TA-Microsoft-WinDefender v1.0.5
----------------------------
Microsoft Windows Defender TA for Splunk®. Inputs and extractions for use
with Splunk®.
Author information
----------------------------
Original Author: Patrick O'Connell
Version/Date: 1.0.6 / April 27, 2018
Sourcetype: XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational
Has index-time ops: false
Update History
----------------------------
1.0.6 April 27, 2018
--------
Updated lookup for event ID messages to match new Microsoft definitions.
Thanks to Mark Baumgartner of Creighton University for the catch.
1.0.5 Dec 30, 2017
--------
Fixed typo in EventTypes.conf. This makes tags work again. Thanks to
Chris Keladis from Katana1.
1.0.4 Nov 1, 2017
--------
Fixed wrong file inclusion for certification.
1.0.3 Oct 31, 2017
--------
Added definitions for all magic values found in Defender logs as of today.
1.0.2 Oct 1, 2017
--------
Fixing naming conventions and trademarks per SplunkBase documentation.
1.0.1 Sep 28, 2017
--------
Fixed file_path and file_name extractions. Thanks to people both
in Slack and the support team working at .Conf 2017.
1.0.0 Sep 18, 2017
--------
Initial release
Using this TA
----------------------------
Configuration: Install the TA via the GUI on all search heads, and install
it via your preferred method (manual or Deployment Server) on
forwarders running on Windows hosts that run Windows Defender.
Ensure that the universal forwarders are at least version 6.2.0.
This is required because the TA consumes the Windows XML event log format.
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/
For information on Windows Defender event codes, see below.
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
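As an added illustration of the kind of extraction this TA performs on the sourcetype above (this is example code, not the TA's own props/transforms or lookup), the block below parses a Windows Defender Operational event rendered as XmlWinEventLog and pulls out the event ID, threat name and the file_path/file_name values. The sample event is constructed, the Data Name values mirror the Defender 1116 layout as an assumption, and the event ID descriptions are a small assumed subset rather than the TA's lookup.

```python
"""Extract Splunk-style fields from a Windows Defender XmlWinEventLog event."""
import xml.etree.ElementTree as ET

# Windows event XML namespace (same for every channel rendered with renderXml)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed subset of Defender event ID descriptions; not the TA's lookup file.
EVENT_ID_MESSAGES = {
    1000: "Antimalware scan started",
    1001: "Antimalware scan finished",
    1116: "Antimalware platform detected malware or other potentially unwanted software",
    1117: "Antimalware platform performed an action to protect your system",
    5001: "Real-time protection is disabled",
}

# CONSTRUCTED sample: a 1116 detection with two paths joined by "; " as Defender does.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Windows Defender'/><EventID>1116</EventID>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>WKS01.example.test</Computer></System>
<EventData><Data Name='Threat Name'>Virus:DOS/EICAR_Test_File</Data>
<Data Name='Severity Name'>Severe</Data>
<Data Name='Path'>file:_C:\\Users\\alice\\Downloads\\eicar.com; file:_C:\\Temp\\eicar2.com</Data>
<Data Name='Detection User'>EXAMPLE\\alice</Data></EventData></Event>"""


def parse_defender_event(xml_text: str) -> dict:
    """Return the fields a Defender TA would surface for one XML event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

    # Defender writes "file:_C:\dir\name" (also "containerfile:_", "process:_"),
    # with several entries separated by ";" -- strip the resource prefix from each.
    file_paths = []
    for raw in data.get("Path", "").split(";"):
        raw = raw.strip()
        if raw:
            file_paths.append(raw.split(":_", 1)[-1])
    file_names = [p.rsplit("\\", 1)[-1] for p in file_paths]

    return {
        "event_id": event_id,
        "message": EVENT_ID_MESSAGES.get(event_id, "Unknown Defender event ID"),
        "computer": computer,
        "threat_name": data.get("Threat Name", ""),
        "severity": data.get("Severity Name", ""),
        "user": data.get("Detection User", ""),
        "file_path": file_paths,
        "file_name": file_names,
    }
```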
Support
----------------------------
This is a community supported TA. As such, post your question to
answers.splunk.com and reference this TA. Someone should be with you shortly.
Pull requests via github are welcome! The repository can be found
at https://github.com/pdoconnell/TA-microsoft-windefender.