Creating Data Collection rule for Windows Defender AV event

Question

Creating Data Collection rule for Windows Defender AV event

Bombbe 1,441

Hello,
I'm using AMA and I would want to collect Windows Defender AV events to Log Analytics but I'm not sure how to do it in Data collection rule.

Those Defender evets are located in following path: Microsoft-Windows-Windows Defender/Operational which means that I should probably do custom rule by using XPath queries because they are not in basic tab.

Here is example path of the events but how do I insert Select Path="Microsoft-Windows-Windows Defender/Operational" in my DCR? Just doing System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]] won't get those events,

<QueryList>  
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">  
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]</Select>  
  </Query>  
</QueryList>

AnuragSingh-MSFT 21,506 Reputation points

2022-12-13T08:23:10.237+00:00

@Bombbe , Following up to see if my answer below helped. Do let me know if you have any queries.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

Accepted answer

1 additional answer

Your answer

AnuragSingh-MSFT 21,506 Reputation points

2022-12-13T08:23:10.237+00:00

@Bombbe , Following up to see if my answer below helped. Do let me know if you have any queries.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

Answer 1

AnuragSingh-MSFT 21,506

Hi @Bombbe ,

As you are trying to get the event logs from Microsoft-Windows-Windows Defender/Operational in AMA, please use the XPath query as shown below (note that the double-quotes are not present with the log path)

Microsoft-Windows-Windows Defender/Operational!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]

In Portal, it would look like:

I verified a few minutes back that the events do get collected in LogAnalytics workspace using this Xpath:

Please let me know if you have any questions.

---
Please 'Accept as answer' if it helped so that it can help others in the community looking for help on similar topics.

Christopher Schrauf (CP,GR) 0 Reputation points

2023-08-30T11:19:28.0233333+00:00

Hey Team what is super odd!

This query worked for me to fetch Anti Virus Detections EventID=1116
Since today I found out these are not fetched anymore with that xpath query and AMA.

In my first screenshot you see Events in the Event Viewer
But they are not appearing in log analytics workspace.

Other Event ID's like 5007 are there but not 1116 which is the interesting ones!

Any Idea if why this is happening?
Christopher Schrauf (CP,GR) 0 Reputation points

2023-08-30T11:27:16.83+00:00

It is Working again - Seems i had to update Defender Security Updates!

Answer 2

Andrew Blumhardt 9,956 Microsoft Employee

I would try "Microsoft-Windows-Windows Defender/Operational"!*

or

"Microsoft-Windows-Windows Defender/Operational"!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]

Bombbe 1,441 Reputation points

2022-12-02T11:28:32.497+00:00

Hmm.. Tried both but are not able to get events from the vm but heartbeats are fine, so the connection is fine. I also confirmed that events had been generated during this time.

Share via

Creating Data Collection rule for Windows Defender AV event

1 additional answer

Your answer