Windows Defender Data
App Installation
| App | Search Head | Indexer | Heavy Forwarder | UF / Deployment Server | Additional Details |
|---|---|---|---|---|---|
| TA for Microsoft Windows Defender | Required | - | - | Required (only for Windows) | Collect Windows Defender Logs from Windows Servers |
Collect Windows Defender Logs from Windows Servers
- Add the following stanza to inputs.conf in the local directory of the TA-microsoft-windefender add-on:

```ini
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = 0
renderXml = 1
```

- Deploy the add-on from the deployment server to all Windows machines.
Important sourcetypes to be collected
- *WinEventLog:Microsoft-Windows-Windows Defender/Operational
Note:
- Windows Defender logs are only tested in XML format (see renderXml = 1 in the inputs.conf stanza above); do not drop that setting.
- Create an index named windefender, or update the cs_windows_defender macro definition from the Cyences app configuration page (Cyences Settings > Cyences App Configuration > Products Setup) to point at the index you chose.
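A quick pre-deployment check for the stanza above, so a typo in the local inputs.conf is caught before the deployment server pushes the add-on to every Windows host. This is an added example, not code from the Cyences app or the TA-microsoft-windefender add-on; it assumes the stanza name, the `windefender` index and the three settings exactly as the procedure lists them, and the two inputs.conf samples at the bottom are constructed for illustration.

```python
import configparser
from typing import List

# Stanza and settings the procedure above requires in
# TA-microsoft-windefender/local/inputs.conf.
DEFENDER_STANZA = "WinEventLog://Microsoft-Windows-Windows Defender/Operational"
DEFAULT_INDEX = "windefender"  # default target of the cs_windows_defender macro


def parse_splunk_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text (INI-style stanzas) with case-sensitive keys."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep 'renderXml' as written; Splunk keys are case-sensitive
    cfg.read_string(text)
    return cfg


def check_windefender_inputs(text: str, expected_index: str = DEFAULT_INDEX) -> List[str]:
    """Return a list of findings for the Defender stanza; an empty list means it matches."""
    findings: List[str] = []
    cfg = parse_splunk_conf(text)
    if not cfg.has_section(DEFENDER_STANZA):
        return [f"missing stanza [{DEFENDER_STANZA}]"]
    stanza = cfg[DEFENDER_STANZA]

    # The page requires disabled = 0 explicitly; anything else means no data.
    if stanza.get("disabled", "").strip() != "0":
        findings.append("disabled must be 0 (input is off or not set explicitly)")

    # Cyences parsing is only tested against XML-rendered events.
    if stanza.get("renderXml", "").strip().lower() not in ("1", "true"):
        findings.append("renderXml must be 1; Defender events are only tested in XML format")

    # The index must exist and match the cs_windows_defender macro.
    idx = stanza.get("index", "").strip()
    if not idx:
        findings.append("index is not set; events would land in the default index")
    elif idx != expected_index:
        findings.append(
            f"index is '{idx}', not '{expected_index}'; "
            "update the cs_windows_defender macro to match"
        )
    return findings


# Constructed samples (not from the page): the stanza as documented, and a
# typical mistake (input left disabled, renderXml missing, wrong index).
GOOD_CONF = """\
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = 0
renderXml = 1
"""

BAD_CONF = """\
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = main
disabled = 1
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_windefender_inputs(conf) or "OK")
```

Run it against the real file with `check_windefender_inputs(open(path).read())`; pass `expected_index=` if you changed the cs_windows_defender macro instead of creating the `windefender` index.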
Estimated Data Size
The estimated data size depends on the number of hosts that are sending Windows Defender data.
- Events: 150-300 per Windows machine (daily)
- Licensing: < 5MB per Windows machine (daily)