Event ID 1117 — Product Name has taken action to protect this machine from malware or other potentially unwanted software.
Description
Product Name has taken action to protect this machine from malware or other potentially unwanted software.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Product Name | UnicodeString | — |
| Product Version | UnicodeString | — |
| Detection ID | UnicodeString | — |
| Detection Time | UnicodeString | — |
| Unused | UnicodeString | — |
| Unused2 | UnicodeString | — |
| Threat ID | UnicodeString | — |
| Threat Name | UnicodeString | — |
| Severity ID | UnicodeString | — |
| Severity Name | UnicodeString | — |
| Category ID | UnicodeString | — |
| Category Name | UnicodeString | — |
| FWLink | UnicodeString | — |
| Status Code | UnicodeString | — |
| Status Description | UnicodeString | — |
| State | UnicodeString | — |
| Source ID | UnicodeString | — |
| Source Name | UnicodeString | — |
| Process Name | UnicodeString | — |
| Detection User | UnicodeString | — |
| Unused3 | UnicodeString | — |
| Path | UnicodeString | — |
| Origin ID | UnicodeString | — |
| Origin Name | UnicodeString | — |
| Execution ID | UnicodeString | — |
| Execution Name | UnicodeString | — |
| Type ID | UnicodeString | — |
| Type Name | UnicodeString | — |
| Pre Execution Status | UnicodeString | — |
| Action ID | UnicodeString | — |
| Action Name | UnicodeString | — |
| Unused4 | UnicodeString | — |
| Error Code | UnicodeString | — |
| Error Description | UnicodeString | — |
| Unused5 | UnicodeString | — |
| Post Clean Status | UnicodeString | — |
| Additional Actions ID | UnicodeString | — |
| Additional Actions String | UnicodeString | — |
| Remediation User | UnicodeString | — |
| Unused6 | UnicodeString | — |
| Signature Version | | — |
| Engine Version | UnicodeString | — |
Example Event (the `%%NNN` values in `event_data` are unresolved message-table string references and the `message` field is empty in this capture; note that the non-zero `Error Code` and its `Error Description` show the reported action did not fully complete in this sample)
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 1117,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2019-07-18T20:53:31.952569+00:00",
"event_record_id": 106,
"correlation": {
"ActivityID": "2AD0CF94-C382-4568-A488-1253A4ED0F54"
},
"execution": {
"process_id": 6024,
"thread_id": 6068
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "%%827",
"Product Version": "4.18.1906.3",
"Detection ID": "{8791B1FB-0FE7-412E-B084-524CB5A221F3}",
"Detection Time": "2019-07-18T20:40:13.775Z",
"Unused": "",
"Unused2": "",
"Threat ID": "2147735426",
"Threat Name": "Trojan:XML/Exeselrun.gen!A",
"Severity ID": "5",
"Severity Name": "Severe",
"Category ID": "8",
"Category Name": "Trojan",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0",
"Status Code": "5",
"Status Description": "",
"State": "2",
"Source ID": "3",
"Source Name": "%%818",
"Process Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Detection User": "MSEDGEWIN10\\IEUser",
"Unused3": "",
"Path": "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1086\\payloads\\test.xsl",
"Origin ID": "1",
"Origin Name": "%%845",
"Execution ID": "1",
"Execution Name": "%%813",
"Type ID": "2",
"Type Name": "%%823",
"Pre Execution Status": "0",
"Action ID": "6",
"Action Name": "%%811",
"Unused4": "",
"Error Code": "0x80508023",
"Error Description": "The program could not find the malware and other potentially unwanted software on this device. ",
"Unused5": "",
"Post Clean Status": "0",
"Additional Actions ID": "0",
"Additional Actions String": "No additional actions required",
"Remediation User": "NT AUTHORITY\\SYSTEM",
"Unused6": "",
"Signature Version": "AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0",
"Engine Version": "AM: 1.1.16100.4, NIS: 0.0.0.0"
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/