Microsoft-Windows-Windows Defender
94 events across 2 channels
Event ID 101: Microsoft Defender Antivirus state updated to hc_stateid.
Event ID 1000: Product Name scan has started.
Description
Product Name scan has started.
Message
Fields
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Scan ID | |
| Scan Type Index | |
| Scan Type | |
| Scan Parameters Index | |
| Scan Parameters | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| Scan Resources | |
| Scan Trigger Index | |
| Scan Trigger | |
| Scan Only If Idle | |
| Low CPU Priority for Scans | |
| Thread Priority | |
| ProductName | |
| ProductVersion | |
| ScanID | |
| ScanTypeIndex | |
| ScanType | |
| ScanParametersIndex | Known values |
| ScanParameters | |
| ScanResources | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T05:39:31.2640458+00:00",
"event_record_id": 681,
"correlation": {},
"execution": {
"process_id": 3912,
"thread_id": 284
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Scan ID": "{831B79B4-9E84-4538-9ED5-8BB6CFFB648D}",
"Scan Type Index": "1",
"Scan Type": "Antimalware",
"Scan Parameters Index": "1",
"Scan Parameters": "Quick Scan",
"Domain": "NT AUTHORITY",
"User": "SYSTEM",
"SID": "S-1-5-18",
"Scan Resources": "",
"Scan Trigger Index": "55",
"Scan Trigger": "Scheduled maintenance",
"Scan Only If Idle": "Enabled",
"Low CPU Priority for Scans": "Disabled",
"Thread Priority": "7"
},
"message": "Microsoft Defender Antivirus scan has started.\r\n \tScan ID: {831B79B4-9E84-4538-9ED5-8BB6CFFB648D}\r\n \tScan Type: Antimalware\r\n \tScan Parameters: Quick Scan\r\n \tScan Resources: \r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tScan Trigger: Scheduled maintenance\r\n \tScan Only If Idle: Enabled\r\n \tLow CPU Priority for Scans: Disabled\r\n \tThread Priority: 7"
}
References
Event ID 1001: Product Name scan has finished.
Description
Product Name scan has finished.
Message
Fields
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Scan ID | |
| Scan Type Index | |
| Scan Type | |
| Scan Parameters Index | |
| Scan Parameters | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| Scan Time Hours | |
| Scan Time Minutes | |
| Scan Time Seconds | |
| ProductName | |
| ProductVersion | |
| ScanID | |
| ScanTypeIndex | |
| ScanType | |
| ScanParametersIndex | Known values |
| ScanParameters | |
| ScanTimeHours | |
| ScanTimeMinutes | |
| ScanTimeSeconds | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T05:43:05.1284044+00:00",
"event_record_id": 683,
"correlation": {
"ActivityID": "{7CAA8AA4-2C90-4544-BDD8-ED3A22085B41}"
},
"execution": {
"process_id": 3912,
"thread_id": 284
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Scan ID": "{831B79B4-9E84-4538-9ED5-8BB6CFFB648D}",
"Scan Type Index": "1",
"Scan Type": "Antimalware",
"Scan Parameters Index": "1",
"Scan Parameters": "Quick Scan",
"Domain": "NT AUTHORITY",
"User": "SYSTEM",
"SID": "S-1-5-18",
"Scan Time Hours": "0",
"Scan Time Minutes": "03",
"Scan Time Seconds": "33"
},
"message": "Microsoft Defender Antivirus scan has finished.\r\n \tScan ID: {831B79B4-9E84-4538-9ED5-8BB6CFFB648D}\r\n \tScan Type: Antimalware\r\n \tScan Parameters: Quick Scan\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tScan Time: 0:03:33"
}
References
Event ID 1002: Product Name scan has been stopped before completion.
Description
Product Name scan has been stopped before completion.
Message
Fields
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Scan ID | |
| Scan Type Index | |
| Scan Type | |
| Scan Parameters Index | |
| Scan Parameters | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| Stop Reason Index | |
| Stop Reason | |
| ProductName | |
| ProductVersion | |
| ScanID | |
| ScanTypeIndex | |
| ScanType | |
| ScanParametersIndex | Known values |
| ScanParameters | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1002,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-29T08:44:12.4714948+00:00",
"event_record_id": 644,
"correlation": {
"ActivityID": "{2C268CC8-914A-4D21-A104-49C8722B8AD4}"
},
"execution": {
"process_id": 4032,
"thread_id": 3672
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Scan ID": "{427DEA8A-0CA1-4AEE-9BDD-8E059AA33C24}",
"Scan Type Index": "1",
"Scan Type": "Antimalware",
"Scan Parameters Index": "1",
"Scan Parameters": "Quick Scan",
"Domain": "NT AUTHORITY",
"User": "SYSTEM",
"SID": "S-1-5-18",
"Stop Reason Index": "3",
"Stop Reason": "RPC connection rundown"
},
"message": "Microsoft Defender Antivirus scan has been stopped before completion.\r\n \tScan ID: {427DEA8A-0CA1-4AEE-9BDD-8E059AA33C24}\r\n \tScan Type: Antimalware\r\n \tScan Parameters: Quick Scan\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tStop Reason: RPC connection rundown"
}
References
Event ID 1003: ProductName scan has been paused.
Description
ProductName scan has been paused.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| ScanID UnicodeString | |
| ScanTypeIndex UnicodeString | |
| ScanType UnicodeString | |
| ScanParametersIndex UnicodeString | Known values |
| ScanParameters UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
References
Event ID 1004: ProductName scan has resumed.
Description
ProductName scan has resumed.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| ScanID UnicodeString | |
| ScanTypeIndex UnicodeString | |
| ScanType UnicodeString | |
| ScanParametersIndex UnicodeString | Known values |
| ScanParameters UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
References
Event ID 1005: ProductName scan has encountered an error and terminated.
Description
ProductName scan has encountered an error and terminated.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| ScanID UnicodeString | |
| ScanTypeIndex UnicodeString | |
| ScanType UnicodeString | |
| ScanParametersIndex UnicodeString | Known values |
| ScanParameters UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
References
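Events 1000 through 1005 describe one scan's lifecycle and share a Scan ID, so the useful question for an analyst is not "did a scan start" but "did each started scan finish, stop, or error, and how long did it take". The following Python is an added example, not code from the page or from Microsoft: it groups the page's JSON-shaped events (as an evtx-to-JSON exporter emits them) by Scan ID and marks starts that never got a closing event. The first three sample events reuse values from the page's 1000/1001/1002 examples; the fourth scan, its GUID and its Scan Trigger value are assumed. Field names for 1005 follow the page's field table (ErrorCode, ErrorDescription), since the page shows no 1005 example.

```python
"""Reconstruct Defender scan lifecycles from the Operational log.

Event 1000 opens a scan and exactly one of 1001 (finished), 1002 (stopped
before completion) or 1005 (error) should close it, all carrying the same
Scan ID. A 1000 with no closing event is itself worth a look: the engine
died, the host rebooted, or the log was cleared.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events in the page's evtx-to-JSON shape, trimmed to the
# fields used here. The first three mirror the page's 1000/1001 and 1002
# examples; the fourth is an assumed start with no closing event.
SAMPLE_EVENTS = [
    {"system": {"event_id": 1000, "time_created": "2026-06-13T05:39:31.2640458+00:00"},
     "event_data": {"Scan ID": "{831B79B4-9E84-4538-9ED5-8BB6CFFB648D}",
                    "Scan Parameters": "Quick Scan", "Scan Trigger": "Scheduled maintenance",
                    "Domain": "NT AUTHORITY", "User": "SYSTEM"}},
    {"system": {"event_id": 1001, "time_created": "2026-06-13T05:43:05.1284044+00:00"},
     "event_data": {"Scan ID": "{831B79B4-9E84-4538-9ED5-8BB6CFFB648D}",
                    "Scan Time Hours": "0", "Scan Time Minutes": "03", "Scan Time Seconds": "33"}},
    {"system": {"event_id": 1002, "time_created": "2026-05-29T08:44:12.4714948+00:00"},
     "event_data": {"Scan ID": "{427DEA8A-0CA1-4AEE-9BDD-8E059AA33C24}",
                    "Stop Reason Index": "3", "Stop Reason": "RPC connection rundown"}},
    {"system": {"event_id": 1000, "time_created": "2026-06-13T09:00:00.0000000+00:00"},
     "event_data": {"Scan ID": "{00000000-0000-4000-8000-000000000001}",  # assumed
                    "Scan Parameters": "Full Scan", "Scan Trigger": "Manual",  # assumed
                    "Domain": "LAB", "User": "alice"}},
]
# Reference clock for the stale check, chosen to sit after the sample events.
SAMPLE_NOW = datetime(2026, 6, 13, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an exporter timestamp. evtx stores 100 ns ticks (seven fractional
    digits) and some tools emit 'Z'; datetime keeps microseconds and, before
    Python 3.11, rejects 'Z', so normalise both first."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value.replace("Z", "+00:00"))
    return datetime.fromisoformat(value)


def field(data, *names):
    """Events 1000-1002 are exported with spaced names ('Scan ID'); the page's
    tables for 1003-1005 list the schema names ('ScanID'). Accept either."""
    for name in names:
        if name in data:
            return data[name]
    return None


def correlate_scans(events, now, stale_after=timedelta(hours=2)):
    """Group 1000/1001/1002/1005 by Scan ID.

    Returns {scan_id: record}; record["outcome"] is 'finished', 'stopped',
    'error', 'running' (started, not yet closed) or 'stale' (started more
    than stale_after ago with no closing event). 'wall_seconds' is the gap
    between the 1000 and the closing event when both were seen.
    """
    scans = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["system"]["time_created"])):
        eid = ev["system"]["event_id"]
        if eid not in (1000, 1001, 1002, 1005):
            continue
        data = ev["event_data"]
        ts = parse_ts(ev["system"]["time_created"])
        rec = scans.setdefault(field(data, "Scan ID", "ScanID"), {
            "started": None, "ended": None, "outcome": "running", "detail": "",
            "parameters": None, "trigger": None, "user": None, "wall_seconds": None})
        if eid == 1000:
            rec.update(started=ts, parameters=data.get("Scan Parameters"),
                       trigger=data.get("Scan Trigger"),
                       user="%s\\%s" % (data.get("Domain"), data.get("User")))
        elif eid == 1001:
            rec.update(ended=ts, outcome="finished", detail="scan time %s:%s:%s" % (
                data.get("Scan Time Hours"), data.get("Scan Time Minutes"),
                data.get("Scan Time Seconds")))
        elif eid == 1002:
            rec.update(ended=ts, outcome="stopped", detail=data.get("Stop Reason", ""))
        else:  # 1005, field names as listed in the page's table
            rec.update(ended=ts, outcome="error", detail="%s %s" % (
                data.get("ErrorCode", ""), data.get("ErrorDescription", "")))
    for rec in scans.values():
        if rec["started"] and rec["ended"]:
            rec["wall_seconds"] = int((rec["ended"] - rec["started"]).total_seconds())
        elif rec["outcome"] == "running" and rec["started"] and now - rec["started"] > stale_after:
            rec["outcome"] = "stale"
    return scans


if __name__ == "__main__":
    for scan_id, rec in correlate_scans(SAMPLE_EVENTS, SAMPLE_NOW).items():
        print(scan_id, rec["outcome"], rec["detail"], rec["wall_seconds"])
```

For the page's own 1000/1001 pair the wall-clock gap between the two events is 213 seconds, matching the 0:03:33 Scan Time carried by the 1001; a large divergence between the two would itself be odd. The 1002 on the page has no 1000 on the page, and the code keeps such orphans (started is None) rather than dropping them, because a stop reason such as "RPC connection rundown" is still worth seeing even when the start rolled out of the log.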
Event ID 1006: ProductName has detected malware or other potentially unwanted software.
Description
ProductName has detected malware or other potentially unwanted software.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionID UnicodeString | |
| DetectionSourceIndex UnicodeString | |
| DetectionSource UnicodeString | |
| Unused UnicodeString | |
| ProcessName UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| ThreatName UnicodeString | |
| ThreatID UnicodeString | |
| SeverityID UnicodeString | Known values |
| CategoryID UnicodeString | |
| FWLink UnicodeString | |
| PathFound UnicodeString | |
| DetectionOriginIndex UnicodeString | |
| DetectionOrigin UnicodeString | |
| ExecutionStatusIndex UnicodeString | |
| ExecutionStatus UnicodeString | |
| DetectionTypeIndex UnicodeString | |
| DetectionType UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| SeverityName UnicodeString | |
| CategoryName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References
Event ID 1007: ProductName has taken action to protect this machine from malware or other potentially unwanted software.
Description
ProductName has taken action to protect this machine from malware or other potentially unwanted software.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionID UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| StatusCode UnicodeString | NTSTATUS reference |
| StatusDescription UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| ThreatName UnicodeString | |
| ThreatID UnicodeString | |
| SeverityID UnicodeString | Known values |
| CategoryID UnicodeString | |
| FWLink UnicodeString | |
| Path UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| CleaningActionIndex UnicodeString | |
| CleaningAction UnicodeString | |
| Unused5 UnicodeString | |
| Unused6 UnicodeString | |
| Unused7 UnicodeString | |
| Unused8 UnicodeString | |
| SeverityName UnicodeString | |
| CategoryName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References
Event ID 1008: ProductName has encountered an error when taking action on malware or other potentially unwanted software.
Description
ProductName has encountered an error when taking action on malware or other potentially unwanted software.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionID UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| StatusCode UnicodeString | NTSTATUS reference |
| StatusDescription UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| ThreatName UnicodeString | |
| ThreatID UnicodeString | |
| SeverityID UnicodeString | Known values |
| CategoryID UnicodeString | |
| FWLink UnicodeString | |
| Path UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| CleaningActionIndex UnicodeString | |
| CleaningAction UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| Unused5 UnicodeString | |
| Unused6 UnicodeString | |
| SeverityName UnicodeString | |
| CategoryName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References
Event ID 1009: ProductName has restored an item from quarantine.
Description
ProductName has restored an item from quarantine.
Message
Fields
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| Unused5 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| Threat Name | |
| Threat ID | |
| Severity ID | |
| Category ID | |
| FWLink UnicodeString | |
| Path UnicodeString | |
| Unused6 UnicodeString | |
| Unused7 UnicodeString | |
| Unused8 UnicodeString | |
| Unused9 UnicodeString | |
| Unused10 UnicodeString | |
| Unused11 UnicodeString | |
| Unused12 UnicodeString | |
| Unused13 UnicodeString | |
| Severity Name | |
| Category Name | |
| Security intelligence Version | |
| Engine Version | |
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| ThreatName UnicodeString | |
| ThreatID UnicodeString | |
| SeverityID UnicodeString | Known values |
| CategoryID UnicodeString | |
| SeverityName UnicodeString | |
| CategoryName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1009,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T15:47:15.1238364+00:00",
"event_record_id": 6506,
"correlation": {
"ActivityID": "{5F95AD28-CAF8-4C6F-A387-C8C9D4B25B47}"
},
"execution": {
"process_id": 3360,
"thread_id": 1260
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Unused": "",
"Unused2": "",
"Unused3": "",
"Unused4": "",
"Unused5": "",
"Domain": "ludus",
"User": "domainadmin",
"SID": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"Threat Name": "HackTool:JS/Jsprat",
"Threat ID": "2147708292",
"Severity ID": "4",
"Category ID": "34",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0",
"Path": "file:_C:\\Users\\domainadmin\\AppData\\Local\\Temp\\atmp\\atomic-red-team-master\\atomics\\T1505.003\\src\\b.jsp; file:_C:\\Users\\domainadmin\\AppData\\Local\\Temp\\atomics.zip",
"Unused6": "",
"Unused7": "",
"Unused8": "",
"Unused9": "",
"Unused10": "",
"Unused11": "",
"Unused12": "",
"Unused13": "",
"Severity Name": "High",
"Category Name": "Tool",
"Security intelligence Version": "AV: 1.451.182.0, AS: 1.451.182.0",
"Engine Version": "1.1.26040.8"
},
"message": "Microsoft Defender Antivirus has restored an item from quarantine.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0\r\n \tName: HackTool:JS/Jsprat\r\n \tID: 2147708292\r\n \tSeverity: High\r\n \tCategory: Tool\r\n \tUser: ludus\\domainadmin\r\n \tSecurity intelligence Version: AV: 1.451.182.0, AS: 1.451.182.0\r\n \tEngine Version: 1.1.26040.8"
}
Detection Rules
Sigma rules referencing this event are listed in the coverage view.
References
Event ID 1010: ProductName has encountered an error trying to restore an item from quarantine.
Description
ProductName has encountered an error trying to restore an item from quarantine.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| ThreatName UnicodeString | |
| ThreatID UnicodeString | |
| SeverityID UnicodeString | Known values |
| CategoryID UnicodeString | |
| FWLink UnicodeString | |
| Path UnicodeString | |
| Unused4 UnicodeString | |
| Unused5 UnicodeString | |
| Unused6 UnicodeString | |
| Unused7 UnicodeString | |
| Unused8 UnicodeString | |
| Unused9 UnicodeString | |
| Unused10 UnicodeString | |
| Unused11 UnicodeString | |
| SeverityName UnicodeString | |
| CategoryName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References
Event ID 1011: ProductName has deleted an item from quarantine.
Description
ProductName has deleted an item from quarantine.
Message
Fields
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| Unused5 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| Threat Name | |
| Threat ID | |
| Severity ID | |
| Category ID | |
| FWLink UnicodeString | |
| Path UnicodeString | |
| Unused6 UnicodeString | |
| Unused7 UnicodeString | |
| Unused8 UnicodeString | |
| Unused9 UnicodeString | |
| Unused10 UnicodeString | |
| Unused11 UnicodeString | |
| Unused12 UnicodeString | |
| Unused13 UnicodeString | |
| Severity Name | |
| Category Name | |
| Security intelligence Version | |
| Engine Version | |
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| ThreatName UnicodeString | |
| ThreatID UnicodeString | |
| SeverityID UnicodeString | Known values |
| CategoryID UnicodeString | |
| SeverityName UnicodeString | |
| CategoryName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1011,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T02:07:21.9451408+00:00",
"event_record_id": 6151,
"correlation": {},
"execution": {
"process_id": 6760,
"thread_id": 12460
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Unused": "",
"Unused2": "",
"Unused3": "",
"Unused4": "",
"Unused5": "",
"Domain": "NT AUTHORITY",
"User": "SYSTEM",
"SID": "S-1-5-18",
"Threat Name": "Trojan:Win32/Wacatac.H!ml",
"Threat ID": "2147814523",
"Severity ID": "5",
"Category ID": "8",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.H!ml&threatid=2147814523&enterprise=0",
"Path": "file:_C:\\Users\\domainuser\\Downloads\\finance - Copy.scr",
"Unused6": "",
"Unused7": "",
"Unused8": "",
"Unused9": "",
"Unused10": "",
"Unused11": "",
"Unused12": "",
"Unused13": "",
"Severity Name": "Severe",
"Category Name": "Trojan",
"Security intelligence Version": "AV: 1.451.173.0, AS: 1.451.173.0",
"Engine Version": "1.1.26040.8"
},
"message": "Microsoft Defender Antivirus has deleted an item from quarantine.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.H!ml&threatid=2147814523&enterprise=0\r\n \tName: Trojan:Win32/Wacatac.H!ml\r\n \tID: 2147814523\r\n \tSeverity: Severe\r\n \tCategory: Trojan\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tSecurity intelligence Version: AV: 1.451.173.0, AS: 1.451.173.0\r\n \tEngine Version: 1.1.26040.8"
}
References
Event ID 1012: ProductName has encountered an error trying to delete an item from quarantine.
Description
ProductName has encountered an error trying to delete an item from quarantine.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| ThreatName UnicodeString | |
| ThreatID UnicodeString | |
| SeverityID UnicodeString | Known values |
| CategoryID UnicodeString | |
| FWLink UnicodeString | |
| Path UnicodeString | |
| Unused4 UnicodeString | |
| Unused5 UnicodeString | |
| Unused6 UnicodeString | |
| Unused7 UnicodeString | |
| Unused8 UnicodeString | |
| Unused9 UnicodeString | |
| Unused10 UnicodeString | |
| Unused11 UnicodeString | |
| SeverityName UnicodeString | |
| CategoryName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References
Event ID 1013: Product Name has removed history of malware and other potentially unwanted software.
Description
Product Name has removed history of malware and other potentially unwanted software.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Timestamp UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 1013,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:07:25.039591+00:00",
"event_record_id": 1344,
"correlation": {},
"execution": {
"process_id": 3784,
"thread_id": 1608
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26010.5",
"Timestamp": "2026-02-22T18:07:23Z",
"Unused": "",
"Unused2": "",
"Unused3": "",
"Unused4": "",
"Domain": "NT AUTHORITY",
"User": "SYSTEM",
"SID": "S-1-5-18"
},
"message": ""
}
Detection Rules
Sigma rules referencing this event are listed in the coverage view.
References
Event ID 1014: ProductName has encountered an error trying to remove history of malware and other potentially unwanted software.
Description
ProductName has encountered an error trying to remove history of malware and other potentially unwanted software.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Timestamp UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
References
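Events 1009 through 1014 are the quarantine and detection-history side of Defender, and they matter for a different reason than detections: a restore from quarantine (1009) puts a flagged file back on disk, and a history purge (1013) removes the evidence that a detection ever happened. The page's own examples show both the interesting and the routine case: a domain administrator restoring a High-severity HackTool, and SYSTEM deleting a quarantined item and purging history. The following Python is an added example, not code from the page or from Microsoft; it walks these events in the page's JSON shape and attaches a reason to each one an analyst should read. The sample events reuse values from the page's 1009, 1011 and 1013 examples; the severity threshold (Severity ID 4 and above, the page shows 4 = High and 5 = Severe) and the choice of what to flag are this example's own.

```python
"""Flag quarantine and detection-history manipulation in the Defender
Operational log: 1009/1011 (item restored / deleted from quarantine),
1013 (detection history removed) and their error twins 1010/1012/1014.
"""
import re
from datetime import datetime

QUARANTINE_EVENTS = {
    1009: "restored from quarantine", 1010: "restore from quarantine failed",
    1011: "deleted from quarantine", 1012: "delete from quarantine failed",
    1013: "detection history removed", 1014: "history removal failed",
}
LOCAL_SYSTEM = "S-1-5-18"

# Constructed sample events in the page's JSON shape, trimmed to the fields
# used here; values are taken from the page's 1009, 1011 and 1013 examples.
SAMPLE_EVENTS = [
    {"system": {"event_id": 1009, "time_created": "2026-05-30T15:47:15.1238364+00:00"},
     "event_data": {"Domain": "ludus", "User": "domainadmin",
                    "SID": "S-1-5-21-1006758700-2167138679-1475694448-1105",
                    "Threat Name": "HackTool:JS/Jsprat", "Severity ID": "4", "Severity Name": "High",
                    "Path": r"file:_C:\Users\domainadmin\AppData\Local\Temp\atomics.zip"}},
    {"system": {"event_id": 1011, "time_created": "2026-05-30T02:07:21.9451408+00:00"},
     "event_data": {"Domain": "NT AUTHORITY", "User": "SYSTEM", "SID": LOCAL_SYSTEM,
                    "Threat Name": "Trojan:Win32/Wacatac.H!ml", "Severity ID": "5",
                    "Severity Name": "Severe",
                    "Path": r"file:_C:\Users\domainuser\Downloads\finance - Copy.scr"}},
    {"system": {"event_id": 1013, "time_created": "2026-03-09T18:07:25.039591+00:00"},
     "event_data": {"Domain": "NT AUTHORITY", "User": "SYSTEM", "SID": LOCAL_SYSTEM,
                    "Timestamp": "2026-02-22T18:07:23Z"}},
]


def parse_ts(value):
    """Normalise seven-digit fractions and 'Z' before datetime.fromisoformat."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value.replace("Z", "+00:00"))
    return datetime.fromisoformat(value)


def quarantine_tamper_report(events, high_severity=4):
    """One finding per quarantine/history event, oldest first, with 'flags'
    giving the reasons an analyst should look at it. Severity ID 4 (High)
    and 5 (Severe) are the values the page's examples show; lower IDs are
    not flagged on severity alone."""
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["system"]["time_created"])):
        eid = ev["system"]["event_id"]
        if eid not in QUARANTINE_EVENTS:
            continue
        d = ev["event_data"]
        logged = parse_ts(ev["system"]["time_created"])
        sid = d.get("SID", "")
        by_user = sid != LOCAL_SYSTEM
        flags = []
        if eid == 1009:
            if int(d.get("Severity ID") or 0) >= high_severity:
                flags.append("%s-severity %s released from quarantine"
                             % (d.get("Severity Name"), d.get("Threat Name")))
            if by_user:
                flags.append("restore attributed to a user account rather than SYSTEM")
        elif eid == 1011 and by_user:
            flags.append("quarantined item deleted by a user account")
        elif eid == 1013:
            # Timestamp precedes the event (by 15 days in the page's example).
            # Report the gap and the actor: SYSTEM plus a multi-day gap reads
            # like retention housekeeping, a user account does not.
            gap_days = (logged - parse_ts(d["Timestamp"])).days
            flags.append("history removed (Timestamp %d days before the event%s)"
                         % (gap_days, ", by a user account" if by_user else ""))
        elif eid in (1010, 1012, 1014):
            flags.append(("%s: %s %s" % (QUARANTINE_EVENTS[eid], d.get("ErrorCode", ""),
                                         d.get("ErrorDescription", ""))).strip())
        findings.append({
            "time": logged.isoformat(), "event_id": eid, "action": QUARANTINE_EVENTS[eid],
            "actor": "%s\\%s" % (d.get("Domain"), d.get("User")), "sid": sid,
            "threat": d.get("Threat Name"), "path": d.get("Path"), "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for f in quarantine_tamper_report(SAMPLE_EVENTS):
        print(f["time"], f["event_id"], f["action"], f["actor"], f["flags"])
```

Run against the page's three examples, the 1009 gets two flags (High-severity HackTool, restored by ludus\domainadmin), the 1011 by SYSTEM gets none, and the 1013 is reported with its 15-day gap. The 1009 Path in the page's example lists two resources separated by "; "; the report keeps that field raw, since the Path grammar is the same one the 1116/1117 events use and is better handled once, where those events are discussed.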
Event ID 1015: ProductName has detected a suspicious behavior.
Description
ProductName has detected a suspicious behavior.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionID UnicodeString | |
| DetectionSourceIndex UnicodeString | |
| DetectionSource UnicodeString | |
| Unused UnicodeString | |
| ProcessName UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| ThreatName UnicodeString | |
| ThreatID UnicodeString | |
| SeverityID UnicodeString | Known values |
| CategoryID UnicodeString | |
| FWLink UnicodeString | |
| PathFound UnicodeString | |
| DetectionOriginIndex UnicodeString | |
| DetectionOrigin UnicodeString | |
| ExecutionStatusIndex UnicodeString | |
| ExecutionStatus UnicodeString | |
| DetectionTypeIndex UnicodeString | |
| DetectionType UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| SeverityName UnicodeString | |
| CategoryName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
| ProcessID UnicodeString | |
| SecurityintelligenceID UnicodeString | |
| FidelityValue UnicodeString | |
| FidelityLabel UnicodeString | |
| ImageFileHash UnicodeString | |
| Unused4 UnicodeString | |
| Unused5 UnicodeString | |
| TargetFileName UnicodeString | |
| TargetFileHash UnicodeString | |
References
Event ID 1116: Product Name has detected malware or other potentially unwanted software.
Description
Product Name has detected malware or other potentially unwanted software.
Message
Fields
| Name | Description | Rules |
|---|---|---|
| ProductName | | |
| ProductVersion | | |
| DetectionID | | |
| DetectionTime | | |
| Unused UnicodeString | | |
| Unused2 UnicodeString | | |
| ThreatID | | |
| ThreatName | | |
| SeverityID | Known values | |
| SeverityName | | |
| CategoryID | | |
| CategoryName | | |
| FWLink UnicodeString | | |
| StatusCode | NTSTATUS reference | |
| StatusDescription | | |
| State UnicodeString | | |
| SourceID | Known values | |
| SourceName | | 1 detection rule |
| ProcessName | | |
| DetectionUser | | |
| Unused3 UnicodeString | | |
| Path UnicodeString | | |
| OriginID | Known values | |
| OriginName | | |
| ExecutionID | | |
| ExecutionName | | |
| TypeID | | |
| TypeName | | |
| PreExecutionStatus | | |
| ActionID | Known values | |
| ActionName | | |
| Unused4 UnicodeString | | |
| ErrorCode | | |
| ErrorDescription | | |
| Unused5 UnicodeString | | |
| PostCleanStatus | | |
| AdditionalActionsID | | |
| AdditionalActionsString | | |
| RemediationUser | | |
| Unused6 UnicodeString | | |
| SecurityintelligenceVersion | | |
| EngineVersion | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 1116,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2019-07-18T20:51:50.798995+00:00",
"event_record_id": 102,
"correlation": {
"ActivityID": "40013F0F-EF76-4940-A8B2-4DE50BE9AAC3"
},
"execution": {
"process_id": 6024,
"thread_id": 6068
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "%%827",
"Product Version": "4.18.1906.3",
"Detection ID": "{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}",
"Detection Time": "2019-07-18T20:40:16.697Z",
"Unused": "",
"Unused2": "",
"Threat ID": "2147708292",
"Threat Name": "HackTool:JS/Jsprat",
"Severity ID": "4",
"Severity Name": "High",
"Category ID": "34",
"Category Name": "Tool",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0",
"Status Code": "1",
"Status Description": "",
"State": "1",
"Source ID": "3",
"Source Name": "%%818",
"Process Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Detection User": "MSEDGEWIN10\\IEUser",
"Unused3": "",
"Path": "containerfile:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0068)",
"Origin ID": "1",
"Origin Name": "%%845",
"Execution ID": "1",
"Execution Name": "%%813",
"Type ID": "8",
"Type Name": "%%862",
"Pre Execution Status": "0",
"Action ID": "9",
"Action Name": "%%887",
"Unused4": "",
"Error Code": "0x00000000",
"Error Description": "The operation completed successfully. ",
"Unused5": "",
"Post Clean Status": "0",
"Additional Actions ID": "0",
"Additional Actions String": "No additional actions required",
"Remediation User": "",
"Unused6": "",
"Signature Version": "AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0",
"Engine Version": "AM: 1.1.16100.4, NIS: 0.0.0.0"
},
"message": ""
}
Detection Rules
Sigma rules referencing this event are listed in the coverage view.
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/
- MS Learn Defender PowerShell module / MSFT_MpPreference https://learn.microsoft.com/en-us/powershell/module/defender/
Event ID 1117: Product Name has taken action to protect this machine from malware or other potentially unwanted software.
Description
Product Name has taken action to protect this machine from malware or other potentially unwanted software.
Message
Fields
| Name | Description |
|---|---|
| ProductName | |
| ProductVersion | |
| DetectionID | |
| DetectionTime | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| ThreatID | |
| ThreatName | |
| SeverityID | Known values |
| SeverityName | |
| CategoryID | |
| CategoryName | |
| FWLink UnicodeString | |
| StatusCode | NTSTATUS reference |
| StatusDescription | |
| State UnicodeString | |
| SourceID | Known values |
| SourceName | |
| ProcessName | |
| DetectionUser | |
| Unused3 UnicodeString | |
| Path UnicodeString | |
| OriginID | Known values |
| OriginName | |
| ExecutionID | |
| ExecutionName | |
| TypeID | |
| TypeName | |
| PreExecutionStatus | |
| ActionID | Known values |
| ActionName | |
| Unused4 UnicodeString | |
| ErrorCode | |
| ErrorDescription | |
| Unused5 UnicodeString | |
| PostCleanStatus | |
| AdditionalActionsID | |
| AdditionalActionsString | |
| RemediationUser | |
| Unused6 UnicodeString | |
| SecurityintelligenceVersion | |
| EngineVersion | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 1117,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2019-07-18T20:53:31.952569+00:00",
"event_record_id": 106,
"correlation": {
"ActivityID": "2AD0CF94-C382-4568-A488-1253A4ED0F54"
},
"execution": {
"process_id": 6024,
"thread_id": 6068
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "%%827",
"Product Version": "4.18.1906.3",
"Detection ID": "{8791B1FB-0FE7-412E-B084-524CB5A221F3}",
"Detection Time": "2019-07-18T20:40:13.775Z",
"Unused": "",
"Unused2": "",
"Threat ID": "2147735426",
"Threat Name": "Trojan:XML/Exeselrun.gen!A",
"Severity ID": "5",
"Severity Name": "Severe",
"Category ID": "8",
"Category Name": "Trojan",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:XML/Exeselrun.gen!A&threatid=2147735426&enterprise=0",
"Status Code": "5",
"Status Description": "",
"State": "2",
"Source ID": "3",
"Source Name": "%%818",
"Process Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"Detection User": "MSEDGEWIN10\\IEUser",
"Unused3": "",
"Path": "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1086\\payloads\\test.xsl",
"Origin ID": "1",
"Origin Name": "%%845",
"Execution ID": "1",
"Execution Name": "%%813",
"Type ID": "2",
"Type Name": "%%823",
"Pre Execution Status": "0",
"Action ID": "6",
"Action Name": "%%811",
"Unused4": "",
"Error Code": "0x80508023",
"Error Description": "The program could not find the malware and other potentially unwanted software on this device. ",
"Unused5": "",
"Post Clean Status": "0",
"Additional Actions ID": "0",
"Additional Actions String": "No additional actions required",
"Remediation User": "NT AUTHORITY\\SYSTEM",
"Unused6": "",
"Signature Version": "AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0",
"Engine Version": "AM: 1.1.16100.4, NIS: 0.0.0.0"
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
- RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/
- MS Learn Defender PowerShell module / MSFT_MpPreference https://learn.microsoft.com/en-us/powershell/module/defender/
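A 1116 says Defender saw something; only a 1117 (or a 1118/1119 error) with the same Detection ID says what became of it, and the page's 1117 example is a reminder that "has taken action" does not mean "cleaned": its Error Code is 0x80508023, the file could not be found. Two other details of the page's examples bite in practice: the Path field packs several resources into one string ("containerfile:_…; file:_…->(SCRIPT0005); …"), and name fields come through as unresolved "%%NNN" placeholders when the exporter lacked the provider's message table (Product Name "%%827", Source Name "%%818"). The following Python is an added example, not code from the page or from Microsoft: it pairs detections with their outcome by Detection ID, splits Path into individual resources, measures how far the log write trails the Detection Time, and reports placeholder fields instead of guessing what they stand for. The sample events reuse values from the page's 1116 and 1117 examples, which carry different Detection IDs and therefore do not close each other; the resource grammar is inferred from those two Path strings.

```python
"""Correlate Defender detections (1116) with their remediation outcome
(1117 action taken, 1118 non-critical error, 1119 critical error) by
Detection ID, and split the Path field into its individual resources.
"""
import re
from datetime import datetime

# Each resource is '<kind>:_<path>' with an optional '->(<subresource>)'
# suffix for a match inside a container or script; resources are joined
# with '; ' (both forms appear in the page's 1116 example).
RESOURCE_RE = re.compile(r"^(?P<kind>[A-Za-z]+):_(?P<path>.*?)(?:->\((?P<sub>[^)]*)\))?$")

# Constructed sample events in the page's JSON shape, trimmed to the fields
# used here, with values from the page's 1116 and 1117 examples.
_JSP = r"C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp"
SAMPLE_EVENTS = [
    {"system": {"event_id": 1116, "time_created": "2019-07-18T20:51:50.798995+00:00"},
     "event_data": {"Product Name": "%%827",
                    "Detection ID": "{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}",
                    "Detection Time": "2019-07-18T20:40:16.697Z",
                    "Threat Name": "HackTool:JS/Jsprat", "Severity Name": "High",
                    "Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "Detection User": r"MSEDGEWIN10\IEUser", "Source Name": "%%818",
                    "Path": "; ".join(["containerfile:_" + _JSP] + [
                        "file:_%s->(%s)" % (_JSP, s) for s in
                        ("SCRIPT0005", "SCRIPT0037", "SCRIPT0045", "SCRIPT0065", "SCRIPT0068")]),
                    "Action ID": "9", "Action Name": "%%887", "Error Code": "0x00000000"}},
    {"system": {"event_id": 1117, "time_created": "2019-07-18T20:53:31.952569+00:00"},
     "event_data": {"Product Name": "%%827",
                    "Detection ID": "{8791B1FB-0FE7-412E-B084-524CB5A221F3}",
                    "Detection Time": "2019-07-18T20:40:13.775Z",
                    "Threat Name": "Trojan:XML/Exeselrun.gen!A", "Severity Name": "Severe",
                    "Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "Detection User": r"MSEDGEWIN10\IEUser",
                    "Path": r"file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl",
                    "Action ID": "6", "Action Name": "%%811", "Error Code": "0x80508023",
                    "Error Description": "The program could not find the malware and other "
                                         "potentially unwanted software on this device. "}},
]


def parse_ts(value):
    """Normalise seven-digit fractions and 'Z' before datetime.fromisoformat."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value.replace("Z", "+00:00"))
    return datetime.fromisoformat(value)


def parse_resources(path_field):
    """Split the Path field into [{'kind', 'path', 'sub'}]. Items that do not
    match the pattern are kept raw under kind 'unparsed' instead of dropped."""
    out = []
    for item in (s.strip() for s in path_field.split("; ")):
        if not item:
            continue
        m = RESOURCE_RE.match(item)
        out.append({"kind": m["kind"], "path": m["path"], "sub": m["sub"]} if m
                   else {"kind": "unparsed", "path": item, "sub": None})
    return out


def is_unresolved(value):
    """'%%NNN' is a message-table placeholder the exporter could not resolve;
    report it as unknown rather than treating it as the field's value."""
    return isinstance(value, str) and value.startswith("%%")


def correlate_detections(events):
    """Return {detection_id: summary}. 1116 supplies the detection; any
    1117/1118/1119 with the same Detection ID supplies the outcome, and only
    a 1117 whose Error Code is 0x00000000 counts as completed."""
    summaries = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["system"]["time_created"])):
        eid = ev["system"]["event_id"]
        if eid not in (1116, 1117, 1118, 1119):
            continue
        d = ev["event_data"]
        s = summaries.setdefault(d["Detection ID"], {
            "threat": None, "severity": None, "process": None, "user": None,
            "resources": [], "detection_time": None, "log_lag_seconds": None,
            "action_id": None, "remediation": "no remediation event", "unresolved_fields": set()})
        s["unresolved_fields"].update(k for k, v in d.items() if is_unresolved(v))
        for key, name in (("threat", "Threat Name"), ("severity", "Severity Name"),
                          ("process", "Process Name"), ("user", "Detection User")):
            s[key] = s[key] or d.get(name)
        if not s["resources"]:
            s["resources"] = parse_resources(d.get("Path", ""))
        if eid == 1116:
            detected = parse_ts(d["Detection Time"])
            s["detection_time"] = detected.isoformat()
            # The log entry lands well after the detection (11 minutes in the
            # page's example); build timelines from Detection Time, not the
            # record's own timestamp.
            s["log_lag_seconds"] = int((parse_ts(ev["system"]["time_created"]) - detected).total_seconds())
        else:
            code = d.get("Error Code") or "0x0"
            s["action_id"] = d.get("Action ID")
            if eid == 1117 and int(code, 16) == 0:
                s["remediation"] = "completed"
            else:
                kind = {1117: "error", 1118: "non-critical error", 1119: "critical error"}[eid]
                s["remediation"] = "%s %s: %s" % (kind, code, d.get("Error Description", "").strip())
    return summaries


if __name__ == "__main__":
    for det_id, s in correlate_detections(SAMPLE_EVENTS).items():
        print(det_id, s["threat"], s["remediation"], len(s["resources"]), sorted(s["unresolved_fields"]))
```

On the page's data this yields two open items: the Jsprat detection has six resources (the .jsp container and five script matches inside it) and no remediation event at all, and the Exeselrun.gen!A remediation is recorded as an error because of its 0x80508023 code. The Action ID values are carried through untouched; the page marks them as "Known values" without listing them, and with the Action Name unresolved ("%%811", "%%887") the code has nothing it can safely map them to.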
Event ID 1118: ProductName has encountered a non-critical error when taking action on malware or other potentially unwanted software.
Description
ProductName has encountered a non-critical error when taking action on malware or other potentially unwanted software.
Message
Fields
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionID UnicodeString | |
| DetectionTime UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| ThreatID UnicodeString | |
| ThreatName UnicodeString | |
| SeverityID UnicodeString | Known values |
| SeverityName UnicodeString | |
| CategoryID UnicodeString | |
| CategoryName UnicodeString | |
| FWLink UnicodeString | |
| StatusCode UnicodeString | NTSTATUS reference |
| StatusDescription UnicodeString | |
| State UnicodeString | |
| SourceID UnicodeString | Known values |
| SourceName UnicodeString | |
| ProcessName UnicodeString | |
| DetectionUser UnicodeString | |
| Unused3 UnicodeString | |
| Path UnicodeString | |
| OriginID UnicodeString | Known values |
| OriginName UnicodeString | |
| ExecutionID UnicodeString | |
| ExecutionName UnicodeString | |
| TypeID UnicodeString | |
| TypeName UnicodeString | |
| PreExecutionStatus UnicodeString | |
| ActionID UnicodeString | Known values |
| ActionName UnicodeString | |
| Unused4 UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| Unused5 UnicodeString | |
| PostCleanStatus UnicodeString | |
| AdditionalActionsID UnicodeString | |
| AdditionalActionsString UnicodeString | |
| RemediationUser UnicodeString | |
| Unused6 UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References
- RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/
- MS Learn Defender PowerShell module / MSFT_MpPreference https://learn.microsoft.com/en-us/powershell/module/defender/
Event ID 1119: ProductName has encountered a critical error when taking action on malware or other potentially unwanted software.
#Description
ProductName has encountered a critical error when taking action on malware or other potentially unwanted software.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| ProductName UnicodeString | | |
| ProductVersion UnicodeString | | |
| DetectionID UnicodeString | | |
| DetectionTime UnicodeString | | |
| Unused UnicodeString | | |
| Unused2 UnicodeString | | |
| ThreatID UnicodeString | | |
| ThreatName UnicodeString | | 1 detection rule |
| SeverityID UnicodeString | Known values | |
| SeverityName UnicodeString | | |
| CategoryID UnicodeString | | |
| CategoryName UnicodeString | | |
| FWLink UnicodeString | | |
| StatusCode UnicodeString | NTSTATUS reference | |
| StatusDescription UnicodeString | | |
| State UnicodeString | | |
| SourceID UnicodeString | Known values | |
| SourceName UnicodeString | | 1 detection rule |
| ProcessName UnicodeString | | 1 detection rule |
| DetectionUser UnicodeString | | |
| Unused3 UnicodeString | | |
| Path UnicodeString | | 1 detection rule |
| OriginID UnicodeString | Known values | |
| OriginName UnicodeString | | |
| ExecutionID UnicodeString | | |
| ExecutionName UnicodeString | | |
| TypeID UnicodeString | | |
| TypeName UnicodeString | | |
| PreExecutionStatus UnicodeString | | |
| ActionID UnicodeString | Known values | |
| ActionName UnicodeString | | |
| Unused4 UnicodeString | | |
| ErrorCode UnicodeString | | |
| ErrorDescription UnicodeString | | |
| Unused5 UnicodeString | | |
| PostCleanStatus UnicodeString | | |
| AdditionalActionsID UnicodeString | | |
| AdditionalActionsString UnicodeString | | |
| RemediationUser UnicodeString | | |
| Unused6 UnicodeString | | |
| SecurityintelligenceVersion UnicodeString | | |
| EngineVersion UnicodeString | | |
Detection Rules #
View all rules referencing this event →
Sigma #
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers, holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
References #
- RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/
- MS Learn Defender PowerShell module / MSFT_MpPreference https://learn.microsoft.com/en-us/powershell/module/defender/
Event ID 1120: ProductName has deduced the hashes for a threat resource.
#Description
ProductName has deduced the hashes for a threat resource.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| Threatresourcepath UnicodeString | |
| Hashes UnicodeString | |
References #
- RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/
- MS Learn Defender PowerShell module / MSFT_MpPreference https://learn.microsoft.com/en-us/powershell/module/defender/
Event ID 1121: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
#Description
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| Product Name | | |
| Product Version | | |
| Unused UnicodeString | | |
| ID UnicodeString | | |
| Detection Time | | |
| User UnicodeString | | |
| Path UnicodeString | | 1 detection rule |
| Process Name | | |
| Security intelligence Version | | |
| Engine Version | | |
| RuleType UnicodeString | | |
| Target Commandline | | |
| Parent Commandline | | |
| Involved File | | |
| Inhertiance Flags | | |
| ProductName UnicodeString | | |
| ProductVersion UnicodeString | | |
| DetectionTime UnicodeString | | |
| ProcessName UnicodeString | | 17 detection rules |
| SecurityintelligenceVersion UnicodeString | | |
| EngineVersion UnicodeString | | |
| TargetCommandline UnicodeString | | |
| ParentCommandline UnicodeString | | |
| InvolvedFile UnicodeString | | |
| InhertianceFlags UnicodeString | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1121,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T14:15:36.1622673+00:00",
"event_record_id": 6305,
"correlation": {
"ActivityID": "{5DF4E046-A28D-4FBE-B553-6C83E2B1A15D}"
},
"execution": {
"process_id": 3292,
"thread_id": 3176
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Unused": "",
"ID": "D1E49AAC-8F56-4280-B9BA-993A6D77406C",
"Detection Time": "2026-05-30T14:15:36.161Z",
"User": "NT AUTHORITY\\NETWORK SERVICE",
"Path": "C:\\Windows\\System32\\cmd.exe",
"Process Name": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"Security intelligence Version": "1.451.175.0",
"Engine Version": "1.1.26040.8",
"RuleType": "ENT\\ConsR",
"Target Commandline": "cmd.exe /c echo EVTGEN-ASR-PROBE > %TEMP%\\evtgen_asr_probe.txt",
"Parent Commandline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"Involved File": "",
"Inhertiance Flags": "0x00000000"
},
"message": "Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.\r\n For more information please contact your IT administrator.\r\n \tID: D1E49AAC-8F56-4280-B9BA-993A6D77406C\r\n \tDetection time: 2026-05-30T14:15:36.161Z\r\n \tUser: NT AUTHORITY\\NETWORK SERVICE\r\n \tPath: C:\\Windows\\System32\\cmd.exe\r\n \tProcess Name: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\r\n \tTarget Commandline: cmd.exe /c echo EVTGEN-ASR-PROBE > %TEMP%\\evtgen_asr_probe.txt\r\n \tParent Commandline: C:\\Windows\\system32\\wbem\\wmiprvse.exe\r\n \tInvolved File: \r\n \tInheritance Flags: 0x00000000\r\n \tSecurity intelligence Version: 1.451.175.0\r\n \tEngine Version: 1.1.26040.8\r\n \tProduct Version: 4.18.26040.7\r\n"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| process_name | ends_with | \wmiprvse.exe | 1 rule | sigma |
Detection Rules #
View all rules referencing this event →
Sigma #
Kusto #
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
You may need to exclude software development users/machines/folders.
↳ also matches Event ID 1122: Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
References #
Event ID 1122: Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
#Description
Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Unused UnicodeString | |
| ID UnicodeString | |
| Detection Time | |
| User UnicodeString | |
| Path UnicodeString | |
| Process Name | |
| Security intelligence Version | |
| Engine Version | |
| RuleType UnicodeString | |
| Target Commandline | |
| Parent Commandline | |
| Involved File | |
| Inhertiance Flags | |
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionTime UnicodeString | |
| ProcessName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
| TargetCommandline UnicodeString | |
| ParentCommandline UnicodeString | |
| InvolvedFile UnicodeString | |
| InhertianceFlags UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1122,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T14:15:28.0001329+00:00",
"event_record_id": 6303,
"correlation": {
"ActivityID": "{5B69B6E9-CBF9-405A-9315-5D2CC183345E}"
},
"execution": {
"process_id": 3292,
"thread_id": 3176
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Unused": "",
"ID": "D1E49AAC-8F56-4280-B9BA-993A6D77406C",
"Detection Time": "2026-05-30T14:15:27.999Z",
"User": "ludus\\domainadmin",
"Path": "C:\\Windows\\System32\\conhost.exe",
"Process Name": "C:\\Windows\\System32\\cmd.exe",
"Security intelligence Version": "1.451.175.0",
"Engine Version": "1.1.26040.8",
"RuleType": "ENT\\ConsR",
"Target Commandline": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
"Parent Commandline": "cmd.exe /c echo EVTGEN-ASR-PROBE > %TEMP%\\evtgen_asr_probe.txt",
"Involved File": "",
"Inhertiance Flags": "0x00000001"
},
"message": "Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.\r\n For more information please contact your IT administrator.\r\n \tID: D1E49AAC-8F56-4280-B9BA-993A6D77406C\r\n \tDetection time: 2026-05-30T14:15:27.999Z\r\n \tUser: ludus\\domainadmin\r\n \tPath: C:\\Windows\\System32\\conhost.exe\r\n \tProcess Name: C:\\Windows\\System32\\cmd.exe\r\n \tTarget Commandline: \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1\r\n \tParent Commandline: cmd.exe /c echo EVTGEN-ASR-PROBE > %TEMP%\\evtgen_asr_probe.txt\r\n \tInvolved File: \r\n \tInheritance Flags: 0x00000001\r\n \tSecurity intelligence Version: 1.451.175.0\r\n \tEngine Version: 1.1.26040.8\r\n \tProduct Version: 4.18.26040.7\r\n"
}
Detection Rules #
View all rules referencing this event →
Kusto #
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
You may need to exclude software development users/machines/folders.
↳ also matches Event ID 1121: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
References #
Event ID 1123: ProcessName has been blocked from modifying Path by Controlled Folder Access.
#Description
ProcessName has been blocked from modifying Path by Controlled Folder Access.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| ID UnicodeString | |
| DetectionTime UnicodeString | |
| User UnicodeString | |
| Path UnicodeString | |
| ProcessName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References #
Event ID 1124: ProcessName would have been blocked from modifying Path by Controlled Folder Access.
#Description
ProcessName would have been blocked from modifying Path by Controlled Folder Access.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Unused UnicodeString | |
| ID UnicodeString | |
| Detection Time | |
| User UnicodeString | |
| Path UnicodeString | |
| Process Name | |
| Security intelligence Version | |
| Engine Version | |
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionTime UnicodeString | |
| ProcessName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1124,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T14:16:09.9021147+00:00",
"event_record_id": 6333,
"correlation": {
"ActivityID": "{FDAB464D-5EBD-496A-8447-DBFEED1DFCF6}"
},
"execution": {
"process_id": 3292,
"thread_id": 8224
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Unused": "",
"ID": "",
"Detection Time": "2026-05-30T14:16:09.900Z",
"User": "ludus\\domainadmin",
"Path": "%userprofile%\\Documents\\",
"Process Name": "C:\\Windows\\System32\\wsmprovhost.exe",
"Security intelligence Version": "1.451.175.0",
"Engine Version": "1.1.26040.8"
},
"message": "C:\\Windows\\System32\\wsmprovhost.exe would have been blocked from modifying %userprofile%\\Documents\\ by Controlled Folder Access.\r\n \tDetection time: 2026-05-30T14:16:09.900Z\r\n \tUser: ludus\\domainadmin\r\n \tPath: %userprofile%\\Documents\\\r\n \tProcess Name: C:\\Windows\\System32\\wsmprovhost.exe\r\n \tSecurity intelligence Version: 1.451.175.0\r\n \tEngine Version: 1.1.26040.8\r\n \tProduct Version: 4.18.26040.7\r\n"
}
References #
Event ID 1125: Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
#Description
Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| ID UnicodeString | |
| Detection Time | |
| User UnicodeString | |
| Destination UnicodeString | |
| Process Name | |
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionTime UnicodeString | |
| ProcessName UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1125,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T14:15:45.4894125+00:00",
"event_record_id": 6309,
"correlation": {
"ActivityID": "{BEE8253E-48BA-4F31-9D8C-72B08F80EAD3}"
},
"execution": {
"process_id": 3292,
"thread_id": 4288
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"ID": "",
"Detection Time": "2026-05-30T14:15:45.488Z",
"User": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"Destination": "https://smartscreenurlnetworkfilter.azurewebsites.net",
"Process Name": "wsmprovhost.exe"
},
"message": "Your IT administrator would have caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.\r\n \tDetection time: 2026-05-30T14:15:45.488Z\r\n \tUser: S-1-5-21-1006758700-2167138679-1475694448-1105\r\n \tDestination: https://smartscreenurlnetworkfilter.azurewebsites.net\r\n \tProcess Name: wsmprovhost.exe\r\n"
}
References #
Event ID 1126: Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
#Description
Your IT administrator has caused Microsoft Defender Exploit Guard to block a potentially dangerous network connection.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| ID UnicodeString | |
| DetectionTime UnicodeString | |
| User UnicodeString | |
| Destination UnicodeString | |
| ProcessName UnicodeString | |
References #
Event ID 1127: Controlled Folder Access blocked ProcessName from making changes to memory.
#Description
Controlled Folder Access blocked ProcessName from making changes to memory.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| ID UnicodeString | |
| DetectionTime UnicodeString | |
| User UnicodeString | |
| Path UnicodeString | |
| ProcessName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References #
Event ID 1128: Controlled Folder Access would have blocked ProcessName from making changes to memory.
#Description
Controlled Folder Access would have blocked ProcessName from making changes to memory.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| ID UnicodeString | |
| DetectionTime UnicodeString | |
| User UnicodeString | |
| Path UnicodeString | |
| ProcessName UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References #
Event ID 1129: A user has allowed a blocked Microsoft Defender Exploit Guard operation.
#Description
A user has allowed a blocked Microsoft Defender Exploit Guard operation.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| ID UnicodeString | |
| User UnicodeString | |
| Path UnicodeString | |
| ProcessName UnicodeString | |
| InvolvedFile UnicodeString | |
References #
Event ID 1130: {Product Name} blocked a behavior by {Source app}.
#Event ID 1131: ProductName has blocked an operation that your administrator doesn't allow.
#Description
ProductName has blocked an operation that your administrator doesn't allow.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| ID UnicodeString | |
| State UnicodeString | |
| Timestamp UnicodeString | |
| Action UnicodeString | |
| Process UnicodeString | |
| Source UnicodeString | |
| Target UnicodeString | |
| User UnicodeString | |
| SignatureVersion UnicodeString | |
| EngineVersion UnicodeString | |
References #
Event ID 1132: ProductName has audited an operation.
#Description
ProductName has audited an operation.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| ID UnicodeString | |
| State UnicodeString | |
| Timestamp UnicodeString | |
| Action UnicodeString | |
| Process UnicodeString | |
| Source UnicodeString | |
| Target UnicodeString | |
| User UnicodeString | |
| SignatureVersion UnicodeString | |
| EngineVersion UnicodeString | |
References #
Event ID 1133: ProductName has blocked an operation that your administrator doesn't allow.
#Description
ProductName has blocked an operation that your administrator doesn't allow.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| PolicyVersion UnicodeString | |
| PolicyRuleId UnicodeString | |
| EnforcementLevel UnicodeString | |
| AuditReason UnicodeString | |
| EventTimestamp UnicodeString | |
| ActionType UnicodeString | |
| Process UnicodeString | |
| Source UnicodeString | |
| Target UnicodeString | |
| SessionId UnicodeString | |
| UserSid UnicodeString | |
| SignatureVersion UnicodeString | |
| EngineVersion UnicodeString | |
References #
Event ID 1134: ProductName has audited an operation.
#Description
ProductName has audited an operation.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| PolicyVersion UnicodeString | |
| PolicyRuleId UnicodeString | |
| EnforcementLevel UnicodeString | |
| AuditReason UnicodeString | |
| EventTimestamp UnicodeString | |
| ActionType UnicodeString | |
| Process UnicodeString | |
| Source UnicodeString | |
| Target UnicodeString | |
| SessionId UnicodeString | |
| UserSid UnicodeString | |
| SignatureVersion UnicodeString | |
| EngineVersion UnicodeString | |
References #
Event ID 1150: Endpoint Protection client is up and running in a healthy state.
#Description
Endpoint Protection client is up and running in a healthy state.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Platform version | |
| Unused UnicodeString | |
| Engine version | |
| Security intelligence version | |
| ProductName | |
| Platformversion | |
| Engineversion | |
| Securityintelligenceversion | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1150,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T13:51:41.2952768+00:00",
"event_record_id": 719,
"correlation": {},
"execution": {
"process_id": 4284,
"thread_id": 2924
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Platform version": "4.18.26050.15",
"Unused": "",
"Engine version": "1.1.26050.11",
"Security intelligence version": "1.453.68.0"
},
"message": "Endpoint Protection client is up and running in a healthy state.\r\n \tPlatform version: 4.18.26050.15\r\n \tEngine version: 1.1.26050.11\r\n \tSecurity intelligence version: 1.453.68.0\r\n"
}
References #
Event ID 1151: Endpoint Protection client health report (time in UTC).
#Description
Endpoint Protection client health report (time in UTC).
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Platform version | |
| Unused UnicodeString | |
| Engine version | |
| NRI engine version | |
| AV security intelligence version | |
| AS security intelligence version | |
| NRI security intelligence version | |
| RTP state | |
| OA state | |
| IOAV state | |
| BM state | |
| Last AV security intelligence age | |
| Last AS security intelligence age | |
| Last quick scan age | |
| Last full scan age | |
| AV security intelligence creation time | |
| AS security intelligence creation time | |
| Last quick scan start time | |
| Last quick scan end time | |
| Last quick scan source | |
| Last full scan start time | |
| Last full scan end time | |
| Last full scan source | |
| Product status | |
| Latest engine version | |
| Engine up-to-date | |
| Latest platform version | |
| Platform up-to-date | |
| ProductName | |
| Platformversion | |
| Engineversion | |
| NRIengineversion | |
| AVsecurityintelligenceversion | |
| ASsecurityintelligenceversion | |
| NRIsecurityintelligenceversion | |
| RTPstate | |
| OAstate | |
| IOAVstate | |
| BMstate | |
| LastAVsecurityintelligenceage | |
| LastASsecurityintelligenceage | |
| Lastquickscanage | |
| Lastfullscanage | |
| AVsecurityintelligencecreationtime | |
| ASsecurityintelligencecreationtime | |
| Lastquickscanstarttime | |
| Lastquickscanendtime | |
| Lastquickscansource | |
| Lastfullscanstarttime | |
| Lastfullscanendtime | |
| Lastfullscansource | |
| Productstatus | |
| Latestengineversion | |
| Engineuptodate | |
| Latestplatformversion | |
| Platformuptodate | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 1151,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T13:51:41.2975836+00:00",
"event_record_id": 720,
"correlation": {},
"execution": {
"process_id": 4284,
"thread_id": 2924
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Platform version": "4.18.26050.15",
"Unused": "",
"Engine version": "1.1.26050.11",
"NRI engine version": "1.1.26050.11",
"AV security intelligence version": "1.453.68.0",
"AS security intelligence version": "1.453.68.0",
"NRI security intelligence version": "1.453.68.0",
"RTP state": "Enabled",
"OA state": "Enabled",
"IOAV state": "Enabled",
"BM state": "Enabled",
"Last AV security intelligence age": "0",
"Last AS security intelligence age": "0",
"Last quick scan age": "0",
"Last full scan age": "4294967295",
"AV security intelligence creation time": "2026-06-12T22:27:59Z",
"AS security intelligence creation time": "2026-06-12T22:27:59Z",
"Last quick scan start time": "2026-06-13T05:39:31Z",
"Last quick scan end time": "2026-06-13T05:43:05Z",
"Last quick scan source": "2",
"Last full scan start time": "1601-01-01T00:00:00Z",
"Last full scan end time": "1601-01-01T00:00:00Z",
"Last full scan source": "0",
"Product status": "0x00080000",
"Latest engine version": "1.1.26050.11",
"Engine up-to-date": "0",
"Latest platform version": "4.18.26050.15",
"Platform up-to-date": "1"
},
"message": "Endpoint Protection client health report (time in UTC):\r\n \tPlatform version: 4.18.26050.15\r\n \tEngine version: 1.1.26050.11\r\n \tNetwork Realtime Inspection engine version: 1.1.26050.11\r\n \tAntivirus security intelligence version: 1.453.68.0\r\n \tAntispyware security intelligence version: 1.453.68.0\r\n \tNetwork Realtime Inspection security intelligence version: 1.453.68.0\r\n \tRTP state: Enabled\r\n \tOA state: Enabled\r\n \tIOAV state: Enabled\r\n \tBM state: Enabled\r\n \tAntivirus security intelligence age: 0\r\n \tAntispyware security intelligence age: 0\r\n \tLast quick scan age: 0\r\n \tLast full scan age: 4294967295\r\n \tAntivirus security intelligence creation time: 2026-06-12T22:27:59Z\r\n \tAntispyware security intelligence creation time: 2026-06-12T22:27:59Z\r\n \tLast quick scan start time: 2026-06-13T05:39:31Z\r\n \tLast quick scan end time: 2026-06-13T05:43:05Z\r\n \tLast quick scan source: 2\r\n \tLast full scan start time: 1601-01-01T00:00:00Z\r\n \tLast full scan end time: 1601-01-01T00:00:00Z\r\n \tLast full scan source: 0\r\n \tProduct status: 0x00080000\r\n"
}
Detection Rules #
View all rules referencing this event →
Sigma #
References #
Event ID 1160: ProductName has detected potentially unwanted application(PUA).
#Description
ProductName has detected potentially unwanted application(PUA).
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| DetectionID UnicodeString | |
| DetectionTime UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| ThreatID UnicodeString | |
| ThreatName UnicodeString | |
| SeverityID UnicodeString | Known values |
| SeverityName UnicodeString | |
| CategoryID UnicodeString | |
| CategoryName UnicodeString | |
| FWLink UnicodeString | |
| StatusCode UnicodeString | NTSTATUS reference |
| StatusDescription UnicodeString | |
| State UnicodeString | |
| SourceID UnicodeString | Known values |
| SourceName UnicodeString | |
| ProcessName UnicodeString | |
| DetectionUser UnicodeString | |
| Unused3 UnicodeString | |
| Path UnicodeString | |
| OriginID UnicodeString | Known values |
| OriginName UnicodeString | |
| ExecutionID UnicodeString | |
| ExecutionName UnicodeString | |
| TypeID UnicodeString | |
| TypeName UnicodeString | |
| PreExecutionStatus UnicodeString | |
| ActionID UnicodeString | Known values |
| ActionName UnicodeString | |
| Unused4 UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| Unused5 UnicodeString | |
| PostCleanStatus UnicodeString | |
| AdditionalActionsID UnicodeString | |
| AdditionalActionsString UnicodeString | |
| RemediationUser UnicodeString | |
| Unused6 UnicodeString | |
| SecurityintelligenceVersion UnicodeString | |
| EngineVersion UnicodeString | |
References #
Event ID 2000: Product Name security intelligence version updated.
#Description
Product Name security intelligence version updated.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Current security intelligence Version | |
| Previous security intelligence Version | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| Security intelligence Type Index | |
| Security intelligence Type | |
| Update Type Index | |
| Update Type | |
| Current Engine Version | |
| Previous Engine Version | |
| ProductName | |
| ProductVersion | |
| CurrentsecurityintelligenceVersion | |
| PrevioussecurityintelligenceVersion | |
| SecurityintelligenceTypeIndex | |
| SecurityintelligenceType | |
| UpdateTypeIndex | |
| UpdateType | |
| CurrentEngineVersion | |
| PreviousEngineVersion | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 2000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T05:50:53.3765037+00:00",
"event_record_id": 686,
"correlation": {},
"execution": {
"process_id": 3912,
"thread_id": 3464
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Current security intelligence Version": "1.453.68.0",
"Previous security intelligence Version": "1.451.171.0",
"Unused": "",
"Unused2": "",
"Unused3": "",
"Domain": "NT AUTHORITY",
"User": "SYSTEM",
"SID": "S-1-5-18",
"Security intelligence Type Index": "2",
"Security intelligence Type": "AntiSpyware",
"Update Type Index": "1",
"Update Type": "Full",
"Current Engine Version": "1.1.26050.11",
"Previous Engine Version": "1.1.26040.8"
},
"message": "Microsoft Defender Antivirus security intelligence version updated.\r\n \tCurrent security intelligence Version: 1.453.68.0\r\n \tPrevious security intelligence Version: 1.451.171.0\r\n \tSecurity intelligence Type: AntiSpyware\r\n \tUpdate Type: Full\r\n \tUser: NT AUTHORITY\\SYSTEM\r\n \tCurrent Engine Version: 1.1.26050.11\r\n \tPrevious Engine Version: 1.1.26040.8"
}
References #
Event ID 2001: Product Name has encountered an error trying to update security intelligence.
#Description
Product Name has encountered an error trying to update security intelligence.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| CurrentsecurityintelligenceVersion UnicodeString | |
| PrevioussecurityintelligenceVersion UnicodeString | |
| UpdateSourceIndex UnicodeString | |
| UpdateSource UnicodeString | |
| Unused UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| SecurityintelligenceTypeIndex UnicodeString | |
| SecurityintelligenceType UnicodeString | |
| UpdateTypeIndex UnicodeString | |
| UpdateType UnicodeString | |
| CurrentEngineVersion UnicodeString | |
| PreviousEngineVersion UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| UpdateStateIndex UnicodeString | |
| UpdateState UnicodeString | |
| SourcePath UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 2001,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:17:06.846703+00:00",
"event_record_id": 1315,
"correlation": {
"ActivityID": "4BE4BD99-4F61-4990-9CE4-215B5E5A9104"
},
"execution": {
"process_id": 3728,
"thread_id": 5300
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26010.5",
"Current security intelligence Version": "",
"Previous security intelligence Version": "1.445.426.0",
"Update Source Index": "7",
"Update Source": "Microsoft Update Server",
"Unused": "",
"Domain": "NT AUTHORITY",
"User": "SYSTEM",
"SID": "S-1-5-18",
"Security intelligence Type Index": "1",
"Security intelligence Type": "AntiVirus",
"Update Type Index": "1",
"Update Type": "Full",
"Current Engine Version": "",
"Previous Engine Version": "1.1.26010.1",
"Error Code": "0x8007045b",
"Error Description": "A system shutdown is in progress. ",
"Update State Index": "1",
"Update State": "Search",
"Source Path": "Default URL"
},
"message": ""
}
References #
Event ID 2002: Product Name engine version has been updated.
#Description
Product Name engine version has been updated.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Current Engine Version | |
| Previous Engine Version | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| Unused4 UnicodeString | |
| Unused5 UnicodeString | |
| Feature Index | |
| Feature Name | |
| ProductName | |
| ProductVersion | |
| CurrentEngineVersion | |
| PreviousEngineVersion | |
| FeatureIndex | |
| FeatureName | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 2002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T05:50:53.3754720+00:00",
"event_record_id": 684,
"correlation": {},
"execution": {
"process_id": 3912,
"thread_id": 3464
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Current Engine Version": "1.1.26050.11",
"Previous Engine Version": "1.1.26040.8",
"Unused": "",
"Unused2": "",
"Unused3": "",
"Domain": "NT AUTHORITY",
"User": "SYSTEM",
"SID": "S-1-5-18",
"Unused4": "",
"Unused5": "",
"Feature Index": "0",
"Feature Name": "Antimalware"
},
"message": "Microsoft Defender Antivirus engine version has been updated.\r\n \tCurrent Engine Version: 1.1.26050.11\r\n \tPrevious Engine Version: 1.1.26040.8\r\n \tUser: NT AUTHORITY\\SYSTEM"
}
References #
Event ID 2003: ProductName has encountered an error trying to update the engine. #
Description #
ProductName has encountered an error trying to update the engine.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| CurrentEngineVersion UnicodeString | |
| PreviousEngineVersion UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| UpdateStateIndex UnicodeString | |
| UpdateState UnicodeString | |
References #
Event ID 2004: ProductName has encountered an error trying to update security intelligence and will attempt to revert to a previous version. #
Description #
ProductName has encountered an error trying to update security intelligence and will attempt to revert to a previous version.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| SecurityintelligenceAttemptedIndex UnicodeString | |
| SecurityintelligenceAttempted UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Loadingsecurityintelligenceversion UnicodeString | |
| Loadingengineversion UnicodeString | |
References #
Event ID 2005: ProductName could not load antimalware engine because current platform version is not supported. #
Description #
ProductName could not load antimalware engine because current platform version is not supported. ProductName will revert back to the last known-good engine and a platform update will be attempted.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
References #
Event ID 2006: ProductName has encountered an error trying to update the platform. #
Event ID 2007: ProductName will soon require a newer platform version to support future versions of the antimalware engine. #
Description #
ProductName will soon require a newer platform version to support future versions of the antimalware engine. Download the latest ProductName platform to maintain the best level of protection available.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
References #
Event ID 2008: ProductName platform update update to NewPlatformVersion is paused due to system activity. #
Description #
ProductName platform update update to NewPlatformVersion is paused due to system activity. For more details see the latest MpLog*.log entry under ProgramData.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Unused UnicodeString | |
| NewPlatformVersion UnicodeString | |
References #
Event ID 2009: ProductName platform update to NewPlatformVersion has resumed. #
Event ID 2010: Product Name used cloud protection to get additional security intelligence. #
Description #
Product Name used cloud protection to get additional security intelligence.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Current security intelligence Version | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| Security intelligence Type Index | |
| Security intelligence Type | |
| Unused5 UnicodeString | |
| Unused6 UnicodeString | |
| Current Engine Version | |
| Unused7 UnicodeString | |
| Unused8 UnicodeString | |
| Unused9 UnicodeString | |
| Unused10 UnicodeString | |
| Unused11 UnicodeString | |
| Unused12 UnicodeString | |
| Cloud protection intelligence Type Index | |
| Cloud protection intelligence Type | |
| Persistence Path | |
| Cloud protection intelligence Version | |
| Cloud protection intelligence Compilation Timestamp | |
| Persistence Limit Type Index | |
| Persistence Limit Type | |
| Persistence Limit Value | |
| ProductName | |
| ProductVersion | |
| CurrentsecurityintelligenceVersion | |
| SecurityintelligenceTypeIndex | |
| SecurityintelligenceType | |
| CurrentEngineVersion | |
| CloudprotectionintelligenceTypeIndex | |
| CloudprotectionintelligenceType | |
| PersistencePath | |
| CloudprotectionintelligenceVersion | |
| CloudprotectionintelligenceCompilationTimestamp | |
| PersistenceLimitTypeIndex | |
| PersistenceLimitType | |
| PersistenceLimitValue | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 2010,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-28T12:08:47.2710212+00:00",
"event_record_id": 339,
"correlation": {},
"execution": {
"process_id": 3524,
"thread_id": 4460
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Current security intelligence Version": "1.451.146.0",
"Unused": "",
"Unused2": "",
"Unused3": "",
"Unused4": "",
"Domain": "",
"User": "",
"SID": "",
"Security intelligence Type Index": "0",
"Security intelligence Type": "",
"Unused5": "",
"Unused6": "",
"Current Engine Version": "1.1.26040.8",
"Unused7": "",
"Unused8": "",
"Unused9": "",
"Unused10": "",
"Unused11": "",
"Unused12": "",
"Cloud protection intelligence Type Index": "1",
"Cloud protection intelligence Type": "Security intelligence update",
"Persistence Path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\data\\16d35a2b712b574f78fd5dde93e1caea89414ad1",
"Cloud protection intelligence Version": "0.0.0.0",
"Cloud protection intelligence Compilation Timestamp": "5/28/2026 7:08:47 PM",
"Persistence Limit Type Index": "2",
"Persistence Limit Type": "Duration",
"Persistence Limit Value": "288000000"
},
"message": "Microsoft Defender Antivirus used cloud protection to get additional security intelligence.\r\n \tCurrent security intelligence Version: 1.451.146.0\r\n \tSecurity intelligence Type: \r\n \tUser: \\\r\n \tCurrent Engine Version: 1.1.26040.8\r\n \tCloud protection intelligence Type: Security intelligence update\r\n \tPersistence Path: C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\data\\16d35a2b712b574f78fd5dde93e1caea89414ad1\r\n \tCloud protection intelligence Version: 0.0.0.0\r\n \tCloud protection intelligence Compilation Timestamp: 5/28/2026 7:08:47 PM\r\n \tPersistence Limit Type: Duration\r\n \tPersistence Limit: 288000000"
}
References #
Event ID 2011: ProductName used cloud protection to discard obsolete security intelligence updates. #
Description #
ProductName used cloud protection to discard obsolete security intelligence updates.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| CurrentsecurityintelligenceVersion UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| SecurityintelligenceTypeIndex UnicodeString | |
| SecurityintelligenceType UnicodeString | |
| Unused5 UnicodeString | |
| Unused6 UnicodeString | |
| CurrentEngineVersion UnicodeString | |
| Unused7 UnicodeString | |
| Unused8 UnicodeString | |
| Unused9 UnicodeString | |
| Unused10 UnicodeString | |
| Unused11 UnicodeString | |
| Unused12 UnicodeString | |
| CloudprotectionintelligenceTypeIndex UnicodeString | |
| CloudprotectionintelligenceType UnicodeString | |
| PersistencePath UnicodeString | |
| CloudprotectionintelligenceVersion UnicodeString | |
| CloudprotectionintelligenceCompilationTimestamp UnicodeString | |
| PersistenceLimitTypeIndex UnicodeString | |
| PersistenceLimitType UnicodeString | |
| PersistenceLimitValue UnicodeString | |
| RemovalReasonIndex UnicodeString | |
| RemovalReasonValue UnicodeString | |
References #
Event ID 2012: ProductName has encountered an error trying to use cloud protection. #
Description #
ProductName has encountered an error trying to use cloud protection.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| CurrentsecurityintelligenceVersion UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| SecurityintelligenceTypeIndex UnicodeString | |
| SecurityintelligenceType UnicodeString | |
| Unused5 UnicodeString | |
| Unused6 UnicodeString | |
| CurrentEngineVersion UnicodeString | |
| Unused7 UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
| Unused8 UnicodeString | |
| Unused9 UnicodeString | |
| Unused10 UnicodeString | |
| CloudprotectionintelligenceTypeIndex UnicodeString | |
| CloudprotectionintelligenceType UnicodeString | |
| PersistencePath UnicodeString | |
| CloudprotectionintelligenceVersion UnicodeString | |
| CloudprotectionintelligenceCompilationTimestamp UnicodeString | |
| PersistenceLimitTypeIndex UnicodeString | |
| PersistenceLimitType UnicodeString | |
| PersistenceLimitValue UnicodeString | |
References #
Event ID 2013: ProductName discarded all cloud protection intelligence. #
Description #
ProductName discarded all cloud protection intelligence.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| CurrentsecurityintelligenceVersion UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| Unused3 UnicodeString | |
| Unused4 UnicodeString | |
| Domain UnicodeString | |
| User UnicodeString | |
| SID UnicodeString | |
| SecurityintelligenceTypeIndex UnicodeString | |
| SecurityintelligenceType UnicodeString | |
| Unused5 UnicodeString | |
| Unused6 UnicodeString | |
| CurrentEngineVersion UnicodeString | |
References #
Event ID 2014: Product Name platform update to Product Version has succeeded. #
Description #
Product Name platform update to Product Version has succeeded.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| ProductName | |
| ProductVersion | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 2014,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T05:51:26.5086726+00:00",
"event_record_id": 694,
"correlation": {},
"execution": {
"process_id": 4284,
"thread_id": 4512
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26050.15"
},
"message": "Microsoft Defender Antivirus platform update to 4.18.26050.15 has succeeded.\r\n"
}
References #
Event ID 2020: {Product Name} downloaded a clean file. #
Event ID 2021: {Product Name} has encountered an error trying to download a clean file. #
Event ID 2030: ProductName downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot. #
Event ID 2031: ProductName has encountered an error trying to download and configure Microsoft Defender Antivirus (offline scan). #
Event ID 2040: The support for your operating system will expire shortly. #
Event ID 2041: The support for your operating system has expired. #
Event ID 2042: The support for your operating system has expired. #
Description #
The support for your operating system has expired. ProductName is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
References #
Event ID 2050: Product Name has uploaded a file for further analysis. #
Description #
Product Name has uploaded a file for further analysis.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Filename UnicodeString | |
| Sha256 UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 2050,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-12T18:54:35.585634+00:00",
"event_record_id": 750,
"correlation": {
"ActivityID": "BE515C10-E001-43C7-997D-42CF5BAA18A7"
},
"execution": {
"process_id": 8580,
"thread_id": 4832
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26010.5",
"Filename": "C:\\Users\\domainuser\\Downloads\\ScreenConnect.ClientSetup.exe",
"Sha256": "981233ccb88f5d6dcb9d7856c364c1d377153564202bba6935f97da5d2f3d316"
},
"message": ""
}
References #
Event ID 2051: ProductName has encountered an error trying to upload a suspicious file for further analysis. #
Description #
ProductName has encountered an error trying to upload a suspicious file for further analysis.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| Filename UnicodeString | |
| Sha256 UnicodeString | |
| CurrentsecurityintelligenceVersion UnicodeString | |
| CurrentEngineVersion UnicodeString | |
| ErrorCode UnicodeString | |
References #
Event ID 3000: {Product Name} Real-Time Protection agents have started. #
Event ID 3001: {Product Name} Real-Time Protection agents have stopped. #
Event ID 3002: ProductName Real-Time Protection feature has encountered an error and failed. #
Description #
ProductName Real-Time Protection feature has encountered an error and failed.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| ProductName UnicodeString | | |
| ProductVersion UnicodeString | | |
| FeatureName UnicodeString | | |
| Reason UnicodeString | | 2 detection rules |
| ErrorCode UnicodeString | | |
| ErrorDescription UnicodeString | | |
| FeatureID UnicodeString | | |
Detection Rules #
Sigma #
References #
Event ID 3003: {Product Name} Real-Time Protection checkpoint has encountered an error and failed to start. #
Event ID 3004: {Product Name} Real-Time Protection agent has detected changes. #
Event ID 3005: {Product Name} Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software. #
Event ID 3006: {Product Name} Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. #
Event ID 3007: ProductName Real-time Protection feature has restarted. #
Description #
ProductName Real-time Protection feature has restarted. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| FeatureName UnicodeString | |
| Reason UnicodeString | |
| Unused UnicodeString | |
| Unused2 UnicodeString | |
| FeatureID UnicodeString | |
References #
Event ID 4000: {Product Name} AV OnAccess Filter has detected spyware or other potentially unwanted software. #
Event ID 4002: {param1} AV OnAccess Filter has taken action to protect this machine from detected spyware or other potentially unwanted software. #
Event ID 4003: {param1} AV OnAccess Filter has encountered an error when taking action on detected spyware or other potentially unwanted software. #
Event ID 5000: ProductName Real-time Protection scanning for malware and other potentially unwanted software was enabled. #
Description #
ProductName Real-time Protection scanning for malware and other potentially unwanted software was enabled.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"event_id": 5000,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-04-27T23:00:19.5556575+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-Windows Defender"
},
"event_data": {
"Product Version": "4.18.26030.3011",
"Product Name": "Microsoft Defender Antivirus"
}
}
References #
Event ID 5001: Product Name Real-time Protection scanning for malware and other potentially unwanted software was disabled. #
Description #
Product Name Real-time Protection scanning for malware and other potentially unwanted software was disabled.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName | |
| ProductVersion | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 5001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T00:11:26.945147+00:00",
"event_record_id": 150,
"correlation": {},
"execution": {
"process_id": 3332,
"thread_id": 9444
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.23090.2008"
},
"message": ""
}
Detection Rules #
Sigma #
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/
Event ID 5002: {param1} OnAccess scanning for viruses was enabled. #
Event ID 5003: {param1} OnAccess scanning for viruses was disabled. #
Event ID 5004: Product Name Real-time Protection feature configuration has changed. #
Description #
Product Name Real-time Protection feature configuration has changed.
Message #
Fields #
| Name | Description |
|---|---|
| Product Name | |
| Product Version | |
| Feature Name | |
| Configuration UnicodeString | |
| Unused UnicodeString | |
| Feature ID | |
| ProductName | |
| ProductVersion | |
| FeatureName | |
| FeatureID | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 5004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T05:51:16.3201393+00:00",
"event_record_id": 689,
"correlation": {},
"execution": {
"process_id": 3912,
"thread_id": 4984
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26040.7",
"Feature Name": "Network Inspection System",
"Configuration": "1",
"Unused": "",
"Feature ID": "9"
},
"message": "Microsoft Defender Antivirus Real-time Protection feature configuration has changed.\r\n \tFeature: Network Inspection System\r\n \tConfiguration: 1"
}
References #
Event ID 5005: {Product Name} Real-time Protection checkpoint configuration has changed. #
Event ID 5006: {param1} OnAccess filter seems to be a unloaded - OnAccess scanning is disabled - Please restart the service. #
Event ID 5007: Product Name Configuration has changed. #
Description #
Product Name Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| Product Name | | |
| Product Version | | |
| Old Value | | |
| New Value | | 1 detection rule |
| ProductName | | |
| ProductVersion | | |
| OldValue | | 1 detection rule |
| NewValue | | 13 detection rules |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"event_source_name": "",
"event_id": 5007,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T05:51:41.6499897+00:00",
"event_record_id": 704,
"correlation": {},
"execution": {
"process_id": 4284,
"thread_id": 4508
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26050.15",
"Old Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\Controls\\278 = 0x0",
"New Value": ""
},
"message": "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\Controls\\278 = 0x0\r\n \tNew value: "
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Details | contains | \appdata\local\temp\ | 1 rule | sigma |
| Details | contains | \desktop\ | 1 rule | sigma |
| Details | contains | \perflogs\ | 1 rule | sigma |
| Details | contains | \users\public\ | 1 rule | sigma |
| Details | contains | \windows\temp\ | 1 rule | sigma |
Detection Rules #
Sigma #
Splunk #
References #
Event ID 5008: ProductName engine has been terminated due to an unexpected error. #
Event ID 5009: ProductName scanning for spyware and other potentially unwanted software has been enabled. #
Event ID 5010: ProductName scanning for spyware and other potentially unwanted software is disabled. #
Description #
ProductName scanning for spyware and other potentially unwanted software is disabled.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
Detection Rules #
Sigma #
References #
Event ID 5011: ProductName scanning for viruses has been enabled. #
Event ID 5012: ProductName scanning for viruses is disabled. #
Description #
ProductName scanning for viruses is disabled.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
Detection Rules #
Sigma #
References #
Event ID 5013: Tamper Protection Changed Type a change to Product Name. #
Description #
Tamper Protection Changed Type a change to Product Name.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| ProductName UnicodeString | | |
| ProductVersion UnicodeString | | |
| ChangedType UnicodeString | | |
| Value UnicodeString | | 8 detection rules |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 5013,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-10T04:30:16.233011+00:00",
"event_record_id": 264,
"correlation": {},
"execution": {
"process_id": 8580,
"thread_id": 3380
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26010.5",
"Changed Type": "Ignored",
"Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SPYNET\\SpyNetReporting = 0x2"
},
"message": ""
}
Detection Rules #
Sigma #
References #
Event ID 5014: ProductName Resource Monitor: Memory consumption exceeded its limit. #
Event ID 5015: ProductName Resource Monitor: CPU utilization exceeded its limit. #
Event ID 5016: ProductName service seemed to be hung during shutdown. #
Event ID 5017: Product Name service feature has encountered an error and failed. #
Description #
Product Name service feature has encountered an error and failed.
Message #
Fields #
| Name | Description |
|---|---|
| ProductName UnicodeString | |
| ProductVersion UnicodeString | |
| FeatureName UnicodeString | |
| FailureId UnicodeString | |
| FailureReason UnicodeString | Known values |
| Recommendation UnicodeString | |
| ErrorCode UnicodeString | |
| ErrorDescription UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 5017,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-06T19:18:49.882801+00:00",
"event_record_id": 1270,
"correlation": {},
"execution": {
"process_id": 3940,
"thread_id": 4856
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.26010.5",
"Feature Name": "MDE AV Configurations",
"Failure Id": "0x00000003",
"Failure Reason": "Group Policy hive was not ready when MDE AV service started and AV configurations might be not as expected.",
"Recommendation": "Investigate recent changes in Group Policy server settings and reboot the device.",
"Error Code": "0x80070002",
"Error Description": "The system cannot find the file specified. "
},
"message": ""
}
References #
Event ID 5100: {Product Name} has entered a grace period and will soon expire. #
Event ID 5101: {Product Name} grace period has expired. #
Message #
Detection Rules #
Sigma #
References #
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78
Defined in Windows, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 4.18.26040.7, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 4.18.26040.7, captured 2026-06-02