Windows Defender via Winlogbeat

Windows Defender is an anti-malware component of Microsoft Windows. This integration allows you to send Windows Defender logs to your Logz.io SIEM account.

Before you begin, you'll need: Winlogbeat 8, Winlogbeat 7 or Winlogbeat 6.

Configure Windows Defender audit permissions

In the Windows taskbar search box, type "gpedit" and click Edit group policy. You'll see the Local Group Policy Editor.

Local Group Policy Editor

In the left pane, select Windows Settings > Security Settings > Local Policies > Audit Policy. In the right pane, open Audit object access.

Audit object access Properties

Select Success and Failure, and click OK.

Back in the Windows taskbar search box, type "regedit" and click Registry Editor.

In the search bar at the top of the window, paste "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender".

In the left pane, right-click the Windows Defender folder, then click Permissions... to show Permissions for Windows Defender. Click Advanced to show Advanced Security Settings for Windows Defender.

Advanced Security Settings for Windows Defender

In the Auditing tab, click Add to show the Auditing Entry for Windows Defender dialog.

Click Select a principal to show the Select User or Group dialog.

Select User or Group

Type "Administrators" in the text box and click Check Names.

Now click OK to exit all those dialogs you just opened. 😬

Download the Logz.io public certificate

Download the Logz.io public certificate to C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt on your machine.

Configure Windows input

If you're working with the default configuration file, (C:\Program Files\Winlogbeat\winlogbeat.yml) clear the content and start with a fresh file.

Paste this code block.

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Microsoft-Windows-Windows Defender/Operational
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

fields:
  logzio_codec: json
  token: <<LOG-SHIPPING-TOKEN>>
  type: wineventlog
fields_under_root: true

If you're running Winlogbeat 7 or 8, paste this code block. Otherwise, you can leave it out.

# ... For Winlogbeat 7 or 8 only ...
processors:
  - rename:
      fields:
      - from: "agent"
        to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
      - from: "log.file.path"
        to: "source"
      ignore_missing: true
  - rename:
      fields:
      - from: "log"
        to: "log_information"
      ignore_missing: true

Add Logz.io as an output

If Logz.io isn't the output, set it now.

Winlogbeat can have one output only, so remove any other output entries.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe.

output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['C:\ProgramData\Winlogbeat\COMODORSADomainValidationSecureServerCA.crt']

Restart Winlogbeat

Open PowerShell as an admin and run this command:

Restart-Service winlogbeat

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see Filebeat troubleshooting.

Configure Windows Defender audit permissions​

Download the Logz.io public certificate​

Configure Windows input​

Add Logz.io as an output​

Restart Winlogbeat​

Check Logz.io for your logs​