
Event ID 1001 — Product Name scan has finished.

Provider
Microsoft-Windows-Windows Defender
Channel
Operational
Level
Informational

Description

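Product Name scan has finished. Here "Product Name" is a placeholder for the first event field (%1 in the message template); in the example event below it is "Microsoft Defender Antivirus".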

Message

%1 scan has finished.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
 	User: %8\%9
 	Scan Time: %11:%12:%13

Fields

Name Description
Product Name UnicodeString
Product Version UnicodeString
Scan ID UnicodeString
Scan Type Index UnicodeString
Scan Type UnicodeString
Scan Parameters Index UnicodeString
Scan Parameters UnicodeString
Domain UnicodeString
User UnicodeString
SID UnicodeString
Scan Time Hours UnicodeString
Scan Time Minutes UnicodeString
Scan Time Seconds UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-04T14:09:02.003645+00:00",
    "event_record_id": 102,
    "correlation": {
      "ActivityID": "5F56C890-B44B-432D-8EF6-FB4D94734C2D"
    },
    "execution": {
      "process_id": 1796,
      "thread_id": 3036
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2202.4",
    "Scan ID": "{7749FCE9-BEE7-43EC-991B-C0ADC46B93C1}",
    "Scan Type Index": "1",
    "Scan Type": "Antimalware",
    "Scan Parameters Index": "1",
    "Scan Parameters": "Quick Scan",
    "Domain": "WIN-TKC15D7KHUR",
    "User": "Administrator",
    "SID": "S-1-5-21-1958040314-2592322477-2606035944-500",
    "Scan Time Hours": "0",
    "Scan Time Minutes": "02",
    "Scan Time Seconds": "25"
  },
  "message": ""
}

References