Windows Defender Log File

Follow
Avatar
CJ Vallade

Is it possible to create an alert for Windows Defender Logs based on a certain Event ID?   

 

Here's what I have so far:

 

Source Category: windows/events/windows_defender

Field: Event ID 5001

Custom Event Channels: Microsoft-Windows-Windows Defender/Operational

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    Harinder Bhandari

    Yes, it is possible to create an alert for Windows Defender Logs based on a certain Event ID. For example, Event ID 5001

    _sourceCategory="windows/events/windows_defender"
    | parse "EventCode = *;" as EventCode
    | where EventCode matches "5001"
    | count by EventCode
    | where EventCode > "0"

    Now you can set up an alert where an alert condition is the number of results > 0. 

    https://help.sumologic.com/Visualizations-and-Alerts/Alerts/03-Create-a-Real-Time-Alert

    0
    Comment actions Permalink
  • Avatar
    CJ Vallade

    Thank you for the reply and I apologize for not getting back to you sooner.  I was trying to create the new alert, but I'm not sure I am adding it in the right spot.  Can I just create a new alert with the options above?  I tried to do that but it was giving me an error about a timeshift value?  

    0
    Comment actions Permalink
  • Avatar
    Aaron Cooper

    How are you pulling logs from Defender?  Did you create your own script, and if so, how did you do it?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post