Event ID 1002 — Product Name scan has been stopped before completion.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Warning

Description

Product Name scan has been stopped before completion.

Message #

%1 scan has been stopped before completion.
 	Scan ID: %3
 	Scan Type: %5
 	Scan Parameters: %7
  	User: %8\%9
 	Stop Reason: %12

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Scan ID` UnicodeString	—
`Scan Type Index` UnicodeString	—
`Scan Type` UnicodeString	—
`Scan Parameters Index` UnicodeString	—
`Scan Parameters` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1002,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:04:28.116951+00:00",
    "event_record_id": 33,
    "correlation": {},
    "execution": {
      "process_id": 2680,
      "thread_id": 2860
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.2104.5",
    "Scan ID": "{CE345D2C-02E3-48B3-8683-BF64336A98E7}",
    "Scan Type Index": "1",
    "Scan Type": "Antimalware",
    "Scan Parameters Index": "1",
    "Scan Parameters": "Quick Scan",
    "Domain": "NT AUTHORITY",
    "User": "SYSTEM",
    "SID": "S-1-5-18"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/