Windows Defender rules and logsource

rules/windows/other/win_defender_disabled.yml

@@ -0,0 +1,26 @@
+title: Windows Defender threat detection disabled
+id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+description: Detects disabling Windows Defender threat protection
+date: 2020/07/28
+author: Ján Trenčanský
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+    - attack.t1562.001
+logsource:
+    product: windows
+    service: windefend
+detection:
+    selection:
+        EventID:
+            - 5001
+            - 5010
+            - 5012
+            - 5101
+    condition: selection
+falsepositives:
+    - Administrator actions
+level: high

rules/windows/other/win_defender_threat.yml

@@ -0,0 +1,22 @@
+title: Windows Defender threat detected
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+description: Detects all actions taken by Windows Defender malware detection engines
+date: 2020/07/28
+author: Ján Trenčanský
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+status: stable
+logsource:
+    product: windows
+    service: windefend
+detection:
+    selection:
+        EventID:
+            - 1006
+            - 1116
+            - 1015
+            - 1117
+    condition: selection
+falsepositives:
+    - unlikely
+level: high

tools/config/logstash-windows.yml

@@ -43,4 +43,9 @@ logsources:
     service: dhcp
     conditions:
       Channel: 'Microsoft-Windows-DHCP-Server/Operational'
+  windows-defender:
+    product: windows
+    service: windefend
+    conditions:
+      Channel: 'Microsoft-Windows-Windows Defender/Operational'
 defaultindex: logstash-*

tools/config/powershell.yml

@@ -69,3 +69,8 @@ logsources:
     service: dhcp
     conditions:
       LogName: 'Microsoft-Windows-DHCP-Server/Operational'
+  windows-defender:
+    product: windows
+    service: windefend
+    conditions:
+      LogName: 'Microsoft-Windows-Windows Defender/Operational'

tools/config/winlogbeat-modules-enabled.yml

@@ -44,6 +44,11 @@ logsources:
     service: dhcp
     conditions:
       winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
+  windows-defender:
+    product: windows
+    service: windefend
+    conditions:
+      winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'

tools/config/winlogbeat-old.yml

@@ -43,6 +43,11 @@ logsources:
     service: dhcp
     conditions:
       source: 'Microsoft-Windows-DHCP-Server/Operational'
+  windows-defender:
+    product: windows
+    service: windefend
+    conditions:
+      source: 'Microsoft-Windows-Windows Defender/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/winlogbeat.yml

@@ -43,6 +43,11 @@ logsources:
     service: dhcp
     conditions:
       winlog.provider_name: 'Microsoft-Windows-DHCP-Server/Operational'
+  windows-defender:
+    product: windows
+    service: windefend
+    conditions:
+      winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'