Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading TA for Microsoft Windows Defender
SHA256 checksum (ta-for-microsoft-windows-defender_106.tgz) 52b110945f0db35a930806a34fc8b40999f7086f98ed29c90b50868a165d6e4a SHA256 checksum (ta-for-microsoft-windows-defender_105.tgz) 8965b9c46bb72e6b594c9704ef76a2993bf8c1cadb7f6fcfed4966c5138408c3 SHA256 checksum (ta-for-microsoft-windows-defender_104.tgz) dd1336baad9dfb7a8b3e506e1149bf2dbe6cdc445801905b3c966913e0a66bfa SHA256 checksum (ta-for-microsoft-windows-defender_102.tgz) 751d0a299b688e59720f4c8a92078f31b4930f5fc2250cb429eb2e45bc3902c9
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

TA for Microsoft Windows Defender

Splunk Certified
Microsoft Windows Defender TA for Splunk®. Contains inputs and extractions for use with Splunk. Also contains mapping to the Malware CIM, particularly useful for use with Splunk Enterprise Security.


Microsoft Windows Defender TA for Splunk®. Inputs and extractions for use
with Splunk®.

Author information

   Original Author: Patrick O'Connell
   Version/Date: 1.0.2 / Oct 1, 2017
   Sourcetype: XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational
   Has index-time ops: false

Update History

   1.0.2 Oct 1, 2017
   Fixing naming conventions and trademarks per SplunkBase documentation.

   1.0.1 Sep 28, 2017
   Fixed file_path and file_name extractions. Thanks to people both
   in Slack and the support team working at .Conf 2017.

   1.0.0 Sep 18, 2017
   Initial release

Using this TA

   Configuration: Install TA via GUI on all search heads, install
   via your preferred method (manual or Deployment Server) on
   forwarders running on Windows running Windows Defender.

   Ensure that you have at least version 6.2.0 universal forwarders.
   This is because of the Windows XML event log format.


   For information on Windows Defender event codes, see below.


   This is a community supported TA. As such, post to answers.splunk.com
   and reference it. Someone should be with you shortly.

   Pull requests via github are welcome! The repository can be found
   at https://github.com/pdoconnell/TA-microsoft-windefender.

Release Notes

Version 1.0.6
April 28, 2018

Updates lookups for EventCodes to match new Microsoft definitions, found here (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus#windows-defender-av-ids). Thanks to Mark Baumgartner of Creighton University for the catch.

Version 1.0.5
Dec. 30, 2017

1.0.5 Dec 30, 2017
Fixed typo in EventTypes.conf. This makes tags work again. Thanks to
Chris Keladis from Katana1.

1.0.4 Nov 1, 2017
Fixed wrong file inclusion for certification.

1.0.3 Oct 31, 2017
Added definitions for all magic values found in Defender logs as of today.

1.0.2 Oct 1, 2017
Fixing naming conventions and trademarks per SplunkBase documentation.

1.0.1 Sep 28, 2017
Fixed file_path and file_name extractions. Thanks to people both
in Slack and the support team working at .Conf 2017.

1.0.0 Sep 18, 2017
Initial release

Version 1.0.4
Nov. 1, 2017

Version 1.0.2
Oct. 1, 2017

TA for intake of Microsoft Windows Defender logs to Splunk. Initial release, with malware CIM field mapping.


Subscribe Share

Splunk Certification Program

Splunk's App Certification program uses a specific set of criteria to evaluate the level of quality, usability and security your app offers to its users. In addition, we evaluate the documentation and support you offer to your app's users.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2018 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.