Microsoft Windows Defender TA for Splunk®. Inputs and extractions for use
Original Author: Patrick O'Connell
Version/Date: 1.0.2 / Oct 1, 2017
Sourcetype: XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational
Has index-time ops: false
1.0.2 Oct 1, 2017
Fixing naming conventions and trademarks per SplunkBase documentation.
1.0.1 Sep 28, 2017
Fixed file_path and file_name extractions. Thanks to people both in Slack and the support team working at .Conf 2017.
1.0.0 Sep 18, 2017
Initial release
Configuration: Install the TA via the GUI on all search heads, and via your preferred method (manual or Deployment Server) on forwarders running on Windows hosts that have Windows Defender. Ensure that the universal forwarders are at least version 6.2.0: the TA expects the Windows XML event log format (renderXml = true on the WinEventLog input stanza, which is what produces the XmlWinEventLog:<channel> sourcetype), and XML rendering of event logs was introduced in Splunk 6.2. See http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/ For information on Windows Defender event codes, see https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
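As an added example (not code from the add-on or its author), the Python script below parses one constructed XML-rendered Defender detection event, in the form a forwarder with renderXml = true emits it, and derives the CIM Malware-style fields (signature, file_name, file_path, user, action, category, dest) that the TA provides at search time. The <Data Name=...> element names are those of Defender's Operational channel; the event values, the event-code subset, and the action normalisation table are assumptions made for illustration and are not the add-on's own lookups or props.conf.

```python
"""Added example (not part of the TA): parse one XML-rendered Windows
Defender Operational event, as a universal forwarder with renderXml = true
emits it, and derive CIM Malware-style fields (signature, file_name,
file_path, user, action, category, dest) similar to the add-on's
search-time extractions.  The <Data Name=...> names follow Defender's
Operational channel schema; every value is constructed."""
import re
import xml.etree.ElementTree as ET

# Namespace every Windows XML event carries; fixed by Windows.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of Microsoft's published Defender event IDs, assumed here for
# illustration; the add-on ships the complete lookup.
EVENT_CODES = {
    1000: "Antimalware scan started",
    1001: "Antimalware scan finished",
    1116: "Malware or potentially unwanted software detected",
    1117: "Action taken on malware or potentially unwanted software",
    5001: "Real-time protection disabled",
}

# Defender sometimes writes unresolved message-table references
# ("magic values" such as %%827) instead of text.  Flag them; do not guess.
MAGIC_RE = re.compile(r"^%%\d+$")

# Assumed normalisation of Defender's 'Action Name' to CIM's
# allowed/blocked/deferred vocabulary; not the add-on's own mapping.
CIM_ACTION = {"Quarantine": "blocked", "Remove": "blocked", "Clean": "blocked",
              "Block": "blocked", "Allow": "allowed"}

# Constructed sample: one EventID 1116 detection, rendered as XML.
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Windows Defender'/>
    <EventID>1116</EventID>
    <TimeCreated SystemTime='2017-09-28T14:03:11.000000000Z'/>
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>WKS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name='Product Name'>%%827</Data>
    <Data Name='Threat Name'>Virus:DOS/EICAR_Test_File</Data>
    <Data Name='Severity Name'>Severe</Data>
    <Data Name='Category Name'>Virus</Data>
    <Data Name='Detection User'>EXAMPLE\alice</Data>
    <Data Name='Process Name'>C:\Windows\explorer.exe</Data>
    <Data Name='Path'>file:_C:\Users\alice\Downloads\eicar.com; containerfile:_C:\Users\alice\Downloads\eicar.zip</Data>
    <Data Name='Action Name'>Quarantine</Data>
  </EventData>
</Event>"""


def split_path(path_value):
    """Return (file_path, file_name) for the first 'file:_' resource in a
    Defender Path value.  Path may list several ';'-separated resources with
    prefixes such as file:_, containerfile:_ or regkey:_; if no plain file
    resource is present the result is (None, None)."""
    for resource in (r.strip() for r in path_value.split(";")):
        if resource.startswith("file:_"):
            full = resource[len("file:_"):]
            _, _, name = full.rpartition("\\")
            return full, (name or None)
    return None, None


def parse_event(xml_text):
    """Map one rendered Defender event to a flat dict of CIM-style fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    file_path, file_name = split_path(data.get("Path", ""))
    return {
        "EventCode": event_id,
        "event_description": EVENT_CODES.get(event_id, "unknown event code"),
        "_time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "dest": system.findtext("e:Computer", namespaces=NS),
        "signature": data.get("Threat Name"),
        "category": data.get("Category Name"),
        "severity": data.get("Severity Name"),
        "user": data.get("Detection User"),
        "process": data.get("Process Name"),
        "file_path": file_path,
        "file_name": file_name,
        "action": CIM_ACTION.get(data.get("Action Name", ""), "deferred"),
        "vendor_action": data.get("Action Name"),
        # Fields still holding a %%NNN reference, left for a lookup pass.
        "unresolved_magic_values": [k for k, v in data.items() if MAGIC_RE.match(v)],
    }


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_EVENT).items():
        print(f"{key}={value}")
```

The two points a practitioner should carry over into the real add-on are the ones that caused the 1.0.1 fix and the 1.0.3 change: Defender's Path field is a list of typed resources, so file_name must be taken from the file:_ entry rather than from the whole string, and %%NNN values are message-table references that need a lookup rather than being indexed as-is.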
This is a community-supported TA. As such, post your question to answers.splunk.com and reference the TA; someone should be with you shortly. Pull requests via GitHub are welcome! The repository can be found at https://github.com/pdoconnell/TA-microsoft-windefender.
Updates lookups for EventCodes to match new Microsoft definitions, found here (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus#windows-defender-av-ids). Thanks to Mark Baumgartner of Creighton University for the catch.
1.0.5 Dec 30, 2017
Fixed typo in EventTypes.conf. This makes tags work again. Thanks to Chris Keladis from Katana1.
1.0.4 Nov 1, 2017
Fixed wrong file inclusion for certification.
1.0.3 Oct 31, 2017
Added definitions for all magic values found in Defender logs as of today.
1.0.2 Oct 1, 2017
Fixing naming conventions and trademarks per SplunkBase documentation.
1.0.1 Sep 28, 2017
Fixed file_path and file_name extractions. Thanks to people both in Slack and the support team working at .Conf 2017.
1.0.0 Sep 18, 2017
TA for intake of Microsoft Windows Defender logs into Splunk. Initial release, with malware CIM field mapping.