
Event ID 1000 — Product Name scan has started.

Provider
Microsoft-Windows-Windows Defender
Channel
Operational
Level
Informational

Description

Product Name scan has started.

Message

%1 scan has started.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	Scan Resources: %11
  	User: %8\%9
 	Scan Trigger: %13
 	Scan Only If Idle: %14
 	Low CPU Priority for Scans: %15
 	Thread Priority: %16

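Fields

Fields are listed in insertion-string order: %1 is Product Name and %11 is Scan Resources. The message template also references %13–%16 (Scan Trigger, Scan Only If Idle, Low CPU Priority for Scans, Thread Priority), which are not among the 11 fields listed here or present in the version 0 example event, so those lines may render empty for events of this version.

Name Description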
Product Name UnicodeString
Product Version UnicodeString
Scan ID UnicodeString
Scan Type Index UnicodeString
Scan Type UnicodeString
Scan Parameters Index UnicodeString
Scan Parameters UnicodeString
Domain UnicodeString
User UnicodeString
SID UnicodeString
Scan Resources UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:03:12.968279+00:00",
    "event_record_id": 32,
    "correlation": {},
    "execution": {
      "process_id": 2680,
      "thread_id": 2860
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2104.5",
    "Scan ID": "{CE345D2C-02E3-48B3-8683-BF64336A98E7}",
    "Scan Type Index": "1",
    "Scan Type": "Antimalware",
    "Scan Parameters Index": "1",
    "Scan Parameters": "Quick Scan",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18",
    "Scan Resources": ""
  },
  "message": ""
}

References