Microsoft Defender Antivirus Events


hebval

Hi, I'd like to log my Microsoft Defender events (EventID 1116) so that when malware is detected, I get it on my Graylog server.

Problem is that with Server 2016/Windows 10, the logs are too many for a simple input (with the 256 limit).

So I decided to filter some, and to only get some of them:

<Input in>
    # im_msvistalog takes the Event Viewer QueryList XML as the value of Query;
    # the backslashes continue the value over several lines
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                        <Select Path="Windows PowerShell">*</Select>\
                        <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
                    </Query>\
                </QueryList>
</Input>

I receive my Application, System, Security and PowerShell logs in Graylog but not my Windows Defender events. I tried to generate logs multiple times with some EICAR files; the logs appear in the Event Viewer, but nothing appears in my Graylog server.

Any help please? :) Thanks
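An added example (not from the original post) of the query the poster is after: the same QueryList, but with the Defender channel narrowed to the detection events instead of `*`, so the input only has to carry the events that matter. EventID 1116 is the "malware detected" event named in the post; 1117 ("action taken") is included here as an assumption about what a defender also wants, since a detection alone does not say whether the threat was removed. The channel name is assumed to be exactly as the poster wrote it, including the space in "Windows Defender".

```xml
<!-- Added example, not the poster's config. Event Viewer QueryList XML:
     every channel except Defender keeps "*"; the Defender channel is
     filtered by an XPath expression on the event's System/EventID. -->
<QueryList>
  <Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="System">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Windows PowerShell">*</Select>
    <!-- 1116 = malware detected (from the post), 1117 = action taken (assumed useful) -->
    <Select Path="Microsoft-Windows-Windows Defender/Operational">
      *[System[(EventID=1116 or EventID=1117)]]
    </Select>
  </Query>
</QueryList>
```

A useful check before touching the NXLog config: paste this XML into Event Viewer, Filter Current Log, XML tab (Edit query manually), and confirm the EICAR test events show up in the filtered view. If they do, the channel path and EventID filter are right and the remaining gap is in the collector; if they do not, the query itself needs fixing. Newer NXLog versions accept the same XML inside a `<QueryXML>` block of the im_msvistalog input instead of the backslash-continued `Query` directive.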