Microsoft Windows Defender Antivirus

Microsoft Windows Defender Antivirus is anti-malware software that protects against software threats. InsightIDR automatically collects Microsoft Windows Defender Antivirus events from deployed agents on Windows endpoints. By default, legacy UBA detection rules generate notable events for Windows Defender events. If you would like to configure these detection rules, navigate to Detection Rules > Legacy UBA Detection Rules, and locate the Virus Alert rule.

Microsoft System Center Endpoint Protection Events

If you are using Microsoft System Center Endpoint Protection (SCEP) and the events are written to the Windows Defender Antivirus operational log, then these events are collected in the same manner for Microsoft SCEP as for Windows Defender.

How it works

On all Windows endpoints where the Rapid7 Insight Agent is installed, the agent collects the log entries from the Defender Antivirus operational Windows event log. You can view this event log on a Windows host with the Event Viewer under Applications and Services Logs > Microsoft > Windows > Microsoft Defender Antivirus > Operational.

You can read more about this Microsoft Windows event log at: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus#windows-defender-antivirus-event-ids.

If the Insight Agent finds new events being written to this Windows event log, then the Insight Agent will collect them and send them to InsightIDR. There is no event source to add and no configuration required in InsightIDR.

View your logs in InsightIDR

Windows Defender logs flow into different log sets depending on the event. Windows Defender events that are not recognized by the Insight Agent are sent to the Unparsed Data log set. The Insight Agent recognizes certain event codes and sends them to InsightIDR where they flow into the Virus Alert log set.

Event codes that flow into the Unparsed Data log set

1001, 1002, 1003, 1004, 1005, 1009, 1010, 1011, 1012, 1013, 1014, 1120, 1150, 1151, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2010, 2011, 2012, 2013, 2020, 2021, 2030, 2031, 2040, 2041, 2042, 3002, 3007, 5000, 5001, 5004, 5007, 5008, 5009, 5010, 5011, 5012, 5100, 5101

To view these events, click Log Search > Unparsed Data.

Screenshot: Unparsed Data log set showing Windows Defender events.

Event codes that flow into the Virus Alert log set

1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119

To view these events, click Log Search > Virus Alert.

Screenshot: Virus Alert log set showing Windows Defender events.

Example input log

```json
{
  "timestamp": "2020-07-02T18:07:00.006Z",
  "asset": "xyz",
  "user": "abc",
  "source_address": "xyz",
  "account": "system",
  "risk": "TrojanDropper:VBS/Swrort.A",
  "action": "No Action",
  "file_path": "containerfile:_C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\fHrHNHk8t[1].asp; file:_C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\fHrHNHk8t[1].asp->(SCRIPT0001)",
  "action_status": "Successful",
  "error_code": "0x00000000",
  "error_description": "The operation completed successfully. ",
  "source_json": {
    "sourceName": "Microsoft-Windows-Windows Defender",
    "eventCode": 1117,
    "computerName": "XYZ",
    "sid": "S-1-5-18",
    "isDomainController": false,
    "eventData": {
      "severityName": "Severe",
      "unused2": null,
      "sourceName": "%%818",
      "executionId": "1",
      "detectionUser": "NT AUTHORITY\\SYSTEM",
      "typeId": "0",
      "errorCode": "0x00000000",
      "categoryName": "Trojan Dropper",
      "signatureVersion": "AV: 1.319.590.0, AS: 1.319.590.0, NIS: 1.319.590.0",
      "preExecutionStatus": "0",
      "productVersion": "4.18.2006.10",
      "unused4": null,
      "actionId": "9",
      "errorDescription": "The operation completed successfully. ",
      "unused": null,
      "unused5": null,
      "state": "1",
      "data": [],
      "executionName": "%%813",
      "additionalActionsString": "No additional actions required",
      "actionName": "%%887",
      "unused6": null,
      "typeName": "%%822",
      "detectionId": "{1E0D6418-A6A4-4214-B97D-68D25C126C89}",
      "severityId": "5",
      "detectionTime": "2020-06-22T19:36:50.493Z",
      "threatId": "2147653574",
      "originId": "1",
      "productName": "%%827",
      "remediationUser": null,
      "threatName": "TrojanDropper:VBS/Swrort.A",
      "statusCode": "1",
      "postCleanStatus": "0",
      "statusDescription": null,
      "categoryId": "37",
      "sourceId": "3",
      "engineVersion": "AM: 1.1.17200.2, NIS: 1.1.17200.2",
      "unused3": null,
      "path": "containerfile:_C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\fHrHNHk8t[1].asp; file:_C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\fHrHNHk8t[1].asp->(SCRIPT0001)",
      "processName": "processName",
      "originName": "%%845",
      "fwlink": "https://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:VBS/Swrort.A&threatid=2147653574&enterprise=0",
      "additionalActionsId": "0"
    },
    "timeWritten": "2020-07-02T18:07:00.006792800Z"
  }
}
```
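The following is an added example, not Rapid7's own parser: it applies the two event code lists above to decide which log set a Defender event lands in, then summarises a Virus Alert event in the shape of the example log. The field mapping (risk from threatName, file_path from path, action_status from errorCode) is an assumption read off the sample event, and the sample dictionary is a constructed, trimmed copy of the event 1117 shown above.

```python
# Added example, not Rapid7's parser: route Defender event codes to the log sets
# this page lists, then pull threat fields out of a Virus Alert event. The field
# mapping (risk <- threatName, file_path <- path, ...) is an assumption.
VIRUS_ALERT_CODES = {1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119}
UNPARSED_CODES = {
    1001, 1002, 1003, 1004, 1005, 1009, 1010, 1011, 1012, 1013, 1014, 1120,
    1150, 1151, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2010, 2011,
    2012, 2013, 2020, 2021, 2030, 2031, 2040, 2041, 2042, 3002, 3007, 5000,
    5001, 5004, 5007, 5008, 5009, 5010, 5011, 5012, 5100, 5101,
}

def log_set_for(event_code):
    """Log set a Defender event code flows into; None if in neither list."""
    if event_code in VIRUS_ALERT_CODES:
        return "Virus Alert"
    if event_code in UNPARSED_CODES:
        return "Unparsed Data"
    return None

def normalize(raw):
    """Summarise a raw agent event (the 'source_json' shape shown above)."""
    data = raw.get("eventData", {})
    out = {"event_code": raw["eventCode"], "asset": raw.get("computerName"),
           "log_set": log_set_for(raw["eventCode"])}
    if out["log_set"] == "Virus Alert":
        # Assumption: errorCode 0x00000000 means the remediation succeeded.
        ok = data.get("errorCode") == "0x00000000"
        out.update({
            "risk": data.get("threatName"),
            "severity": data.get("severityName"),
            "file_path": data.get("path"),
            "detection_user": data.get("detectionUser"),
            "action_status": "Successful" if ok else "Failed",
        })
    return out

# Constructed sample, trimmed from the page's event 1117 (not live data).
SAMPLE = {
    "eventCode": 1117, "computerName": "XYZ", "sid": "S-1-5-18",
    "eventData": {
        "severityName": "Severe", "detectionUser": r"NT AUTHORITY\SYSTEM",
        "errorCode": "0x00000000", "threatName": "TrojanDropper:VBS/Swrort.A",
        "path": r"file:_C:\Windows\SysWOW64\config\systemprofile\AppData\Local"
                r"\Microsoft\Windows\INetCache\IE\fHrHNHk8t[1].asp->(SCRIPT0001)",
    },
}

if __name__ == "__main__":
    print(normalize(SAMPLE))
```

Events whose code is in neither list return None from log_set_for, which is worth alerting on as a gap in coverage rather than silently dropping.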