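---
# LimaCharlie extension (schema version 3): collects the Windows Defender
# operational event log from Windows sensors and reports a small set of
# high-signal Defender events as detections.
version: 3

# Resources the extension declares it needs: the "logging" replicant (artifact
# collection) and the "insight" API.
resources:
  replicant:
    - logging
  api:
    - insight

# Artifact collection. Every event on the Defender operational channel is
# collected so the rules below have data to match against.
artifact:
  windows-defender-logs:
    patterns:
      # Quoted so the trailing "*" and embedded ":" can never be mistaken for
      # YAML alias/mapping syntax by a stricter parser.
      - "wel://Microsoft-Windows-Windows Defender/Operational:*"
    tags: []
    platforms:
      - windows

# Detection rules. Each one matches a single Defender EventID on the
# operational channel and emits a report named after the rule key.
#
# The Channel condition is redundant with the artifact pattern above but keeps
# each rule self-contained if additional WEL channels are ever collected.
# EventIDs are quoted so they stay strings; if a rule ever fails to fire,
# confirm how the "is" operator compares string vs. numeric values in the
# ingested event.
#
# EventID meanings below are taken from Microsoft's Defender Antivirus event
# reference — confirm against the version of Defender deployed.
#
# NOTE(review): coverage gap. Nothing here fires when Defender itself is
# disabled or reconfigured (real-time protection turned off, exclusions
# added, tamper-protection blocks) or when remediation fails. Those are the
# events an intruder typically produces before a payload runs; consider
# adding rules for them once the exact EventIDs are verified.
rules:
  # EventID 1006: the antimalware engine found malware or potentially
  # unwanted software.
  windows-defender-malware-detected:
    namespace: general
    detect:
      event: WEL
      op: and
      rules:
        - op: is
          path: event/EVENT/System/Channel
          value: Microsoft-Windows-Windows Defender/Operational
        - op: is
          path: event/EVENT/System/EventID
          value: "1006"
    respond:
      - action: report
        name: windows-defender-malware-detected

  # EventID 1013: the antimalware platform deleted its malware history.
  # Treat as a defense-evasion / anti-forensics signal, not just hygiene —
  # clearing Defender history is a common step before or after an intrusion.
  windows-defender-history-deleted:
    namespace: general
    detect:
      event: WEL
      op: and
      rules:
        - op: is
          path: event/EVENT/System/Channel
          value: Microsoft-Windows-Windows Defender/Operational
        - op: is
          path: event/EVENT/System/EventID
          value: "1013"
    respond:
      - action: report
        name: windows-defender-history-deleted

  # EventID 1015: the antimalware platform detected suspicious behavior
  # (behavioral/heuristic detection rather than a signature hit).
  windows-defender-behavior-detected:
    namespace: general
    detect:
      event: WEL
      op: and
      rules:
        - op: is
          path: event/EVENT/System/Channel
          value: Microsoft-Windows-Windows Defender/Operational
        - op: is
          path: event/EVENT/System/EventID
          value: "1015"
    respond:
      - action: report
        name: windows-defender-behavior-detected

  # EventID 1116: the antimalware platform detected malware or potentially
  # unwanted software (detection only; remediation is reported separately).
  windows-defender-activity-detected:
    namespace: general
    detect:
      event: WEL
      op: and
      rules:
        - op: is
          path: event/EVENT/System/Channel
          value: Microsoft-Windows-Windows Defender/Operational
        - op: is
          path: event/EVENT/System/EventID
          value: "1116"
    respond:
      - action: report
        name: windows-defender-activity-detected

  # EventID 1117: the antimalware platform took an action to protect the
  # system (remediation of a prior detection).
  #
  # Report name aligned with the rule key to match every other rule in this
  # file; it previously reported as "windows-defender-malware-prevented".
  # Update any alert routing or suppression keyed on the old detection name.
  windows-defender-activity-prevented:
    namespace: general
    detect:
      event: WEL
      op: and
      rules:
        - op: is
          path: event/EVENT/System/Channel
          value: Microsoft-Windows-Windows Defender/Operational
        - op: is
          path: event/EVENT/System/EventID
          value: "1117"
    respond:
      - action: report
        name: windows-defender-activity-prevented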