Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading TA for Microsoft Windows Defender
MD5 checksum (ta-for-microsoft-windows-defender_104.tgz) e1b7799603c9a9af3eb01a2ff2b78e44 MD5 checksum (ta-for-microsoft-windows-defender_102.tgz) 82efbeed22fde0f6035625908eea9ac5
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

TA for Microsoft Windows Defender

Splunk Certified
Microsoft Windows Defender TA for Splunk®. Contains inputs and extractions for use with Splunk. Also contains mapping to the Malware CIM, particularly useful for use with Splunk Enterprise Security.


Microsoft Windows Defender TA for Splunk®. Inputs and extractions for use
with Splunk®.

Author information

   Original Author: Patrick O'Connell
   Version/Date: 1.0.2 / Oct 1, 2017
   Sourcetype: XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational
   Has index-time ops: false

Update History

   1.0.2 Oct 1, 2017
   Fixing naming conventions and trademarks per SplunkBase documentation.

   1.0.1 Sep 28, 2017
   Fixed file_path and file_name extractions. Thanks to people both
   in Slack and the support team working at .Conf 2017.

   1.0.0 Sep 18, 2017
   Initial release

Using this TA

   Configuration: Install TA via GUI on all search heads, install
   via your preferred method (manual or Deployment Server) on
   forwarders running on Windows running Windows Defender.

   Ensure that you have at least version 6.2.0 universal forwarders.
   This is because of the Windows XML event log format.

   For information on Windows Defender event codes, see below.


   This is a community supported TA. As such, post to
   and reference it. Someone should be with you shortly.

   Pull requests via github are welcome! The repository can be found

Release Notes

Version 1.0.4
Nov. 1, 2017

Version 1.0.2
Oct. 1, 2017

TA for intake of Microsoft Windows Defender logs to Splunk. Initial release, with malware CIM field mapping.


Subscribe Share

Splunk Certification Program

Splunk's App Certification program uses a specific set of criteria to evaluate the level of quality, usability and security your app offers to its users. In addition, we evaluate the documentation and support you offer to your app's users.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2017 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.