
Event ID 1151 — Endpoint Protection client health report (time in UTC).

Provider
Microsoft-Windows-Windows Defender
Channel
Operational
Level
Informational

Description

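Endpoint Protection client health report (time in UTC). The event records a health snapshot of the Microsoft Defender Antivirus client: platform, engine and security intelligence versions, the state of each protection component, security intelligence and scan ages, and the overall product status. The component abbreviations are RTP (real-time protection), OA (on-access protection), IOAV (scanning of downloaded files and attachments) and BM (behavior monitoring); a report showing any of them as Disabled is worth alerting on when that state is not expected for the host.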

Message

Endpoint Protection client health report (time in UTC):
 	Platform version: %2
 	Engine version: %4
 	Network Realtime Inspection engine version: %5
 	Antivirus security intelligence version: %6
 	Antispyware security intelligence version: %7
 	Network Realtime Inspection security intelligence version: %8
 	RTP state: %9
 	OA state: %10
 	IOAV state: %11
 	BM state: %12
 	Antivirus security intelligence age: %13
 	Antispyware security intelligence age: %14
 	Last quick scan age: %15
 	Last full scan age: %16
 	Antivirus security intelligence creation time: %17
 	Antispyware security intelligence creation time: %18
 	Last quick scan start time: %19
 	Last quick scan end time: %20
 	Last quick scan source: %21
 	Last full scan start time: %22
 	Last full scan end time: %23
 	Last full scan source: %24
 	Product status: %25

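Fields

Fields are listed in order; `%N` in the message template above refers to the Nth field. `%1` (Product Name) and `%3` (Unused) are therefore not rendered in the message, and the last four fields (latest engine/platform version and the two up-to-date flags) appear only in the event data.

Name Description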
Product Name UnicodeString
Platform version UnicodeString
Unused UnicodeString
Engine version UnicodeString
NRI engine version UnicodeString
AV security intelligence version UnicodeString
AS security intelligence version UnicodeString
NRI security intelligence version UnicodeString
RTP state UnicodeString
OA state UnicodeString
IOAV state UnicodeString
BM state UnicodeString
Last AV security intelligence age UnicodeString
Last AS security intelligence age UnicodeString
Last quick scan age UnicodeString
Last full scan age UnicodeString
AV security intelligence creation time UnicodeString
AS security intelligence creation time UnicodeString
Last quick scan start time UnicodeString
Last quick scan end time UnicodeString
Last quick scan source UnicodeString
Last full scan start time UnicodeString
Last full scan end time UnicodeString
Last full scan source UnicodeString
Product status UnicodeString
Latest engine version UnicodeString
Engine up-to-date UnicodeString
Latest platform version UnicodeString
Platform up-to-date UnicodeString

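Example Event

In this example all four protection components report Disabled, and no quick or full scan has been recorded: the scan ages are 4294967295 (0xFFFFFFFF) and the scan start/end times are 1601-01-01T00:00:00Z (the zero value of a Windows FILETIME), which appear to be placeholders rather than real measurements. Treat these values as "never" rather than as dates or ages when parsing the event.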

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1151,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:33:02.916969+00:00",
    "event_record_id": 160,
    "correlation": {},
    "execution": {
      "process_id": 3332,
      "thread_id": 7940
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Platform version": "4.18.23090.2008",
    "Unused": "",
    "Engine version": "1.1.23090.2007",
    "NRI engine version": "1.1.23090.2007",
    "AV security intelligence version": "1.399.1311.0",
    "AS security intelligence version": "1.399.1311.0",
    "NRI security intelligence version": "1.399.1311.0",
    "RTP state": "Disabled",
    "OA state": "Disabled",
    "IOAV state": "Disabled",
    "BM state": "Disabled",
    "Last AV security intelligence age": "11",
    "Last AS security intelligence age": "11",
    "Last quick scan age": "4294967295",
    "Last full scan age": "4294967295",
    "AV security intelligence creation time": "2023-10-25T15:24:36Z",
    "AS security intelligence creation time": "2023-10-25T15:24:36Z",
    "Last quick scan start time": "1601-01-01T00:00:00Z",
    "Last quick scan end time": "1601-01-01T00:00:00Z",
    "Last quick scan source": "0",
    "Last full scan start time": "1601-01-01T00:00:00Z",
    "Last full scan end time": "1601-01-01T00:00:00Z",
    "Last full scan source": "0",
    "Product status": "0x00080000",
    "Latest engine version": "1.1.23090.2007",
    "Engine up-to-date": "0",
    "Latest platform version": "4.18.23090.2008",
    "Platform up-to-date": "1"
  },
  "message": ""
}

References