Data Source: Windows Event Log Defender 5007

Date: 2025-01-23

ID: 27f18792-8d95-4871-8853-874b7faf023f

Author: Patrick Bareiss, Splunk

Description

Logs an event when Windows Defender antimalware settings are modified.

Details

Property	Value
Source	`WinEventLog:Microsoft-Windows-Windows Defender/Operational`
Sourcetype	`xmlwineventlog`
Separator	EventCode

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.0.1)

Event Fields

+ Fields


            1
            _time
          
            3
            Channel
          
            5
            Computer
          
            7
            EventCode
          
            9
            EventData_Xml
          
            11
            EventID
          
            13
            EventRecordID
          
            15
            Guid
          
            17
            Keywords
          
            19
            Level
          
            21
            Name
          
            23
            New_Value
          
            25
            Old_Value
          
            27
            Opcode
          
            29
            ProcessID
          
            31
            Product_Name
          
            33
            Product_Version
          
            35
            RecordNumber
          
            37
            SystemTime
          
            39
            System_Props_Xml
          
            41
            Task
          
            43
            ThreadID
          
            45
            UserID
          
            47
            Version
          
            49
            dvc
          
            51
            dvc_nt_host
          
            53
            event_id
          
            55
            eventtype
          
            57
            host
          
            59
            id
          
            61
            index
          
            63
            linecount
          
            65
            punct
          
            67
            signature_id
          
            69
            source
          
            71
            sourcetype
          
            73
            splunk_server
          
            75
            tag
          
            77
            tag::eventtype
          
            79
            timestamp
          
            81
            user_id
          
            83
            vendor_product
          
            85

...

not set

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/><EventID>5007</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-11-27T10:39:16.1740105Z'/><EventRecordID>3726</EventRecordID><Correlation/><Execution ProcessID='3512' ThreadID='5936'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>researchvmhaa</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>Microsoft Defender Antivirus</Data><Data Name='Product Version'>4.18.23100.2009</Data><Data Name='Old Value'>HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1</Data><Data Name='New Value'></Data></EventData></Event>

Source: GitHub | Version: 2