Data Source: Windows Event Log Defender 1126

Date: 2025-07-10

ID: c1c6284b-b663-4001-bdf2-c0cacee22a2a

Author: Bhavin Patel, Splunk

Description

Data source object for Windows Event Log Defender 1126

Details

Property	Value
Source	`XmlWinEventLog:Security`
Sourcetype	`XmlWinEventLog`
Separator	EventCode

Name ▲▼	Technique ▲▼	Type ▲▼
Windows Defender ASR Audit Events	Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link	Anomaly
Windows Defender ASR Block Events	Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link	Anomaly
Windows Defender ASR Rules Stacking	Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter	Hunting

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.1.2)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActivityID</span>
  
  <span class="pill kill-chain">CategoryString</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">Detection_Time</span>
  
  <span class="pill kill-chain">Engine_Version</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">ID</span>
  
  <span class="pill kill-chain">Image_File_Name</span>
  
  <span class="pill kill-chain">Inhertiance_Flags</span>
  
  <span class="pill kill-chain">Involved_File</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Message</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">Parent_Commandline</span>
  
  <span class="pill kill-chain">Path</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">Process_Name</span>
  
  <span class="pill kill-chain">Product_Name</span>
  
  <span class="pill kill-chain">Product_Version</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">RenderingInfo_Xml</span>
  
  <span class="pill kill-chain">RuleType</span>
  
  <span class="pill kill-chain">Security_intelligence_Version</span>
  
  <span class="pill kill-chain">SourceName</span>
  
  <span class="pill kill-chain">SubStatus</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">Target_Commandline</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">TaskCategory</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">Unused</span>
  
  <span class="pill kill-chain">User</span>
  
  <span class="pill kill-chain">UserID</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">name</span>
  
  <span class="pill kill-chain">parent_process</span>
  
  <span class="pill kill-chain">process_name</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">result</span>
  
  <span class="pill kill-chain">service</span>
  
  <span class="pill kill-chain">service_id</span>
  
  <span class="pill kill-chain">service_name</span>
  
  <span class="pill kill-chain">severity</span>
  
  <span class="pill kill-chain">severity_id</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">splunk_server_group</span>
  
  <span class="pill kill-chain">subject</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::action</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timestamp</span>
  
  <span class="pill kill-chain">user_group_id</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">_bkt</span>
  
  <span class="pill kill-chain">_cd</span>
  
  <span class="pill kill-chain">_eventtype_color</span>
  
  <span class="pill kill-chain">_indextime</span>
  
  <span class="pill kill-chain">_pre_msg</span>
  
  <span class="pill kill-chain">_raw</span>
  
  <span class="pill kill-chain">_serial</span>
  
  <span class="pill kill-chain">_si</span>
  
  <span class="pill kill-chain">_sourcetype</span>
  
</div>

Source: GitHub | Version: 2

Data Source: Windows Event Log Defender 1126

Description

Details

Related Detections

Supported Apps

Event Fields