
Is Windows Defender supported by the winevent_nic log parser?

Question asked by Craig Cameron-Weir on Sep 6, 2018
Latest reply on Sep 10, 2018 by Craig Cameron-Weir

We have some endpoints that are using Windows Defender managed via SCCM as their AV solution, for...some reason.

Is there a correct way to centralize logs from these clients (i.e. detections, scan results, etc.) into Netwitness? I have a sneaking suspicion that we're going to have to use Windows Event Forwarding from the clients to a central Windows server, and then pull those logs into Netwitness. My question is more about whether or not the events will be parsed correctly/at all, or if we'll have to extend the winevent_nic parser (or write a new one?) ourselves to properly interpret the contents of the /Applications and Services Logs/Microsoft/Windows/Windows Defender Antivirus logs once we are able to route them to Netwitness.

Has anyone else done this?

For reference, here's Microsoft's documentation on these events: Windows Defender AV event IDs and error codes | Microsoft Docs 
