Windows Defender

Scanner supports Windows Defender logs, which contain information related to security events, malware detections, and system scans. In order for Scanner to receive Windows Defender log events, you need to configure a worfklow to push these logs to an S3 bucket that Scanner is linked to.

Step 1: Set up Winlogbeats to write Windows Defender logs to local files

You can use the Winlogbeats agent to write Windows Defender log events as JSON to local files. You will need to set the event_logs.name configuration parameter to read from the Windows Defender channel, which is Microsoft-Windows-Windows Defender/Operational.

See the Winlogbeats documentation for more information:

Step 2: Set up Fluentd to read Windows Defender logs from local file and write them to S3

You can use the Fluentd agent to read Windows Defender logs from local file and write the logs to your S3 bucket. Make sure to configure the output format to be JSON. See the following Fluentd documentation articles:

Step 3: Link the S3 bucket to Scanner

If you haven't done so already, link the S3 bucket containing your Windows Defender logs to Scanner using the Linking AWS Accounts guide.

Step 3: Set up an S3 Import Rule in Scanner

  1. Within Scanner, navigate to Settings > S3 Import Rules.

  2. Click Create Rule.

  3. For Rule name, type a name like my_team_name_windows_defender_logs.

  4. For Destination Index, choose the index where you want these logs to be searchable in Scanner.

  5. For Status, set to Active if you want to start indexing the data immediately.

  6. For Source Type, we recommend windows:defender, but you are free to choose any name. However, out-of-the-box detection rules will expect windows:defender.

  7. For AWS Account, choose the account that contains the S3 bucket containing Windows Defender logs.

  8. For S3 Bucket, choose the S3 bucket containing Windows Defender logs.

  9. For S3 Key Prefix, type the prefix (i.e. directory path) of the S3 objects that Fluentd is writing.

  10. For File type, choose JsonLines with Gzip compression.

  11. For Timestamp extractors, under Column name, type @timestamp. This is the field in each log event that contains the timestamp information.

  12. Click Preview rule to try it out. Check that the S3 keys you expect are appearing, and check that the log events inside are being parsed properly with the timestamp detected properly.

  13. When you're ready, click Create.

PreviousTeleportNextWindows Sysmon

Last updated