Data Source: Windows Event Log Defender 5007

Date: 2025-01-23

ID: 27f18792-8d95-4871-8853-874b7faf023f

Author: Patrick Bareiss, Splunk

Description

Logs an event when Windows Defender antimalware settings are modified.

Details

Property	Value
Source	`WinEventLog:Microsoft-Windows-Windows Defender/Operational`
Sourcetype	`xmlwineventlog`
Separator	EventCode

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.0.1)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Channel</span>
  
  <span class="pill kill-chain">Computer</span>
  
  <span class="pill kill-chain">EventCode</span>
  
  <span class="pill kill-chain">EventData_Xml</span>
  
  <span class="pill kill-chain">EventID</span>
  
  <span class="pill kill-chain">EventRecordID</span>
  
  <span class="pill kill-chain">Guid</span>
  
  <span class="pill kill-chain">Keywords</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">Name</span>
  
  <span class="pill kill-chain">New_Value</span>
  
  <span class="pill kill-chain">Old_Value</span>
  
  <span class="pill kill-chain">Opcode</span>
  
  <span class="pill kill-chain">ProcessID</span>
  
  <span class="pill kill-chain">Product_Name</span>
  
  <span class="pill kill-chain">Product_Version</span>
  
  <span class="pill kill-chain">RecordNumber</span>
  
  <span class="pill kill-chain">SystemTime</span>
  
  <span class="pill kill-chain">System_Props_Xml</span>
  
  <span class="pill kill-chain">Task</span>
  
  <span class="pill kill-chain">ThreadID</span>
  
  <span class="pill kill-chain">UserID</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">dvc_nt_host</span>
  
  <span class="pill kill-chain">event_id</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timestamp</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/><EventID>5007</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-11-27T10:39:16.1740105Z'/><EventRecordID>3726</EventRecordID><Correlation/><Execution ProcessID='3512' ThreadID='5936'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>researchvmhaa</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>Microsoft Defender Antivirus</Data><Data Name='Product Version'>4.18.23100.2009</Data><Data Name='Old Value'>HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1</Data><Data Name='New Value'></Data></EventData></Event>

Source: GitHub | Version: 2