Event fields:

- _time
- ActivityID
- Channel
- Computer
- Detection_Time
- Engine_Version
- EventCode
- EventData_Xml
- EventID
- EventRecordID
- Guid
- ID
- Inhertiance_Flags
- Involved_File
- Keywords
- Level
- Name
- New_Value
- Old_Value
- Opcode
- Parent_Commandline
- Path
- ProcessID
- Process_Name
- Product_Name
- Product_Version
- RecordNumber
- RuleType
- Security_intelligence_Version
- SystemTime
- System_Props_Xml
- Target_Commandline
- Task
- ThreadID
- User
- UserID
- Version
- dvc
- dvc_nt_host
- event_id
- eventtype
- host
- id
- index
- linecount
- punct
- signature_id
- source
- sourcetype
- splunk_server
- tag
- tag::eventtype
- timestamp
- user_id
- vendor_product
</div>
Data Source: Windows Event Log Defender 1121
Description
Data source object for Windows Event Log Defender 1121
Details

| Property | Value |
|---|---|
| Source | WinEventLog:Microsoft-Windows-Windows Defender/Operational |
| Sourcetype | xmlwineventlog |
| Separator | EventCode |
Supported Apps
- Splunk Add-on for Microsoft Windows (version 9.0.1)
Event Fields
Example Log
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/>
    <EventID>1121</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2023-11-20T16:29:48.9847638Z'/>
    <EventRecordID>2975</EventRecordID>
    <Correlation ActivityID='{fb36f2d9-5b89-4566-8af5-7c1212b4797f}'/>
    <Execution ProcessID='3488' ThreadID='7496'/>
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>researchvmhaa</Computer>
    <Security UserID='S-1-5-18'/>
  </System>
  <EventData>
    <Data Name='Product Name'>Microsoft Defender Antivirus</Data>
    <Data Name='Product Version'>4.18.23100.2009</Data>
    <Data Name='Unused'></Data>
    <Data Name='ID'>3B576869-A4EC-4529-8536-B80A7769E899</Data>
    <Data Name='Detection Time'>2023-11-20T16:29:48.984Z</Data>
    <Data Name='User'>researchvmhaa\research</Data>
    <Data Name='Path'>C:\Users\research\AppData\Local\Temp\script.vbs</Data>
    <Data Name='Process Name'>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name='Security intelligence Version'>1.401.912.0</Data>
    <Data Name='Engine Version'>1.1.23100.2009</Data>
    <Data Name='RuleType'>ENT\ConsR</Data>
    <Data Name='Target Commandline'></Data>
    <Data Name='Parent Commandline'>"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" </Data>
    <Data Name='Involved File'></Data>
    <Data Name='Inhertiance Flags'>0x00000000</Data>
  </EventData>
</Event>
```
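The following parser is an added example, not code from this data source page or from the Splunk security content project. It reads the example event above (embedded verbatim as a constructed sample), flattens the `<System>` and `<EventData>` elements into the underscore-separated field names listed for this data source (the Splunk Windows add-on does the same `Name` to `Name_With_Underscores` mapping), and summarises the ASR block for a triage note. The `ASR_RULE_NAMES` lookup is taken from Microsoft's published ASR rule reference, not from this page; the function names are my own.

```python
"""Parse a Windows Defender event 1121 (ASR rule blocked) into Splunk-style fields."""
import xml.etree.ElementTree as ET

# Windows event XML namespace; ElementTree requires it to be named in every path.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the example log from this page (raw string so the
# Windows paths keep their backslashes).
SAMPLE_EVENT_1121 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/>
<EventID>1121</EventID><Version>0</Version><Level>3</Level><Task>0</Task><Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-11-20T16:29:48.9847638Z'/>
<EventRecordID>2975</EventRecordID><Correlation ActivityID='{fb36f2d9-5b89-4566-8af5-7c1212b4797f}'/>
<Execution ProcessID='3488' ThreadID='7496'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>researchvmhaa</Computer><Security UserID='S-1-5-18'/></System>
<EventData><Data Name='Product Name'>Microsoft Defender Antivirus</Data>
<Data Name='Product Version'>4.18.23100.2009</Data><Data Name='Unused'></Data>
<Data Name='ID'>3B576869-A4EC-4529-8536-B80A7769E899</Data>
<Data Name='Detection Time'>2023-11-20T16:29:48.984Z</Data>
<Data Name='User'>researchvmhaa\research</Data>
<Data Name='Path'>C:\Users\research\AppData\Local\Temp\script.vbs</Data>
<Data Name='Process Name'>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
<Data Name='Security intelligence Version'>1.401.912.0</Data>
<Data Name='Engine Version'>1.1.23100.2009</Data><Data Name='RuleType'>ENT\ConsR</Data>
<Data Name='Target Commandline'></Data>
<Data Name='Parent Commandline'>"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" </Data>
<Data Name='Involved File'></Data><Data Name='Inhertiance Flags'>0x00000000</Data></EventData></Event>"""

# ASR rule GUID -> rule name, from Microsoft's ASR rule reference (not from this page).
ASR_RULE_NAMES = {
    "3B576869-A4EC-4529-8536-B80A7769E899": "Block Office applications from creating executable content",
}


def parse_defender_event(xml_text):
    """Flatten one Windows Defender event into a dict keyed like the Splunk fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "EventRecordID": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "SystemTime": system.find("e:TimeCreated", NS).get("SystemTime"),
        "UserID": system.find("e:Security", NS).get("UserID"),
        "Guid": system.find("e:Provider", NS).get("Guid"),
    }
    # Each <Data Name='X Y'> becomes field X_Y; the 'Unused' slot is dropped.
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        name = data.get("Name")
        if not name or name == "Unused":
            continue
        fields[name.replace(" ", "_")] = (data.text or "").strip()
    return fields


def summarize_asr_block(fields):
    """Return the triage-relevant facts of an ASR block, or None if not event 1121."""
    if fields.get("EventID") != 1121:
        return None
    rule_id = fields.get("ID", "").upper()
    return {
        "host": fields.get("Computer"),
        "user": fields.get("User"),
        "rule_id": rule_id,
        "rule_name": ASR_RULE_NAMES.get(rule_id, "unknown ASR rule"),
        "process": fields.get("Process_Name"),
        "path": fields.get("Path"),
        "detected_at": fields.get("Detection_Time"),
    }


if __name__ == "__main__":
    parsed = parse_defender_event(SAMPLE_EVENT_1121)
    for key, value in summarize_asr_block(parsed).items():
        print(f"{key:12s} {value}")
```

The summary deliberately keeps `Process_Name` and `Path` separate: for rule 1121 the process is the application the rule fired on (here WINWORD.EXE) and the path is the artefact it was blocked from creating, which is the pair an analyst pivots on when checking whether the block was a benign macro workflow or worth escalating.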
Source: GitHub | Version: 1