Data Source: Windows Event Log Defender 5007

Date: 2025-07-10

ID: 27f18792-8d95-4871-8853-874b7faf023f

Author: Patrick Bareiss, Splunk

Description

Logs an event when Windows Defender antimalware settings are modified.

Details

Property	Value
Source	`WinEventLog:Microsoft-Windows-Windows Defender/Operational`
Sourcetype	`XmlWinEventLog`
Separator	EventCode

Name ▲▼	Technique ▲▼	Type ▲▼
Windows Defender ASR Registry Modification	Modify Registry	Hunting
Windows Defender ASR Rule Disabled	Modify Registry	TTP
Windows Defender ASR Rules Stacking	Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter	Hunting

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.1.2)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">New_Value</span>
  
  <span class="pill kill-chain">Old_Value</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">Product_Name</span>
  
  <span class="pill kill-chain">Product_Version</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">UserID</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timestamp</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/><EventID>5007</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-11-27T10:39:16.1740105Z'/><EventRecordID>3726</EventRecordID><Correlation/><Execution ProcessID='3512' ThreadID='5936'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>researchvmhaa</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>Microsoft Defender Antivirus</Data><Data Name='Product Version'>4.18.23100.2009</Data><Data Name='Old Value'>HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1</Data><Data Name='New Value'></Data></EventData></Event>

Source: GitHub | Version: 3

Data Source: Windows Event Log Defender 5007

Description

Details

Related Detections

Supported Apps

Event Fields

Example Log