Is Windows Defender supported by the winevent_nic log parser?
We have some endpoints that are using Windows Defender managed via SCCM as their AV solution, for...some reason.
Is there a correct way to centralize logs from these clients (ie detections, scan results, etc.) into Netwitness? I have a sneaking suspicion that we're going to have to use Windows Event Forwarding from the clients to a central Windows server, and then pull those logs into Netwitness. My question is more about whether or not the events will be parsed correctly/at all, or if we'll have to extend the winevent_nic parser (or write a new one?) ourselves to properly interpret the contents of the /Applications and Services Logs/Microsoft/Windows/Windows Defender Antivirus logs once we are able to route them to Netwitness.
Has anyone else done this?
For reference, here's Microsoft's documentation on these events: Windows Defender AV event IDs and error codes | Microsoft Docs
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
- Windows Client
- windows defender
From previous work with a customer, Defender logs are captured by SCCM but not written to the event logs as other events are. They are written to the DB where they need to be extracted with a custom typespec and xml.
The typespec (ODBC query) needs to be customized to match your instance.
I would start with SQL test to make sure the ODBC query works and gets you the information that you need, then expand to implement the typespec and the parser to extract the information completely.
thanks to Ian Redden for the original work on this.