Event ID 2010 — Product Name used cloud protection to get additional security intelligence.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Informational

Description

Product Name used cloud protection to get additional security intelligence.

Message #

%1 used cloud protection to get additional security intelligence.
 	Current security intelligence Version: %3
 	Security intelligence Type: %12
 	User: %8\%9
 	Current Engine Version: %15
 	Cloud protection intelligence Type: %23
 	Persistence Path: %24
 	Cloud protection intelligence Version: %25
 	Cloud protection intelligence Compilation Timestamp: %26
 	Persistence Limit Type: %28
 	Persistence Limit: %29

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Current security intelligence Version` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Unused3` UnicodeString	—
`Unused4` UnicodeString	—
`Domain` UnicodeString	—
`User` UnicodeString	—
`SID` UnicodeString	—
`Security intelligence Type Index` UnicodeString	—
`Security intelligence Type` UnicodeString	—
`Unused5` UnicodeString	—
`Unused6` UnicodeString	—
`Current Engine Version` UnicodeString	—
`Unused7` UnicodeString	—
`Unused8` UnicodeString	—
`Unused9` UnicodeString	—
`Unused10` UnicodeString	—
`Unused11` UnicodeString	—
`Unused12` UnicodeString	—
`Cloud protection intelligence Type Index` UnicodeString	—
`Cloud protection intelligence Type` UnicodeString	—
`Persistence Path` UnicodeString	—
`Cloud protection intelligence Version` UnicodeString	—
`Cloud protection intelligence Compilation Timestamp` UnicodeString	—
`Persistence Limit Type Index` UnicodeString	—
`Persistence Limit Type` UnicodeString	—
`Persistence Limit Value` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 2010,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:34:04.823948+00:00",
    "event_record_id": 162,
    "correlation": {},
    "execution": {
      "process_id": 3332,
      "thread_id": 12556
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "Microsoft Defender Antivirus",
    "Product Version": "4.18.23090.2008",
    "Current security intelligence Version": "1.399.1311.0",
    "Unused": "",
    "Unused2": "",
    "Unused3": "",
    "Unused4": "",
    "Domain": "",
    "User": "",
    "SID": "",
    "Security intelligence Type Index": "0",
    "Security intelligence Type": "",
    "Unused5": "",
    "Unused6": "",
    "Current Engine Version": "1.1.23090.2007",
    "Unused7": "",
    "Unused8": "",
    "Unused9": "",
    "Unused10": "",
    "Unused11": "",
    "Unused12": "",
    "Cloud protection intelligence Type Index": "1",
    "Cloud protection intelligence Type": "Security intelligence update",
    "Persistence Path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\data\\2c120ea46d796db0984b96884f1a90a8dab2bfe3",
    "Cloud protection intelligence Version": "0.0.0.0",
    "Cloud protection intelligence Compilation Timestamp": "11/6/2023 1:34:04 AM",
    "Persistence Limit Type Index": "2",
    "Persistence Limit Type": "Duration",
    "Persistence Limit Value": "100000"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Example event sourced from https://github.com/NextronSystems/evtx-baseline
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/