2018-09-06 12:04 PM
We have some endpoints that are using Windows Defender managed via SCCM as their AV solution, for...some reason.
Is there a correct way to centralize logs from these clients (i.e. detections, scan results, etc.) into Netwitness? I have a sneaking suspicion that we're going to have to use Windows Event Forwarding from the clients to a central Windows server, and then pull those logs into Netwitness. My question is more about whether or not the events will be parsed correctly/at all, or if we'll have to extend the winevent_nic parser (or write a new one?) ourselves to properly interpret the contents of the Applications and Services Logs/Microsoft/Windows/Windows Defender Antivirus logs once we are able to route them to Netwitness.
Has anyone else done this?
For reference, here's Microsoft's documentation on these events: Windows Defender AV event IDs and error codes | Microsoft Docs
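As an added illustration of what a parser for the forwarded Windows Defender Antivirus events has to handle (example code, not from the original thread and not NetWitness's winevent_nic parser): the script below takes the XML rendering of one event as Windows Event Forwarding delivers it, checks that it comes from the Defender provider, flattens the `System` and `EventData` fields, and maps the event ID to a detection category. Event IDs 1116 (malware detected) and 1117 (action taken) and the `EventData` names are taken from Microsoft's documentation linked above; the `file:_` prefix handling on the `Path` field is an assumption about the event format, and the sample event itself is constructed.

```python
"""Flatten a Windows Defender Antivirus event (XML form) into fields a SIEM parser would map.

Added example; not from the original thread or any RSA/NetWitness parser.
Event IDs 1116/1117 and the EventData names follow Microsoft's Defender AV event
documentation; the sample event is constructed, not captured from a real host.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"

# Detection-related event IDs per Microsoft's Defender AV event ID documentation
DETECTION_EVENT_IDS = {
    1116: "malware detected",
    1117: "action taken on malware",
}

# Constructed sample: a 1116 detection event as rendered in the forwarded event XML.
# Host name, user, path and timestamp are placeholders.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender"/>
    <EventID>1116</EventID>
    <TimeCreated SystemTime="2018-09-06T12:00:00.000000000Z"/>
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>WS-EXAMPLE-01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Product Name">Windows Defender Antivirus</Data>
    <Data Name="Threat Name">Virus:DOS/EICAR_Test_File</Data>
    <Data Name="Severity Name">Severe</Data>
    <Data Name="Path">file:_C:\Users\example\Downloads\eicar.com</Data>
    <Data Name="Detection User">EXAMPLE\user</Data>
    <Data Name="Process Name">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""


def split_resource(resource):
    """Split Defender's 'type:_path' resource string (e.g. 'file:_C:\\...') into
    (type, path). Format assumed from observed events; unprefixed input is passed through."""
    if ":_" in resource:
        kind, _, rest = resource.partition(":_")
        return kind, rest
    return "", resource


def parse_defender_event(xml_text):
    """Return a flat dict of the fields worth mapping, or None if the event is not
    from the Defender provider (so a generic forwarder feed can be filtered)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    provider = system.find("e:Provider", EVENT_NS).get("Name", "")
    if provider != DEFENDER_PROVIDER:
        return None

    event = {
        "event_id": int(system.findtext("e:EventID", namespaces=EVENT_NS)),
        "time": system.find("e:TimeCreated", EVENT_NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=EVENT_NS),
        "channel": system.findtext("e:Channel", namespaces=EVENT_NS),
    }
    # EventData is a list of <Data Name="..."> elements; the names contain spaces.
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", EVENT_NS)}
    event["threat_name"] = data.get("Threat Name")
    event["severity"] = data.get("Severity Name")
    event["detection_user"] = data.get("Detection User")
    event["process_name"] = data.get("Process Name")
    event["resource_type"], event["path"] = split_resource(data.get("Path", ""))
    event["category"] = DETECTION_EVENT_IDS.get(event["event_id"], "other")
    return event


if __name__ == "__main__":
    for key, value in parse_defender_event(SAMPLE_EVENT_XML).items():
        print(f"{key}: {value}")
```

Events from the forwarder that are not from the Defender provider come back as `None`, so the same routine can sit in front of a mixed forwarded-event feed; anything mapped to the `other` category (scan results, signature updates, and so on) still carries its `EventData` if you choose to extend the field list.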
2018-09-10 09:23 AM
From previous work with a customer, Defender logs are captured by SCCM but not written to the event logs as other events are. They are written to the DB where they need to be extracted with a custom typespec and xml.
The typespec (ODBC query) needs to be customized to match your instance.
Try this:
https://github.com/epartington/rsa_nw_log_sccm_defender
I would start with SQL test to make sure the ODBC query works and gets you the information that you need, then expand to implement the typespec and the parser to extract the information completely.
Thanks to Ian Redden for the original work on this.
2018-09-10 11:31 AM
Thanks Eric - much appreciated!
2021-07-23 04:07 AM
Eric always to the rescue. Your answers here in the community have been invaluable to me. Thanks a lot.