791B1FB-0FE7-412E-B084-524CB5A221F3}",
    "Detection Time": "2019-07-18T20:40:13.775Z",
    "Unused": "",
    "Unused2": "",
    "Threat ID": "2147735426",
    "Threat Name": "Trojan:XML/Exeselrun.gen!A",
    "Severity ID": "5",
    "Severity Name": "Severe",
    "Category ID": "8",
    "Category Name": "Trojan",
    "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0",
    "Status Code": "5",
    "Status Description": "",
    "State": "2",
    "Source ID": "3",
    "Source Name": "%%818",
    "Process Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Detection User": "MSEDGEWIN10\\IEUser",
    "Unused3": "",
    "Path": "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1086\\payloads\\test.xsl",
    "Origin ID": "1",
    "Origin Name": "%%845",
    "Execution ID": "1",
    "Execution Name": "%%813",
    "Type ID": "2",
    "Type Name": "%%823",
    "Pre Execution Status": "0",
    "Action ID": "6",
    "Action Name": "%%811",
    "Unused4": "",
    "Error Code": "0x80508023",
    "Error Description": "The program could not find the malware and other potentially unwanted software on this device. ",
    "Unused5": "",
    "Post Clean Status": "0",
    "Additional Actions ID": "0",
    "Additional Actions String": "No additional actions required",
    "Remediation User": "NT AUTHORITY\\SYSTEM",
    "Unused6": "",
    "Signature Version": "AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0",
    "Engine Version": "AM: 1.1.16100.4, NIS: 0.0.0.0"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1118 — ProductName has encountered a non-critical error when taking action on malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

ProductName has encountered a non-critical error when taking action on malware or other potentially unwanted software.

Message #

%1 has encountered a non-critical error when taking action on malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %39
 	Process Name: %19
 	Action: %31
 	Action Status: %38
 	Error Code: %33
 	Error description: %34
 	Security intelligence Version: %41
 	Engine Version: %42

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`DetectionID` UnicodeString	—
`DetectionTime` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`ThreatID` UnicodeString	—
`ThreatName` UnicodeString	—
`SeverityID` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryID` UnicodeString	—
`CategoryName` UnicodeString	—
`FWLink` UnicodeString	—
`StatusCode` UnicodeString	—
`StatusDescription` UnicodeString	—
`State` UnicodeString	—
`SourceID` UnicodeString	—
`SourceName` UnicodeString	—
`ProcessName` UnicodeString	—
`DetectionUser` UnicodeString	—
`Unused3` UnicodeString	—
`Path` UnicodeString	—
`OriginID` UnicodeString	—
`OriginName` UnicodeString	—
`ExecutionID` UnicodeString	—
`ExecutionName` UnicodeString	—
`TypeID` UnicodeString	—
`TypeName` UnicodeString	—
`PreExecutionStatus` UnicodeString	—
`ActionID` UnicodeString	—
`ActionName` UnicodeString	—
`Unused4` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused5` UnicodeString	—
`PostCleanStatus` UnicodeString	—
`AdditionalActionsID` UnicodeString	—
`AdditionalActionsString` UnicodeString	—
`RemediationUser` UnicodeString	—
`Unused6` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1119 — ProductName has encountered a critical error when taking action on malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

ProductName has encountered a critical error when taking action on malware or other potentially unwanted software.

Message #

%1 has encountered a critical error when taking action on malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %39
 	Process Name: %19
 	Action: %31
 	Action Status: %38
 	Error Code: %33
 	Error description: %34
 	Security intelligence Version: %41
 	Engine Version: %42

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`DetectionID` UnicodeString	—
`DetectionTime` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`ThreatID` UnicodeString	—
`ThreatName` UnicodeString	—
`SeverityID` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryID` UnicodeString	—
`CategoryName` UnicodeString	—
`FWLink` UnicodeString	—
`StatusCode` UnicodeString	—
`StatusDescription` UnicodeString	—
`State` UnicodeString	—
`SourceID` UnicodeString	—
`SourceName` UnicodeString	—
`ProcessName` UnicodeString	—
`DetectionUser` UnicodeString	—
`Unused3` UnicodeString	—
`Path` UnicodeString	—
`OriginID` UnicodeString	—
`OriginName` UnicodeString	—
`ExecutionID` UnicodeString	—
`ExecutionName` UnicodeString	—
`TypeID` UnicodeString	—
`TypeName` UnicodeString	—
`PreExecutionStatus` UnicodeString	—
`ActionID` UnicodeString	—
`ActionName` UnicodeString	—
`Unused4` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused5` UnicodeString	—
`PostCleanStatus` UnicodeString	—
`AdditionalActionsID` UnicodeString	—
`AdditionalActionsString` UnicodeString	—
`RemediationUser` UnicodeString	—
`Unused6` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1120 — ProductName has deduced the hashes for a threat resource.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (ANSSI)

Description

ProductName has deduced the hashes for a threat resource.

Message #

%1 has deduced the hashes for a threat resource.
 	Current Platform Version: %2
 	Threat resource path: %4
 	Hashes: %5

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`Threatresourcepath` UnicodeString	—
`Hashes` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1121 — Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

Message #

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: %4
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Target Commandline: %12
 	Parent Commandline: %13
 	Involved File: %14
 	Inheritance Flags: %15
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Path` UnicodeString	—
`ProcessName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—
`RuleType` UnicodeString	—
`TargetCommandline` UnicodeString	—
`ParentCommandline` UnicodeString	—
`InvolvedFile` UnicodeString	—
`InhertianceFlags` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

LSASS Access Detected via Attack Surface Reduction source high: Detects Access to LSASS Process
PSExec and WMI Process Creations Block source high: Detects blocking of process creations originating from PSExec and WMI commands

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1122 — Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (JSCU-NL)

Description

Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.

Message #

Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: %4
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Target Commandline: %12
 	Parent Commandline: %13
 	Involved File: %14
 	Inheritance Flags: %15
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Path` UnicodeString	—
`ProcessName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—
`RuleType` UnicodeString	—
`TargetCommandline` UnicodeString	—
`ParentCommandline` UnicodeString	—
`InvolvedFile` UnicodeString	—
`InhertianceFlags` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1123 — ProcessName has been blocked from modifying Path by Controlled Folder Access.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (JSCU-NL)

Description

ProcessName has been blocked from modifying Path by Controlled Folder Access.

Message #

%8 has been blocked from modifying %7 by Controlled Folder Access.
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Path` UnicodeString	—
`ProcessName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1124 — ProcessName would have been blocked from modifying Path by Controlled Folder Access.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (JSCU-NL)

Description

ProcessName would have been blocked from modifying Path by Controlled Folder Access.

Message #

%8 would have been blocked from modifying %7 by Controlled Folder Access.
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Path` UnicodeString	—
`ProcessName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1125 — Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (JSCU-NL)

Description

Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.

Message #

Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
 	Detection time: %4
 	User: %5
 	Destination: %6
 	Process Name: %7

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Destination` UnicodeString	—
`ProcessName` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1126 — Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (JSCU-NL)

Description

Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.

Message #

Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
 	Detection time: %4
 	User: %5
 	Destination: %6
 	Process Name: %7

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Destination` UnicodeString	—
`ProcessName` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1127 — Controlled Folder Access blocked ProcessName from making changes to memory.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender)

Description

Controlled Folder Access blocked ProcessName from making changes to memory.

Message #

Controlled Folder Access blocked %8 from making changes to memory.
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Path` UnicodeString	—
`ProcessName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1128 — Controlled Folder Access would have blocked ProcessName from making changes to memory.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

Controlled Folder Access would have blocked ProcessName from making changes to memory.

Message #

Controlled Folder Access would have blocked %8 from making changes to memory.
 	Detection time: %5
 	User: %6
 	Path: %7
 	Process Name: %8
 	Security intelligence Version: %9
 	Engine Version: %10
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`DetectionTime` UnicodeString	—
`User` UnicodeString	—
`Path` UnicodeString	—
`ProcessName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1129 — A user has allowed a blocked Microsoft Defender Exploit Guard operation.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

A user has allowed a blocked Microsoft Defender Exploit Guard operation.

Message #

A user has allowed a blocked Microsoft Defender Exploit Guard operation.
 	ID: %4
 	User: %5
 	Path: %6
 	Process Name: %7
 	Involved File: %8

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`User` UnicodeString	—
`Path` UnicodeString	—
`ProcessName` UnicodeString	—
`InvolvedFile` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1130 — {Product Name} blocked a behavior by {Source app}.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

{Product Name} blocked a behavior by {Source app}.

Message #

{Product Name} blocked a behavior by {Source app}.

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1131 — ProductName has blocked an operation that your administrator doesn't allow.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has blocked an operation that your administrator doesn't allow.

Message #

%1 has blocked an operation that your administrator doesn't allow.
 For more information please contact your IT administrator.
 	ID: %4
 	State: %5
 	Timestamp: %6
 	Action: %7
 	Process: %8
 	Source: %9
 	Target: %10
 	User: %11
 %Security intelligence Version: %12
 	Engine Version: %13
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`State` UnicodeString	—
`Timestamp` UnicodeString	—
`Action` UnicodeString	—
`Process` UnicodeString	—
`Source` UnicodeString	—
`Target` UnicodeString	—
`User` UnicodeString	—
`SignatureVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1132 — ProductName has audited an operation.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has audited an operation.

Message #

%1 has audited an operation.
 For more information please contact your IT administrator.
 	ID: %4
 	State: %5
 	Timestamp: %6
 	Action: %7
 	Process: %8
 	Source: %9
 	Target: %10
 	User: %11
 %Security intelligence Version: %12
 	Engine Version: %13
 	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ID` UnicodeString	—
`State` UnicodeString	—
`Timestamp` UnicodeString	—
`Action` UnicodeString	—
`Process` UnicodeString	—
`Source` UnicodeString	—
`Target` UnicodeString	—
`User` UnicodeString	—
`SignatureVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1133 — ProductName has blocked an operation that your administrator doesn't allow.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has blocked an operation that your administrator doesn't allow.

Message #

%1 has blocked an operation that your administrator doesn't allow.
For more information please contact your IT administrator.
	Policy Version: %4
	Policy Rule ID: %5
	Enforcement Level: %6
	Timestamp: %8
	Action Type: %9
	Process: %10
	Source: %11
	Target: %12
	Session ID: %13
	User SID: %14
%Security intelligence Version: %15
	Engine Version: %16
	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`PolicyVersion` UnicodeString	—
`PolicyRuleId` UnicodeString	—
`EnforcementLevel` UnicodeString	—
`AuditReason` UnicodeString	—
`EventTimestamp` UnicodeString	—
`ActionType` UnicodeString	—
`Process` UnicodeString	—
`Source` UnicodeString	—
`Target` UnicodeString	—
`SessionId` UnicodeString	—
`UserSid` UnicodeString	—
`SignatureVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1134 — ProductName has audited an operation.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has audited an operation.

Message #

%1 has audited an operation.
For more information please contact your IT administrator.
	Policy Version: %4
	Policy Rule ID: %5
	Enforcement Level: %6
	Audit Reason: %7
	Timestamp: %8
	Action Type: %9
	Process: %10
	Source: %11
	Target: %12
	Session ID: %13
	User SID: %14
%Security intelligence Version: %15
	Engine Version: %16
	Product Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`PolicyVersion` UnicodeString	—
`PolicyRuleId` UnicodeString	—
`EnforcementLevel` UnicodeString	—
`AuditReason` UnicodeString	—
`EventTimestamp` UnicodeString	—
`ActionType` UnicodeString	—
`Process` UnicodeString	—
`Source` UnicodeString	—
`Target` UnicodeString	—
`SessionId` UnicodeString	—
`UserSid` UnicodeString	—
`SignatureVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1150 — Endpoint Protection client is up and running in a healthy state.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Endpoint Protection client is up and running in a healthy state.

Message #

Endpoint Protection client is up and running in a healthy state.
 	Platform version: %2
 	Engine version: %4
 	Security intelligence version: %5

Fields #

Name	Description
`Product Name` UnicodeString	—
`Platform version` UnicodeString	—
`Unused` UnicodeString	—
`Engine version` UnicodeString	—
`Security intelligence version` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1150,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T23:33:02.683905+00:00",
    "event_record_id": 136,
    "correlation": {},
    "execution": {
      "process_id": 3332,
      "thread_id": 4248
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Platform version": "4.18.23090.2008",
    "Unused": "",
    "Engine version": "1.1.23090.2007",
    "Security intelligence version": "1.399.1311.0"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1151 — Endpoint Protection client health report (time in UTC).

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Endpoint Protection client health report (time in UTC).

Message #

Endpoint Protection client health report (time in UTC):
 	Platform version: %2
 	Engine version: %4
 	Network Realtime Inspection engine version: %5
 	Antivirus security intelligence version: %6
 	Antispyware security intelligence version: %7
 	Network Realtime Inspection security intelligence version: %8
 	RTP state: %9
 	OA state: %10
 	IOAV state: %11
 	BM state: %12
 	Antivirus security intelligence age: %13
 	Antispyware security intelligence age: %14
 	Last quick scan age: %15
 	Last full scan age: %16
 	Antivirus security intelligence creation time: %17
 	Antispyware security intelligence creation time: %18
 	Last quick scan start time: %19
 	Last quick scan end time: %20
 	Last quick scan source: %21
 	Last full scan start time: %22
 	Last full scan end time: %23
 	Last full scan source: %24
 	Product status: %25

Fields #

Name	Description
`Product Name` UnicodeString	—
`Platform version` UnicodeString	—
`Unused` UnicodeString	—
`Engine version` UnicodeString	—
`NRI engine version` UnicodeString	—
`AV security intelligence version` UnicodeString	—
`AS security intelligence version` UnicodeString	—
`NRI security intelligence version` UnicodeString	—
`RTP state` UnicodeString	—
`OA state` UnicodeString	—
`IOAV state` UnicodeString	—
`BM state` UnicodeString	—
`Last AV security intelligence age` UnicodeString	—
`Last AS security intelligence age` UnicodeString	—
`Last quick scan age` UnicodeString	—
`Last full scan age` UnicodeString	—
`AV security intelligence creation time` UnicodeString	—
`AS security intelligence creation time` UnicodeString	—
`Last quick scan start time` UnicodeString	—
`Last quick scan end time` UnicodeString	—
`Last quick scan source` UnicodeString	—
`Last full scan start time` UnicodeString	—
`Last full scan end time` UnicodeString	—
`Last full scan source` UnicodeString	—
`Product status` UnicodeString	—
`Latest engine version` UnicodeString	—
`Engine up-to-date` UnicodeString	—
`Latest platform version` UnicodeString	—
`Platform up-to-date` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1151,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:33:02.916969+00:00",
    "event_record_id": 160,
    "correlation": {},
    "execution": {
      "process_id": 3332,
      "thread_id": 7940
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Platform version": "4.18.23090.2008",
    "Unused": "",
    "Engine version": "1.1.23090.2007",
    "NRI engine version": "1.1.23090.2007",
    "AV security intelligence version": "1.399.1311.0",
    "AS security intelligence version": "1.399.1311.0",
    "NRI security intelligence version": "1.399.1311.0",
    "RTP state": "Disabled",
    "OA state": "Disabled",
    "IOAV state": "Disabled",
    "BM state": "Disabled",
    "Last AV security intelligence age": "11",
    "Last AS security intelligence age": "11",
    "Last quick scan age": "4294967295",
    "Last full scan age": "4294967295",
    "AV security intelligence creation time": "2023-10-25T15:24:36Z",
    "AS security intelligence creation time": "2023-10-25T15:24:36Z",
    "Last quick scan start time": "1601-01-01T00:00:00Z",
    "Last quick scan end time": "1601-01-01T00:00:00Z",
    "Last quick scan source": "0",
    "Last full scan start time": "1601-01-01T00:00:00Z",
    "Last full scan end time": "1601-01-01T00:00:00Z",
    "Last full scan source": "0",
    "Product status": "0x00080000",
    "Latest engine version": "1.1.23090.2007",
    "Engine up-to-date": "0",
    "Latest platform version": "4.18.23090.2008",
    "Platform up-to-date": "1"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1160 — ProductName has detected potentially unwanted application(PUA).

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has detected potentially unwanted application(PUA).

Message #

%1 has detected potentially unwanted application(PUA).
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %20
 	Process Name: %19
 	Security intelligence Version: %41
 	Engine Version: %42

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`DetectionID` UnicodeString	—
`DetectionTime` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`ThreatID` UnicodeString	—
`ThreatName` UnicodeString	—
`SeverityID` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryID` UnicodeString	—
`CategoryName` UnicodeString	—
`FWLink` UnicodeString	—
`StatusCode` UnicodeString	—
`StatusDescription` UnicodeString	—
`State` UnicodeString	—
`SourceID` UnicodeString	—
`SourceName` UnicodeString	—
`ProcessName` UnicodeString	—
`DetectionUser` UnicodeString	—
`Unused3` UnicodeString	—
`Path` UnicodeString	—
`OriginID` UnicodeString	—
`OriginName` UnicodeString	—
`ExecutionID` UnicodeString	—
`ExecutionName` UnicodeString	—
`TypeID` UnicodeString	—
`TypeName` UnicodeString	—
`PreExecutionStatus` UnicodeString	—
`ActionID` UnicodeString	—
`ActionName` UnicodeString	—
`Unused4` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused5` UnicodeString	—
`PostCleanStatus` UnicodeString	—
`AdditionalActionsID` UnicodeString	—
`AdditionalActionsString` UnicodeString	—
`RemediationUser` UnicodeString	—
`Unused6` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2000 — Product Name security intelligence version updated.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name security intelligence version updated.

Message #

%1 security intelligence version updated.
 	Current security intelligence Version: %3
 	Previous security intelligence Version: %4
 	Security intelligence Type: %12
 	Update Type: %14
 	User: %8\%9
 	Current Engine Version: %15
 	Previous Engine Version: %16

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Current security intelligence Version` UnicodeString	—
`Previous security intelligence Version` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`Security intelligence Type Index` UnicodeString	—
`Security intelligence Type` UnicodeString	—
`Update Type Index` UnicodeString	—
`Update Type` UnicodeString	—
`Current Engine Version` UnicodeString	—
`Previous Engine Version` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 2000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T21:44:41.065306+00:00",
    "event_record_id": 38,
    "correlation": {},
    "execution": {
      "process_id": 2976,
      "thread_id": 4276
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2201.11",
    "Current security intelligence Version": "1.399.1311.0",
    "Previous security intelligence Version": "1.321.69.0",
    "Unused": "",
    "Unused2": "",
    "Unused3": "",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18",
    "Security intelligence Type Index": "2",
    "Security intelligence Type": "AntiSpyware",
    "Update Type Index": "1",
    "Update Type": "Full",
    "Current Engine Version": "1.1.23090.2007",
    "Previous Engine Version": "1.1.17300.4"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2001 — Product Name has encountered an error trying to update security intelligence.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Error
Collection Priority: Recommended (Microsoft-Defender, others)

Description

Product Name has encountered an error trying to update security intelligence.

Message #

%1 has encountered an error trying to update security intelligence.
 	New security intelligence Version: %3
 	Previous security intelligence Version: %4
 	Update Source: %6
 	Security intelligence Type: %12
 	Update Type: %14
 	User: %8\%9
 	Current Engine Version: %15
 	Previous Engine Version: %16
 	Error code: %17
 	Error description: %18

Fields #

Name	Description
`Product Name`	—
`Product Version`	—
`Current security intelligence Version`	—
`Previous security intelligence Version`	—
`Update Source Index`	—
`Update Source`	—
`Unused` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`Security intelligence Type Index`	—
`Security intelligence Type`	—
`Update Type Index`	—
`Update Type`	—
`Current Engine Version`	—
`Previous Engine Version`	—
`Error Code`	—
`Error Description`	—
`Update State Index`	—
`Update State`	—
`Source Path`	—
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`CurrentsecurityintelligenceVersion` UnicodeString	—
`PrevioussecurityintelligenceVersion` UnicodeString	—
`UpdateSourceIndex` UnicodeString	—
`UpdateSource` UnicodeString	—
`SecurityintelligenceTypeIndex` UnicodeString	—
`SecurityintelligenceType` UnicodeString	—
`UpdateTypeIndex` UnicodeString	—
`UpdateType` UnicodeString	—
`CurrentEngineVersion` UnicodeString	—
`PreviousEngineVersion` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`UpdateStateIndex` UnicodeString	—
`UpdateState` UnicodeString	—
`SourcePath` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 2001,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T01:17:06.846703+00:00",
    "event_record_id": 1315,
    "correlation": {
      "ActivityID": "4BE4BD99-4F61-4990-9CE4-215B5E5A9104"
    },
    "execution": {
      "process_id": 3728,
      "thread_id": 5300
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.26010.5",
    "Current security intelligence Version": "",
    "Previous security intelligence Version": "1.445.426.0",
    "Update Source Index": "7",
    "Update Source": "Microsoft Update Server",
    "Unused": "",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18",
    "Security intelligence Type Index": "1",
    "Security intelligence Type": "AntiVirus",
    "Update Type Index": "1",
    "Update Type": "Full",
    "Current Engine Version": "",
    "Previous Engine Version": "1.1.26010.1",
    "Error Code": "0x8007045b",
    "Error Description": "A system shutdown is in progress. ",
    "Update State Index": "1",
    "Update State": "Search",
    "Source Path": "Default URL"
  },
  "message": ""
}

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2002 — Product Name engine version has been updated.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name engine version has been updated.

Message #

%1 engine version has been updated.
 	Current Engine Version: %3
 	Previous Engine Version: %4
 	User: %8\%9

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Current Engine Version` UnicodeString	—
`Previous Engine Version` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`Unused4` UnicodeString	—
`Unused5` UnicodeString	—
`Feature Index` UnicodeString	—
`Feature Name` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 2002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T21:44:41.062981+00:00",
    "event_record_id": 36,
    "correlation": {},
    "execution": {
      "process_id": 2976,
      "thread_id": 4276
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2201.11",
    "Current Engine Version": "1.1.23090.2007",
    "Previous Engine Version": "1.1.17300.4",
    "Unused": "",
    "Unused2": "",
    "Unused3": "",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18",
    "Unused4": "",
    "Unused5": "",
    "Feature Index": "0",
    "Feature Name": "Antimalware"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2003 — ProductName has encountered an error trying to update the engine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (NSA, others)

Description

ProductName has encountered an error trying to update the engine.

Message #

%1 has encountered an error trying to update the engine.
 	New Engine Version: %3
 	Previous Engine Version: %4
 	User: %8\%9
 	Error Code: %11
 	Error description: %12

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`CurrentEngineVersion` UnicodeString	—
`PreviousEngineVersion` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`UpdateStateIndex` UnicodeString	—
`UpdateState` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2004 — ProductName has encountered an error trying to update security intelligence and will attempt to revert to a previous version.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (NSA, others)

Description

ProductName has encountered an error trying to update security intelligence and will attempt to revert to a previous version.

Message #

%1 has encountered an error trying to update security intelligence and will attempt to revert to a previous version.
 	Security intelligence Attempted: %4
 	Error Code: %5
 	Error description: %6
 	Security intelligence Version: %9
 	Engine Version: %10

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`SecurityintelligenceAttemptedIndex` UnicodeString	—
`SecurityintelligenceAttempted` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Loadingsecurityintelligenceversion` UnicodeString	—
`Loadingengineversion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2005 — ProductName could not load antimalware engine because current platform version is not supported.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName could not load antimalware engine because current platform version is not supported. ProductName will revert back to the last known-good engine and a platform update will be attempted.

Message #

%1 could not load antimalware engine because current platform version is not supported. %1 will revert back to the last known-good engine and a platform update will be attempted.
 	Current Platform Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2006 — ProductName has encountered an error trying to update the platform.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has encountered an error trying to update the platform.

Message #

%1 has encountered an error trying to update the platform.
 	Current Platform Version: %2
 	Error code: %4
 	Error description: %5

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2007 — ProductName will soon require a newer platform version to support future versions of the antimalware engine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName will soon require a newer platform version to support future versions of the antimalware engine. Download the latest ProductName platform to maintain the best level of protection available.

Message #

%1 will soon require a newer platform version to support future versions of the antimalware engine. Download the latest %1 platform to maintain the best level of protection available.
 	Current Platform Version: %2

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2008 — ProductName platform update update to NewPlatformVersion is paused due to system activity.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName platform update update to NewPlatformVersion is paused due to system activity. For more details see the latest MpLog*.log entry under ProgramData.

Message #

%1 platform update update to %4 is paused due to system activity. For more details see the latest MpLog*.log entry under ProgramData.

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`NewPlatformVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2009 — ProductName platform update to NewPlatformVersion has resumed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName platform update to NewPlatformVersion has resumed.

Message #

%1 platform update to %4 has resumed.

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`NewPlatformVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2010 — Product Name used cloud protection to get additional security intelligence.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name used cloud protection to get additional security intelligence.

Message #

%1 used cloud protection to get additional security intelligence.
 	Current security intelligence Version: %3
 	Security intelligence Type: %12
 	User: %8\%9
 	Current Engine Version: %15
 	Cloud protection intelligence Type: %23
 	Persistence Path: %24
 	Cloud protection intelligence Version: %25
 	Cloud protection intelligence Compilation Timestamp: %26
 	Persistence Limit Type: %28
 	Persistence Limit: %29

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Current security intelligence Version` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`Security intelligence Type Index` UnicodeString	—
`Security intelligence Type` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`Current Engine Version` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`Unused11` UnicodeString	—
`Unused12` UnicodeString	—
`Cloud protection intelligence Type Index` UnicodeString	—
`Cloud protection intelligence Type` UnicodeString	—
`Persistence Path` UnicodeString	—
`Cloud protection intelligence Version` UnicodeString	—
`Cloud protection intelligence Compilation Timestamp` UnicodeString	—
`Persistence Limit Type Index` UnicodeString	—
`Persistence Limit Type` UnicodeString	—
`Persistence Limit Value` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 2010,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:34:04.823948+00:00",
    "event_record_id": 162,
    "correlation": {},
    "execution": {
      "process_id": 3332,
      "thread_id": 12556
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.23090.2008",
    "Current security intelligence Version": "1.399.1311.0",
    "Unused": "",
    "Unused2": "",
    "Unused3": "",
    "Unused4": "",
    "Domain": "",
    "User": "",
    "SID": "",
    "Security intelligence Type Index": "0",
    "Security intelligence Type": "",
    "Unused5": "",
    "Unused6": "",
    "Current Engine Version": "1.1.23090.2007",
    "Unused7": "",
    "Unused8": "",
    "Unused9": "",
    "Unused10": "",
    "Unused11": "",
    "Unused12": "",
    "Cloud protection intelligence Type Index": "1",
    "Cloud protection intelligence Type": "Security intelligence update",
    "Persistence Path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\data\\2c120ea46d796db0984b96884f1a90a8dab2bfe3",
    "Cloud protection intelligence Version": "0.0.0.0",
    "Cloud protection intelligence Compilation Timestamp": "11/6/2023 1:34:04 AM",
    "Persistence Limit Type Index": "2",
    "Persistence Limit Type": "Duration",
    "Persistence Limit Value": "100000"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2011 — ProductName used cloud protection to discard obsolete security intelligence updates.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName used cloud protection to discard obsolete security intelligence updates.

Message #

%1 used cloud protection to discard obsolete security intelligence updates.
 	Current security intelligence Version: %3
 	Security intelligence Type: %12
 	Current Engine Version: %15
 	Cloud protection intelligence Type: %23
 	Persistence Path: %24
 	Cloud protection intelligence Version: %25
 	Cloud protection intelligence Compilation Timestamp: %26
 	Removal Reason: %31
 	Persistence Limit Type: %28
 	Persistence Limit: %29

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`CurrentsecurityintelligenceVersion` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`SecurityintelligenceTypeIndex` UnicodeString	—
`SecurityintelligenceType` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`CurrentEngineVersion` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`Unused11` UnicodeString	—
`Unused12` UnicodeString	—
`CloudprotectionintelligenceTypeIndex` UnicodeString	—
`CloudprotectionintelligenceType` UnicodeString	—
`PersistencePath` UnicodeString	—
`CloudprotectionintelligenceVersion` UnicodeString	—
`CloudprotectionintelligenceCompilationTimestamp` UnicodeString	—
`PersistenceLimitTypeIndex` UnicodeString	—
`PersistenceLimitType` UnicodeString	—
`PersistenceLimitValue` UnicodeString	—
`RemovalReasonIndex` UnicodeString	—
`RemovalReasonValue` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2012 — ProductName has encountered an error trying to use cloud protection.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has encountered an error trying to use cloud protection.

Message #

%1 has encountered an error trying to use cloud protection.
 	Current security intelligence Version: %3
 	Security intelligence Type: %12
 	User: %8\%9
 	Current Engine Version: %15
 	Error code: %17
 	Error description: %18 	Cloud protection intelligence Type: %23
 	Persistence Path: %24
 	Cloud protection intelligence Version: %25
 	Cloud protection intelligence Compilation Timestamp: %26
 	Persistence Limit Type: %28
 	Persistence Limit: %29

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`CurrentsecurityintelligenceVersion` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`SecurityintelligenceTypeIndex` UnicodeString	—
`SecurityintelligenceType` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`CurrentEngineVersion` UnicodeString	—
`Unused7` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`CloudprotectionintelligenceTypeIndex` UnicodeString	—
`CloudprotectionintelligenceType` UnicodeString	—
`PersistencePath` UnicodeString	—
`CloudprotectionintelligenceVersion` UnicodeString	—
`CloudprotectionintelligenceCompilationTimestamp` UnicodeString	—
`PersistenceLimitTypeIndex` UnicodeString	—
`PersistenceLimitType` UnicodeString	—
`PersistenceLimitValue` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2013 — ProductName discarded all cloud protection intelligence.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName discarded all cloud protection intelligence.

Message #

%1 discarded all cloud protection intelligence.
 	User: %8\%9
 	Current Engine Version: %15

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`CurrentsecurityintelligenceVersion` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`SecurityintelligenceTypeIndex` UnicodeString	—
`SecurityintelligenceType` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`CurrentEngineVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2014 — Product Name platform update to Product Version has succeeded.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name platform update to Product Version has succeeded.

Message #

%1 platform update to %2 has succeeded.

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 2014,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T21:49:53.778165+00:00",
    "event_record_id": 58,
    "correlation": {},
    "execution": {
      "process_id": 1332,
      "thread_id": 4624
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.23090.2008"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2020 — {Product Name} downloaded a clean file.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

{Product Name} downloaded a clean file. Filename: {Filename} Current Signature Version: {Current Signature Version} Current Engine Version: {Current Engine Version}.

Message #

{Product Name} downloaded a clean file. 	Filename: {Filename} 	Current Signature Version: {Current Signature Version} 	Current Engine Version: {Current Engine Version}

Fields #

Name	Description
`Filename`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2021 — {Product Name} has encountered an error trying to download a clean file.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{Product Name} has encountered an error trying to download a clean file. 	Filename: {Filename} 	Current Signature Version: {Current Signature Version} 	Current Engine Version: {Current Engine Version} 	Error code: {Error Code} 	Error description: {Error Description}

Fields #

Name	Description
`Filename`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2030 — ProductName downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot.

Message #

%1 downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot.

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2031 — ProductName has encountered an error trying to download and configure Microsoft Defender Antivirus (offline scan).

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has encountered an error trying to download and configure Microsoft Defender Antivirus (offline scan).

Message #

%1 has encountered an error trying to download and configure Microsoft Defender Antivirus (offline scan).
	Error code: %4
	Error description: %5

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2040 — The support for your operating system will expire shortly.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

The support for your operating system will expire shortly. Running ProductName on an out of support operating system is not an adequate solution to protect against threats.

Message #

The support for your operating system will expire shortly. Running %1 on an out of support operating system is not an adequate solution to protect against threats.

Fields #

Name	Description
`ProductName` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2041 — The support for your operating system has expired.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

The support for your operating system has expired. Running ProductName on an out of support operating system is not an adequate solution to protect against threats.

Message #

The support for your operating system has expired. Running %1 on an out of support operating system is not an adequate solution to protect against threats.

Fields #

Name	Description
`ProductName` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2042 — The support for your operating system has expired.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

The support for your operating system has expired. ProductName is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

Message #

The support for your operating system has expired. %1 is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

Fields #

Name	Description
`ProductName` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2050 — Product Name has uploaded a file for further analysis.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name has uploaded a file for further analysis.

Message #

%1 has uploaded a file for further analysis.
 	Filename: %3
 	Sha256: %4

Fields #

Name	Description
`Product Name`	—
`Product Version`	—
`Filename` UnicodeString	—
`Sha256` UnicodeString	—
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 2050,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-12T18:54:35.585634+00:00",
    "event_record_id": 750,
    "correlation": {
      "ActivityID": "BE515C10-E001-43C7-997D-42CF5BAA18A7"
    },
    "execution": {
      "process_id": 8580,
      "thread_id": 4832
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.26010.5",
    "Filename": "C:\\Users\\domainuser\\Downloads\\ScreenConnect.ClientSetup.exe",
    "Sha256": "981233ccb88f5d6dcb9d7856c364c1d377153564202bba6935f97da5d2f3d316"
  },
  "message": ""
}

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 2051 — ProductName has encountered an error trying to upload a suspicious file for further analysis.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName has encountered an error trying to upload a suspicious file for further analysis.

Message #

%1 has encountered an error trying to upload a suspicious file for further analysis.
 	Filename: %3
 	Sha256: %4
 	Current security intelligence Version: %5
 	Current Engine Version: %6
 	Error code: %7

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Filename` UnicodeString	—
`Sha256` UnicodeString	—
`CurrentsecurityintelligenceVersion` UnicodeString	—
`CurrentEngineVersion` UnicodeString	—
`ErrorCode` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3000 — {Product Name} Real-Time Protection agents have started.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

{Product Name} Real-Time Protection agents have started. User: {Domain}\{User}.

Message #

{Product Name} Real-Time Protection agents have started. 	User: {Domain}\{User}

Fields #

Name	Description
`Domain`	—
`User`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3001 — {Product Name}Real-Time Protection agents have stopped.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

{Product Name}Real-Time Protection agents have stopped. User: {Domain}\{User}.

Message #

{Product Name}Real-Time Protection agents have stopped. 	User: {Domain}\{User}

Fields #

Name	Description
`Domain`	—
`User`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3002 — ProductName Real-Time Protection feature has encountered an error and failed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

ProductName Real-Time Protection feature has encountered an error and failed.

Message #

%1 Real-Time Protection feature has encountered an error and failed.
 	Feature: %3
 	Error Code: %5
 	Error description: %6
 	Reason: %4

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`FeatureName` UnicodeString	—
`Reason` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—
`FeatureID` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3003 — {Product Name} Real-Time Protection checkpoint has encountered an error and failed to start.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{Product Name} Real-Time Protection checkpoint has encountered an error and failed to start. 	User: {Domain}\{User} 	Checkpoint ID: {Checkpoint} 	Error Code: {Error Code} 	Error description: {Error Description}

Fields #

Name	Description
`Domain`	—
`User`	—
`Checkpoint`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3004 — {Product Name} Real-Time Protection agent has detected changes.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{Product Name} Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. {Product Name} can't undo changes that you allow. For more information please see the following:{Product Name}5 	Scan ID: {Scan ID} 	User: {Domain}\{User} 	Name: {Product Name}1 	ID: {Product Name}2 	Severity ID: {Product Name}3 	Category ID: {Product Name}4 	Path Found: {Product Name}6 	Alert Type: {Product Name}8 	Detection Type: {Product Version}2

Fields #

Name	Description
`Domain`	—
`User`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3005 — {Product Name} Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{Product Name} Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software. For more information please see the following:{Product Name}5 	Scan ID: {Scan ID} 	User: {Domain}\{User} 	Name: {Product Name}1 	ID: {Product Name}2 	Severity ID: {Product Name}3 	Category ID: {Product Name}4 	Alert Type: {Product Name}8 	Action: {Product Version}0

Fields #

Name	Description
`Domain`	—
`User`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3006 — {Product Name} Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{Product Name} Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following:{Product Name}5 	Scan ID: {Scan ID} 	User: {Domain}\{User} 	Name: {Product Name}1 	ID: {Product Name}2 	Severity ID: {Product Name}3 	Category ID: {Product Name}4 	Path: {Product Name}6 	Alert Type: {Product Name}8 	Action: {Product Version}0 	Error Code: {Product Version}1 	Error description: {Product Version}2

Fields #

Name	Description
`Domain`	—
`User`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 3007 — ProductName Real-time Protection feature has restarted.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName Real-time Protection feature has restarted. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

Message #

%1 Real-time Protection feature has restarted. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
 	Feature: %3
 	Reason: %4

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`FeatureName` UnicodeString	—
`Reason` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`FeatureID` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 4000 — {Product Name} AV OnAccess Filter has detected spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{Product Name} AV OnAccess Filter has detected spyware or other potentially unwanted software. For more information please see the following:{Product Name}5 	Scan ID: {param2} 	User: {param7}\{param8} 	Name: {Product Name}1 	ID: {Product Name}2 	Severity ID: {Product Name}3 	Category ID: {Product Name}4 	Path Found: {Product Name}6 	Local Copy Path: {Product Name}7 	Process Name: {Product Name}8 	Detection Type: {param1}2

Fields #

Name	Description
`param2`	—
`param7`	—
`param8`	—
`param1`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 4002 — {param1} AV OnAccess Filter has taken action to protect this machine from detected spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{param1} AV OnAccess Filter has taken action to protect this machine from detected spyware or other potentially unwanted software. For more information please see the following:{param1}5 	Scan ID: {param3} 	User: {param8}\{param9} 	Name: {param1}1 	ID: {param1}2 	Severity ID: {param1}3 	Category ID: {param1}4 	Action: {param2}0

Fields #

Name	Description
`param1`	—
`param3`	—
`param8`	—
`param9`	—
`param2`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 4003 — {param1} AV OnAccess Filter has encountered an error when taking action on detected spyware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{param1} AV OnAccess Filter has encountered an error when taking action on detected spyware or other potentially unwanted software. For more information please see the following:{param1}5 	Scan ID: {param3} 	User: {param8}\{param9} 	Name: {param1}1 	ID: {param1}2 	Severity ID: {param1}3 	Category ID: {param1}4 	Path: {param1}6 	Action: {param2}0 	Error Code: {param2}1 	Error Description: {param2}2

Fields #

Name	Description
`param1`	—
`param3`	—
`param8`	—
`param9`	—
`param2`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5000 — ProductName Real-time Protection scanning for malware and other potentially unwanted software was enabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName Real-time Protection scanning for malware and other potentially unwanted software was enabled.

Message #

%1 Real-time Protection scanning for malware and other potentially unwanted software was enabled.

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5001 — Product Name Real-time Protection scanning for malware and other potentially unwanted software was disabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational
Collection Priority: Recommended (Microsoft-Defender)

Description

Product Name Real-time Protection scanning for malware and other potentially unwanted software was disabled.

Message #

%1 Real-time Protection scanning for malware and other potentially unwanted software was disabled.

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 5001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:11:26.945147+00:00",
    "event_record_id": 150,
    "correlation": {},
    "execution": {
      "process_id": 3332,
      "thread_id": 9444
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.23090.2008"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Defender Real-time Protection Disabled source high: Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5002 — {param1} OnAccess scanning for viruses was enabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

{param1} OnAccess scanning for viruses was enabled.

Message #

{param1} OnAccess scanning for viruses was enabled.

Fields #

Name	Description
`param1`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5003 — {param1} OnAccess scanning for viruses was disabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

{param1} OnAccess scanning for viruses was disabled.

Message #

{param1} OnAccess scanning for viruses was disabled.

Fields #

Name	Description
`param1`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5004 — Product Name Real-time Protection feature configuration has changed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational
Collection Priority: Recommended (Microsoft-Defender)

Description

Product Name Real-time Protection feature configuration has changed.

Message #

%1 Real-time Protection feature configuration has changed.
 	Feature: %3
 	Configuration: %4

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Feature Name` UnicodeString	—
`Configuration` UnicodeString	—
`Unused` UnicodeString	—
`Feature ID` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 5004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T21:49:40.464437+00:00",
    "event_record_id": 56,
    "correlation": {},
    "execution": {
      "process_id": 1004,
      "thread_id": 912
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2201.11",
    "Feature Name": "Network Inspection System",
    "Configuration": "0",
    "Unused": "",
    "Feature ID": "9"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5005 — {Product Name} Real-time Protection checkpoint configuration has changed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

{Product Name} Real-time Protection checkpoint configuration has changed. Checkpoint: {Checkpoint} Configuration: {Configuration}.

Message #

{Product Name} Real-time Protection checkpoint configuration has changed. 	Checkpoint: {Checkpoint} 	Configuration: {Configuration}

Fields #

Name	Description
`Checkpoint`	—
`Configuration`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5006 — {param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled - Please restart the service.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

{param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled - Please restart the service.

Message #

{param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled - Please restart the service.

Fields #

Name	Description
`param1`	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5007 — Product Name Configuration has changed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

Product Name Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

Message #

%1 Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
 	Old value: %3
 	New value: %4

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Old Value` UnicodeString	—
`New Value` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 5007,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:45.697776+00:00",
    "event_record_id": 113,
    "correlation": {},
    "execution": {
      "process_id": 3944,
      "thread_id": 4488
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.23090.2008",
    "Old Value": "Default\\IsServiceRunning = 0x0",
    "New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\IsServiceRunning = 0x1"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Defender Exclusions Added source medium: Detects the Setting of Windows Defender Exclusions
Windows Defender Exploit Guard Tamper source high: Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Windows Defender Submit Sample Feature Disabled source low: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.

Show 1 more (4 total)

Windows Defender Configuration Changes source high: Detects suspicious changes to the Windows Defender configuration

Splunk # view in reference

Windows Defender ASR Registry Modification source: The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.
Windows Defender ASR Rule Disabled source: The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5008 — ProductName engine has been terminated due to an unexpected error.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender, others)

Description

ProductName engine has been terminated due to an unexpected error.

Message #

%1 engine has been terminated due to an unexpected error.
 	Failure Type: %5
 	Exception code: %6
 	Resource: %3
 	Engine Code: %7

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Resource` UnicodeString	—
`FailureTypeIndex` UnicodeString	—
`FailureType` UnicodeString	—
`ExceptionCode` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5009 — ProductName scanning for spyware and other potentially unwanted software has been enabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName scanning for spyware and other potentially unwanted software has been enabled.

Message #

%1 scanning for spyware and other potentially unwanted software has been enabled.

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5010 — ProductName scanning for spyware and other potentially unwanted software is disabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender)

Description

ProductName scanning for spyware and other potentially unwanted software is disabled.

Message #

%1 scanning for spyware and other potentially unwanted software is disabled.

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Defender Malware And PUA Scanning Disabled source high: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5011 — ProductName scanning for viruses has been enabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName scanning for viruses has been enabled.

Message #

%1 scanning for viruses has been enabled.

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5012 — ProductName scanning for viruses is disabled.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-Defender)

Description

ProductName scanning for viruses is disabled.

Message #

%1 scanning for viruses is disabled.

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Defender Virus Scanning Feature Disabled source high: Detects disabling of the Windows Defender virus scanning feature

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5013 — Tamper Protection Changed Type a change to Product Name.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational
Collection Priority: Recommended (Microsoft-Defender)

Description

Tamper Protection Changed Type a change to Product Name.

Message #

Tamper Protection %3 a change to %1.
 	Value: %4

Fields #

Name	Description
`Product Name`	—
`Product Version`	—
`Changed Type`	—
`Value` UnicodeString	—
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`ChangedType` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 5013,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-10T04:30:16.233011+00:00",
    "event_record_id": 264,
    "correlation": {},
    "execution": {
      "process_id": 8580,
      "thread_id": 3380
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.26010.5",
    "Changed Type": "Ignored",
    "Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SPYNET\\SpyNetReporting = 0x2"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Microsoft Defender Tamper Protection Trigger source high: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5014 — ProductName Resource Monitor: Memory consumption exceeded its limit.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName Resource Monitor: Memory consumption exceeded its limit.

Message #

%1 Resource Monitor: Memory consumption exceeded its limit.
 	Hit count: %3
 	Current Threshold: %4

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`HitCount` UnicodeString	—
`Threshold` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5015 — ProductName Resource Monitor: CPU utilization exceeded its limit.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName Resource Monitor: CPU utilization exceeded its limit.

Message #

%1 Resource Monitor: CPU utilization exceeded its limit.
 	Hit count: %3
 	Current Threshold: %4

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`HitCount` UnicodeString	—
`Threshold` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5016 — ProductName service seemed to be hung during shutdown.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Description

ProductName service seemed to be hung during shutdown.

Message #

%1 service seemed to be hung during shutdown.
 	Timout (seconds): %3
 	Component: %4
 	Self-terminated: %5

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Timeout` UnicodeString	—
`Component` UnicodeString	—
`Crashed` UnicodeString	—

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5017 — Product Name service feature has encountered an error and failed.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name service feature has encountered an error and failed.

Message #

%1 service feature has encountered an error and failed.
 	Feature: %3
  	Failure Reason: %5
 	Recommended Mitigation: %6
 	Error Code: %7
 	Error description: %8

Fields #

Name	Description
`Product Name`	—
`Product Version`	—
`Feature Name`	—
`Failure Id`	—
`Failure Reason`	—
`Recommendation` UnicodeString	—
`Error Code`	—
`Error Description`	—
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`FeatureName` UnicodeString	—
`FailureId` UnicodeString	—
`FailureReason` UnicodeString	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`ErrorCode` UnicodeString	—
`ErrorDescription` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 5017,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-06T19:18:49.882801+00:00",
    "event_record_id": 1270,
    "correlation": {},
    "execution": {
      "process_id": 3940,
      "thread_id": 4856
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.26010.5",
    "Feature Name": "MDE AV Configurations",
    "Failure Id": "0x00000003",
    "Failure Reason": "Group Policy hive was not ready when MDE AV service started and AV configurations might be not as expected.",
    "Recommendation": "Investigate recent changes in Group Policy server settings and reboot the device.",
    "Error Code": "0x80070002",
    "Error Description": "The system cannot find the file specified. "
  },
  "message": ""
}

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5100 — {Product Name} has entered a grace period and will soon expire.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{Product Name} has entered a grace period and will soon expire. After expiration; this program will disable protection against viruses; spyware; and other potentially unwanted software. 	Expiration Reason: {Expiration Reason} 	Expiration Date (UTC): {Expiration Date (UTC)}

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 5101 — {Product Name} grace period has expired.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational

Message #

{Product Name} grace period has expired. Protection against viruses; spyware; and other potentially unwanted software is disabled. 	Expiration Reason: {Expiration Reason} 	Expiration Date (UTC): {Expiration Date (UTC)} 	Error Code: {Error Code} 	Error Description: {Error Description}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Defender Grace Period Expired source high: Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Microsoft-Windows-Windows Defender

Event ID 101 — Microsoft Defender Antivirus state updated to hc_stateid.

Description

Message #

Fields #

References #

Event ID 1000 — Product Name scan has started.

Description

Message #

Fields #

Example Event #

References #

Event ID 1001 — Product Name scan has finished.

Description

Message #

Fields #

Example Event #

References #

Event ID 1002 — Product Name scan has been stopped before completion.

Description

Message #

Fields #

Example Event #

References #

Event ID 1003 — ProductName scan has been paused.

Description

Message #

Fields #

References #

Event ID 1004 — ProductName scan has resumed.

Description

Message #

Fields #

References #

Event ID 1005 — ProductName scan has encountered an error and terminated.

Description

Message #

Fields #

References #

Event ID 1006 — ProductName has detected malware or other potentially unwanted software.

Description

Message #

Fields #

Related Events #

References #

Event ID 1007 — ProductName has taken action to protect this machine from malware or other potentially unwanted software.

Description

Message #

Fields #

References #

Event ID 1008 — ProductName has encountered an error when taking action on malware or other potentially unwanted software.

Description

Message #

Fields #

References #

Event ID 1009 — ProductName has restored an item from quarantine.

Description

Message #

Fields #

Detection Rules #

Sigma # view in reference

References #

Event ID 1010 — ProductName has encountered an error trying to restore an item from quarantine.

Description

Message #

Fields #

References #

Event ID 1011 — ProductName has deleted an item from quarantine.

Description

Message #

Fields #

References #

Event ID 1012 — ProductName has encountered an error trying to delete an item from quarantine.

Description

Message #

Fields #

References #

Event ID 1013 — Product Name has removed history of malware and other potentially unwanted software.

Description

Message #