Microsoft Defender
Event Logs
Filename | Provider | Channel | EventID | Note |
---|---|---|---|---|
Microsoft-Windows-Windows Defender*.evtx | ? | ? | 1006 | Malware detected |
Microsoft-Windows-Windows Defender*.evtx | ? | ? | 1007 | Malware detected (action taken) |
Microsoft-Windows-Windows Defender*.evtx | ? | ? | 1008 | Malware detected (action failed) |
Microsoft-Windows-Windows Defender*.evtx | ? | ? | 1009 | Quarantine restore |
Microsoft-Windows-Windows Defender*.evtx | ? | ? | 1011 | Quarantine delete |
Microsoft-Windows-Windows Defender*.evtx | ? | ? | 1015 | Behavior detected |
Application-specific files
C:\ProgramData\Microsoft\Windows Defender\Support\
C:\Windows\Temp\MpCmdRun.log
...?\detections.log
Configuration settings/Registry data
HKLM\SOFTWARE\Microsoft\Windows Defender\*
Quarantine
C:\ProgramData\Microsoft\Windows Defender\Quarantine
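A triage script that pulls together the three artifact groups above (the event IDs in the table, the registry tree, and the quarantine directory) from a live host or from an exported `.evtx`. This is an added example, not code from the original page or from any of the referenced tools. It assumes the Operational channel name `Microsoft-Windows-Windows Defender/Operational` and the EventData field names `Threat Name`, `Path`, `Action Name` and `Detection User`, none of which the page itself states (the Provider/Channel columns are left as `?`).

```powershell
# Added example, not part of the original page. Collects the Defender artifacts
# listed above from a live host or from an exported/acquired .evtx file.
# Assumed names (the page leaves them as '?'): the channel
# 'Microsoft-Windows-Windows Defender/Operational' and the EventData fields
# 'Threat Name', 'Path', 'Action Name', 'Detection User'.
param(
    [string]$EvtxPath = ''   # leave empty to query the live Operational channel
)

# EventIDs from the table above
$ids = 1006, 1007, 1008, 1009, 1011, 1015

$filter = @{ Id = $ids }
if ($EvtxPath) { $filter.Path    = $EvtxPath }                                        # offline file
else           { $filter.LogName = 'Microsoft-Windows-Windows Defender/Operational' } # live channel

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The rendered Message can be truncated; the XML EventData keeps every named field.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Threat = $data['Threat Name']
        Path   = $data['Path']
        Action = $data['Action Name']
        User   = $data['Detection User']
    }
}

"== Defender detection / quarantine events =="
$rows | Sort-Object Time | Format-Table -AutoSize

# 1008 (action failed) and 1009 (quarantine restore) deserve a closer look:
# a failed remediation or a restored sample may mean the file is still on disk.
$suspect = $rows | Where-Object { $_.Id -in 1008, 1009 }
if ($suspect) {
    "== Failed actions / quarantine restores =="
    $suspect | Format-Table -AutoSize
}

# Configuration: dump the registry tree listed above (live host or a loaded SOFTWARE hive).
"== Registry: HKLM\SOFTWARE\Microsoft\Windows Defender =="
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Format-List

# Quarantine store: list what is held, with timestamps, to correlate against 1007/1011 events.
"== Quarantine directory =="
Get-ChildItem 'C:\ProgramData\Microsoft\Windows Defender\Quarantine' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Run it without arguments on the host under review, or with `-EvtxPath` pointing at a copy of `Microsoft-Windows-Windows Defender%4Operational.evtx` taken from an image; reading the registry and quarantine sections from an image requires the SOFTWARE hive to be loaded and the path adjusted to the mounted volume.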
Tools
DetectionHistory Parser v1.0.1
References:
- Why Are Windows Defender AV Logs So Important And How To Monitor Them With Azure Sentinel?
- Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
- Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations
- Uncovering Windows Defender Real-time Protection History with DHParser