Event ID 1009 — ProductName has restored an item from quarantine.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Collection Priority: Recommended (Microsoft-WEF, others)

Description

ProductName has restored an item from quarantine.

Message #

%1 has restored an item from quarantine.
 For more information please see the following:
%15
 	Name: %11
 	ID: %12
 	Severity: %25
 	Category: %26
 	User: %8\%9
 	Security intelligence Version: %27
 	Engine Version: %28

Fields #

Name	Description
`ProductName` UnicodeString	—
`ProductVersion` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Unused5` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`ThreatName` UnicodeString	—
`ThreatID` UnicodeString	—
`SeverityID` UnicodeString	—
`CategoryID` UnicodeString	—
`FWLink` UnicodeString	—
`Path` UnicodeString	—
`Unused6` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`Unused11` UnicodeString	—
`Unused12` UnicodeString	—
`Unused13` UnicodeString	—
`SeverityName` UnicodeString	—
`CategoryName` UnicodeString	—
`SecurityintelligenceVersion` UnicodeString	—
`EngineVersion` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Win Defender Restored Quarantine File source high: Detects the restoration of files from the defender quarantine

References #

RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/