Microsoft Defender Antivirus Events


#1 hebval

Hi, I'd like to log my Microsoft Defender Events (EventID:1116) so when a malware is detected, I get it on my Graylog server.

Problem is that with Server 2016/Windows 10, the logs are too many for a simple input (with the 256 limit).

So I decided to filter some, and to only get some of them :

<Input in>
    Module im_msvistalog
    Query <QueryList>\
            <Query Id="0">\
                <Select Path="Application">*</Select>\
                <Select Path="System">*</Select>\
                <Select Path="Security">*</Select>\
                <Select Path="Windows PowerShell">*</Select>\
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
            </Query>\
          </QueryList>
</Input>

I receive my App, Sys, Security, and Powershell in Graylog but not my Windows Defender events. I tried to generate logs multiple times, with some EICAR files, the logs appear in the Event Viewer, but nothing appears in my Graylog Server.

Any help please ? :) thanks

#2 scott.f.kisely@gmail.com

I'm still learning myself so there may be better ways and I'm not positive, but I would test the statement “TolerateQueryErrors TRUE”. First, this should help with both Windows Defender and some PowerShell logs you are possibly missing out on. Windows Defender’s file format (and some PowerShell logs) can be a little off because it is reporting hashes, code strings, etc. all depending on the different event types.

And, if you don't already, depending on whether you really want them or not, you may want to filter out the 5156 and 5158 events. Two methods that I know of are:

  1. Event drops or Blacklisting - (Don't remember where I learned this one) - Example: Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
  2. Define Events or Whitelisting - For a better description, see "Examples 9 and 10" from https://docs.nxlog.co/userguide/integrate/windows-eventlog.html for more thorough details - Example:

    # define Security Events
    define SecurityEvents 4624, 4634, 4648, 4656, 4658, 4660, 4663, 4672, \
                          4673, 4688, 4689, 4698, 4720, 4768, 4769, 4946, \
                          5140, 5142, 5144, 5145, 5154, 5447, 8222

I placed the TolerateQueryErrors and Event Blacklisting in my possible fix to help show placement.

<Input in>
    Module im_msvistalog
    TolerateQueryErrors TRUE
    Query <QueryList>\
            <Query Id="0">\
                <Select Path="Application">*</Select>\
                <Select Path="System">*</Select>\
                <Select Path="Security">*</Select>\
                <Select Path="Windows PowerShell">*</Select>\
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
            </Query>\
          </QueryList>
    Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

I hope this helps!
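
One way to narrow the Defender channel to the detection event the question asks about (EventID 1116), shown as an added example that is not from either poster. The instance name `defender` and the route names in the comments are assumptions.

```nxlog
# Added example: a dedicated input that reads only the Defender operational
# channel and lets the Event Log XPath filter keep EventID 1116 (the
# detection event from the question), so other Defender events never
# leave the host.
# "defender" is an illustrative instance name, not one from the thread.
<Input defender>
    Module  im_msvistalog
    # Do not stop collection when a queried source is unavailable on a host
    TolerateQueryErrors TRUE
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1116)]]</Select>\
                </Query>\
            </QueryList>
</Input>

# The new instance must also be listed in the Route that feeds the Graylog
# output, next to the existing "in" instance. The route and output names
# below are placeholders for whatever the existing configuration uses:
#
# <Route to_graylog>
#     Path    in, defender => out
# </Route>
```

Keeping the Defender channel in its own instance also means a query problem on that channel shows up in the NXLog agent log under a distinct instance name.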