We have some endpoints that are using Windows Defender managed via SCCM as their AV solution, for...some reason.
Is there a correct way to centralize logs from these clients (i.e. detections, scan results, etc.) into Netwitness? I have a sneaking suspicion that we're going to have to use Windows Event Forwarding from the clients to a central Windows server, and then pull those logs into Netwitness. My question is more about whether or not the events will be parsed correctly/at all, or if we'll have to extend the winevent_nic parser (or write a new one?) ourselves to properly interpret the contents of the Applications and Services Logs/Microsoft/Windows/Windows Defender Antivirus logs once we are able to route them to Netwitness.
Has anyone else done this?
For reference, here's Microsoft's documentation on these events: Windows Defender AV event IDs and error codes | Microsoft Docs
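Before deciding whether winevent_nic needs extending, it helps to see the raw field layout of the events the parser would receive. The following PowerShell is an added example, not code from the original post or from RSA/Netwitness: it pulls recent Defender detection events (IDs 1116 and 1117, documented in the linked Microsoft page) from the Defender operational channel and dumps each event's named EventData fields. The script parameters and the ForwardedEvents note are assumptions about a standard WEF setup.

```powershell
# Added example: list the named EventData fields of Defender detection events
# so you know which fields a SIEM parser has to map before forwarding them.
# Event IDs 1116 (malware detected) and 1117 (action taken) are documented
# Defender AV events; the channel below is Defender's standard operational log.
param(
    # Assumption: run on the endpoint itself, or point at a host you can query.
    [string]$ComputerName = $env:COMPUTERNAME,
    # Assumption: on a WEF collector the events land in 'ForwardedEvents' instead.
    [string]$LogName = 'Microsoft-Windows-Windows Defender/Operational',
    [int]$MaxEvents = 20
)

$filter = @{
    LogName = $LogName
    Id      = 1116, 1117
}

# Get-WinEvent throws if no matching events exist, so handle that case explicitly.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Defender detection events (1116/1117) found in '$LogName' on $ComputerName."
    return
}

foreach ($evt in $events) {
    # ToXml() gives the full event XML; the named <Data Name="..."> elements
    # under <EventData> are what a parser must map to meta keys.
    [xml]$x = $evt.ToXml()
    $fields = [ordered]@{}
    foreach ($d in $x.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Id          = $evt.Id
        Computer    = $evt.MachineName
        Fields      = ($fields.GetEnumerator() |
                       ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}
```

Run it once on a test endpoint that has a recent detection (e.g. an EICAR test file) and once on the WEF collector with `-LogName ForwardedEvents` to confirm the forwarded copy carries the same named fields; any field names missing from the parser's output in Netwitness are the ones a parser extension would have to add.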