Windows Defender

Version: Windows 10 and Windows Server 2016.

Windows Defender, known as Windows Defender Antivirus in Windows 10 (Creators Update) and later, is an anti-malware component of Microsoft Windows. It has evolved into a full antivirus program and replaced Microsoft Security Essentials in Windows 8 and later versions.

Netsurion Open XDR collects the event logs delivered by Windows Defender and filters them for the critical event types used to build reports, dashboards, saved searches and alerts. The event types considered are threat detection, suspicious behavior detection, configuration changes and actions taken on threats.

Netsurion Open XDR monitors the Windows Defender events listed below.

  • Security – Threat detected, Action taken on threats, Suspicious behavior detected.
  • Operations – Configuration changes, Windows Defender disabled, Windows Defender signature update failed.

Once events are received, Reports, Knowledge Objects, Categories and Dashboards can be configured in Netsurion Open XDR.

The following are the key Data Source Integrations available in Netsurion Open XDR.

Alerts

Type | Name | Description
Security | Windows Defender – Malware detected | This alert is generated when the anti-malware engine finds malware or other potentially unwanted software.
Security | Windows Defender – Action taken on threats | This alert is triggered when action is taken on a threat.
Security | Windows Defender – Suspicious behavior detected | This alert is generated when Windows Defender Antivirus has detected suspicious behavior.
Operations | Windows Defender – Definition update failed | This alert is generated when Windows Defender Antivirus has encountered an error trying to use the Dynamic Signature Service, or to update or load signatures, and attempts to revert to a known-good set of signatures.
Operations | Windows Defender – Signature update failed | This alert is triggered when a signature update fails on Windows Defender.
Operations | Windows Defender – Action taken on malware failed | This alert is generated when Windows Defender Antivirus has encountered a non-critical error while acting on malware or other potentially unwanted software.
Operations | Windows Defender – Engine update failed | This alert is generated when Windows Defender Antivirus has encountered an error while trying to update the engine, could not load the anti-malware engine, or could not update the platform.

Reports

Type | Name | Description
Security | Windows Defender – Threat detected | This report provides information about threats detected on a Windows machine: the threat name, its category and the action Defender took on it.
Security | Windows Defender – Suspicious behavior detected | This report provides information when Defender has detected suspicious behavior on a Windows machine, such as the use of a malicious macro or registry changes that could compromise the system.
Security | Windows Defender – Action taken on threats | This report provides information about the actions Windows Defender took on threats detected on the system. If an action failed, the report gives the reason.
Operations | Windows Defender – Configuration changed | This report provides information about changes to Windows Defender features, such as enabling or disabling real-time protection and other changes to the Defender configuration.

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x and later, and with Windows Defender on Windows 10 and Windows Server 2016.

Download the Integration Guide and How-to Guide for configuration instructions and more information.