Microsoft Defender Antivirus Events

I'm still learning myself so there may be better ways and I'm not positive, but I would test the statement “TolerateQueryErrors TRUE”. First, this should help with both Windows Defender and some PowerShell logs you are possibly missing out on. Windows Defender’s file format (and some PowerShell logs) can be a little off because it is reporting hashes, code strings, etc. all depending on the different event types.

And, if you don't already, depending on if you really want them or not. You may want to filter out the 5156 and 5158 events. 2 methods that I know of are:
1) Event drops or Blacklisting - (Don't remember were I learned this one) - Example:
Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
2) Define Events or Whitelisting - For a better description, see "Examples 9 and 10" from https://docs.nxlog.co/userguide/integrate/windows-eventlog.html for more thorough details - Example:
# define Security Events
define SecurityEvents 4624, 4634, 4648, 4656, 4658, 4660, 4663, 4672, \
4673, 4688, 4689, 4698, 4720, 4768, 4769, 4946, \
5140, 5142, 5144, 5145, 5154, 5447, 8222

I placed the TolerateQueryErrors and Event Blacklisting in my possible fix help show placement.

<Input in>
Module im_msvistalog
TolerateQueryErrors TRUE
<QueryList>
<Query Id="0">
<Select Path="Application">*</Select>
<Select Path="System">*</Select>
<Select Path="Security">*</Select>
<Select Path="Windows PowerShell">*</Select>
<Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
</Query>
</QueryList>
Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

I hope this helps!