Data Source: Windows Event Log Defender 1121

Description

Logs an event when a Windows Defender attack surface reduction rule fires in block mode.

Details

Property    Value
Source      WinEventLog:Microsoft-Windows-Windows Defender/Operational
Sourcetype  XmlWinEventLog
Separator   EventCode

Name                                 Technique                                                                        Type
Windows Defender ASR Block Events    Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link  Anomaly
Windows Defender ASR Rules Stacking  Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter  Hunting

Supported Apps

Event Fields

Fields
_time
ActivityID
Channel
Computer
Detection_Time
Engine_Version
EventCode
EventData_Xml
EventID
EventRecordID
Guid
ID
Inhertiance_Flags
Involved_File
Keywords
Level
Name
New_Value
Old_Value
Opcode
Parent_Commandline
Path
ProcessID
Process_Name
Product_Name
Product_Version
RecordNumber
RuleType
Security_intelligence_Version
SystemTime
System_Props_Xml
Target_Commandline
Task
ThreadID
User
UserID
Version
dvc
dvc_nt_host
event_id
eventtype
host
id
index
linecount
punct
signature_id
source
sourcetype
splunk_server
tag
tag::eventtype
timestamp
user_id
vendor_product
</div>

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/>
    <EventID>1121</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2023-11-20T16:29:48.9847638Z'/>
    <EventRecordID>2975</EventRecordID>
    <Correlation ActivityID='{fb36f2d9-5b89-4566-8af5-7c1212b4797f}'/>
    <Execution ProcessID='3488' ThreadID='7496'/>
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>researchvmhaa</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='Product Name'>Microsoft Defender Antivirus</Data>
    <Data Name='Product Version'>4.18.23100.2009</Data>
    <Data Name='Unused'></Data>
    <Data Name='ID'>3B576869-A4EC-4529-8536-B80A7769E899</Data>
    <Data Name='Detection Time'>2023-11-20T16:29:48.984Z</Data>
    <Data Name='User'>researchvmhaa\research</Data>
    <Data Name='Path'>C:\Users\research\AppData\Local\Temp\script.vbs</Data>
    <Data Name='Process Name'>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name='Security intelligence Version'>1.401.912.0</Data>
    <Data Name='Engine Version'>1.1.23100.2009</Data>
    <Data Name='RuleType'>ENT\ConsR</Data>
    <Data Name='Target Commandline'></Data>
    <Data Name='Parent Commandline'>"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" </Data>
    <Data Name='Involved File'></Data>
    <Data Name='Inhertiance Flags'>0x00000000</Data>
  </EventData>
</Event>

Source: GitHub | Version: 3