Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading TA for Microsoft Windows Defender
SHA256 checksum (ta-for-microsoft-windows-defender_105.tgz) 8965b9c46bb72e6b594c9704ef76a2993bf8c1cadb7f6fcfed4966c5138408c3 SHA256 checksum (ta-for-microsoft-windows-defender_104.tgz) dd1336baad9dfb7a8b3e506e1149bf2dbe6cdc445801905b3c966913e0a66bfa SHA256 checksum (ta-for-microsoft-windows-defender_102.tgz) 751d0a299b688e59720f4c8a92078f31b4930f5fc2250cb429eb2e45bc3902c9
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

TA for Microsoft Windows Defender

Splunk Certified
Overview
Details
Microsoft Windows Defender TA for Splunk®. Contains inputs and extractions for use with Splunk. Also contains mapping to the Malware CIM, particularly useful for use with Splunk Enterprise Security.

TA-microsoft-windefender

Microsoft Windows Defender TA for Splunk®. Inputs and extractions for use
with Splunk®.

Author information

   Original Author: Patrick O'Connell
   Version/Date: 1.0.2 / Oct 1, 2017
   Sourcetype: XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational
   Has index-time ops: false

Update History

   1.0.2 Oct 1, 2017
   --------
   Fixing naming conventions and trademarks per SplunkBase documentation.

   1.0.1 Sep 28, 2017
   --------
   Fixed file_path and file_name extractions. Thanks to people both
   in Slack and the support team working at .Conf 2017.

   1.0.0 Sep 18, 2017
   --------
   Initial release

Using this TA

   Configuration: Install TA via GUI on all search heads, install
   via your preferred method (manual or Deployment Server) on
   forwarders running on Windows running Windows Defender.

   Ensure that you have at least version 6.2.0 universal forwarders.
   This is because of the Windows XML event log format.

   http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/

   For information on Windows Defender event codes, see below.
   https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus

Support

   This is a community supported TA. As such, post to answers.splunk.com
   and reference it. Someone should be with you shortly.

   Pull requests via github are welcome! The repository can be found
   at https://github.com/pdoconnell/TA-microsoft-windefender.

Release Notes

Version 1.0.5
Dec. 30, 2017

1.0.5 Dec 30, 2017
--------
Fixed typo in EventTypes.conf. This makes tags work again. Thanks to
Chris Keladis from Katana1.

1.0.4 Nov 1, 2017
--------
Fixed wrong file inclusion for certification.

1.0.3 Oct 31, 2017
--------
Added definitions for all magic values found in Defender logs as of today.

1.0.2 Oct 1, 2017
--------
Fixing naming conventions and trademarks per SplunkBase documentation.

1.0.1 Sep 28, 2017
--------
Fixed file_path and file_name extractions. Thanks to people both
in Slack and the support team working at .Conf 2017.

1.0.0 Sep 18, 2017
--------
Initial release

Version 1.0.4
Nov. 1, 2017

Version 1.0.2
Oct. 1, 2017

TA for intake of Microsoft Windows Defender logs to Splunk. Initial release, with malware CIM field mapping.

126
Installs
564
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

Splunk Certification Program

Splunk's App Certification program uses a specific set of criteria to evaluate the level of quality, usability and security your app offers to its users. In addition, we evaluate the documentation and support you offer to your app's users.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2018 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.