diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml
new file mode 100644
index 00000000..c955fe00
--- /dev/null
+++ b/rules/windows/other/win_defender_disabled.yml
@@ -0,0 +1,26 @@
+title: Windows Defender Threat Detection Disabled
+id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+description: Detects disabling Windows Defender threat protection
+date: 2020/07/28
+author: Ján Trenčanský
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+tags:
+ - attack.defense_evasion
+ - attack.t1089
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID:
+ - 5001
+ - 5010
+ - 5012
+ - 5101
+ condition: selection
+falsepositives:
+ - Administrator actions
+level: high
diff --git a/rules/windows/other/win_defender_threat.yml b/rules/windows/other/win_defender_threat.yml
new file mode 100644
index 00000000..9721af7b
--- /dev/null
+++ b/rules/windows/other/win_defender_threat.yml
@@ -0,0 +1,22 @@
+title: Windows Defender Threat Detected
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+description: Detects all actions taken by Windows Defender malware detection engines
+date: 2020/07/28
+author: Ján Trenčanský
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID:
+ - 1006
+ - 1116
+ - 1015
+ - 1117
+ condition: selection
+falsepositives:
+ - unlikely
+level: high
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 96b125f8..dd042220 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
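Review bot: `status: stable` on a rule that this commit creates (`date: 2020/07/28`) skips the Sigma lifecycle, where a new rule enters as `experimental` until it has been validated against real telemetry; combined with `level: high` an untested rule will page people from day one, so `status: experimental` is the safer starting value. The false-positive list is also thin: registering a third-party antivirus product normally puts Defender into disabled or passive mode and, as far as I recall from the referenced Microsoft page, produces the same 5001/5010/5012 events, so `- Installation or registration of a third-party antivirus product` belongs under `falsepositives` next to `Administrator actions`. A one-line comment per EventID naming what it means on the referenced page (real-time protection disabled, scanning disabled, platform expired) would let a triager act without opening the link.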
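Review bot: The EventID list covers detections and successful remediation (1006/1116 detection, 1015 suspicious behaviour, 1117 action taken) but not the failure events the same referenced Microsoft page documents — 1008, 1118 and 1119, where the platform failed to act on the detected malware — nor 1007, the older counterpart of 1117 that pairs with the included 1006. A detection whose remediation failed is the case that most needs a high-severity alert, so adding `- 1007`, `- 1008`, `- 1118`, `- 1119` to the selection (or splitting the failures into a separate rule at a higher level) would close that gap. `falsepositives: - unlikely` understates things: EICAR test files and 1117 events whose threat was already quarantined will both fire at `level: high`, and the `status: stable` concern raised on win_defender_disabled.yml applies here as well. Unlike the sibling rule this one carries no `tags:` block, which is worth stating as deliberate (no single ATT&CK technique) in a comment if that is the intent.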
@@ -43,4 +43,9 @@ logsources:
 service: dhcp
 conditions:
 Channel: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ Channel: 'Microsoft-Windows-Windows Defender/Operational'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 5cb0ea75..c22cdc99 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -69,3 +69,8 @@ logsources:
 service: dhcp
 conditions:
 LogName: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ LogName: 'Microsoft-Windows-Windows Defender/Operational'
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 69954e22..cac85f32 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -44,6 +44,11 @@ logsources:
 service: dhcp
 conditions:
 winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index ce0124fd..a5c2474c 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
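Review bot: The new `windows-defender` entry in tools/config/winlogbeat-modules-enabled.yml matches on `winlog.channel` while the neighbouring `dhcp` entry in the same hunk keys on `winlog.provider_name`; `winlog.channel` is the right field for a value ending in `/Operational`, but the divergence will read as a typo to the next editor and invites a "consistency" cleanup that breaks it. A short comment above the entry, `# winlog.channel, not provider_name: the Defender provider is 'Microsoft-Windows-Windows Defender'; the log is its /Operational channel`, would preserve the intent. The identical hunk in tools/config/winlogbeat.yml needs the same comment; the logstash-windows, powershell and winlogbeat-old hunks follow their files' existing field names and need nothing. Since the dhcp entry compares a channel string against the provider name it probably never matches in Winlogbeat output — pre-existing, not this commit's fault, but worth a follow-up.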
@@ -43,6 +43,11 @@ logsources:
 service: dhcp
 conditions:
 source: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ source: 'Microsoft-Windows-Windows Defender/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 2171cef0..fe8dd96f 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -43,6 +43,11 @@ logsources:
 service: dhcp
 conditions:
 winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
+ windows-defender:
+ product: windows
+ service: windefend
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'