Change log for WINDOWS_DEFENDER_AV
| Date | Changes |
|---|---|
| 2026-04-06 | Enhancement -
- `event.idm.read_only_udm.security_result.summary`: Removed the mapping of the `Threat Name` raw log field to the `event.idm.read_only_udm.security_result.summary` UDM field when `EventID` is "1116" or "1117", to make room for a more event-specific mapping.
- `event.idm.read_only_udm.security_result.summary`: Mapped the `EventID` raw log field to the `event.idm.read_only_udm.security_result.summary` UDM field when `EventID` is "1116" or "1117", since `EventID` more accurately represents the event summary.
- `event.idm.read_only_udm.security_result.description`: Removed the mapping of the `EventID` raw log field to the `event.idm.read_only_udm.security_result.description` UDM field when `EventID` is "1116" or "1117", to make room for a more event-specific mapping.
- `event.idm.read_only_udm.security_result.description`: Set the value based on `EventID`:
  - If `EventID` is "1116": "Microsoft Defender Antivirus detected malware or other potentially unwanted software."
  - If `EventID` is "1117": "Microsoft Defender Antivirus performed an action to protect your system from malware or other potentially unwanted software."
  - If `EventID` is "1118": "Microsoft Defender Antivirus attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed."
  - If `EventID` is "1119": "Microsoft Defender Antivirus encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message."
  - If `EventID` is "1120": "Microsoft Defender Antivirus deduced the hashes for a threat resource."
- `event.idm.read_only_udm.metadata.product_log_id`: Newly mapped the `EventRecordID` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field.
- `event.idm.read_only_udm.metadata.product_version`: Newly mapped the `Product Version` raw log field to the `event.idm.read_only_udm.metadata.product_version` UDM field.
- `event.idm.read_only_udm.metadata.product_deployment_id`: Newly mapped the `ProviderGuid` raw log field to the `event.idm.read_only_udm.metadata.product_deployment_id` UDM field.
- `event.idm.read_only_udm.principal.asset.hostname`: Newly mapped the `Hostname` raw log field to the `event.idm.read_only_udm.principal.asset.hostname` UDM field.
- `event.idm.read_only_udm.principal.url`: Newly mapped the `xmlns` raw log field to the `event.idm.read_only_udm.principal.url` UDM field.
- `event.idm.read_only_udm.target.file.full_path`: Newly mapped the `Threat Resource Path` raw log field to the `event.idm.read_only_udm.target.file.full_path` UDM field.
- `event.idm.read_only_udm.target.file.sha1`: Newly mapped the `Hashes` raw log field to the `event.idm.read_only_udm.target.file.sha1` UDM field.
- `event.idm.read_only_udm.security_result.severity_details`: Newly mapped the `RenderingInfoLevel` raw log field to the `event.idm.read_only_udm.security_result.severity_details` UDM field.
- `event.idm.read_only_udm.security_result.action_details`: Newly mapped the `Action Name` raw log field to the `event.idm.read_only_udm.security_result.action_details` UDM field.
- `event.idm.read_only_udm.security_result.first_discovered_time`: Newly mapped the `Detection Time` raw log field to the `event.idm.read_only_udm.security_result.first_discovered_time` UDM field.
- `event.idm.read_only_udm.security_result.threat_id`: Newly mapped the `Threat ID` raw log field to the `event.idm.read_only_udm.security_result.threat_id` UDM field.
- `event.idm.read_only_udm.security_result.detection_fields`: Newly mapped the `Remediation User`, `Status Description`, `Action ID`, `Additional Actions ID`, `Additional Actions String`, `Category ID`, `Detection ID`, `Engine Version`, `Error Code`, `Error Description`, `Execution ID`, `Execution Name`, `Origin ID`, `Origin Name`, `Post Clean Status`, `Pre Execution Status`, `Security Intelligence Version`, `Severity ID`, `Source ID`, `State`, `Status Code`, `Type ID` and `Type Name` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- `event.idm.read_only_udm.additional.fields`: Newly mapped the `Level`, `Culture`, `Keywords`, `Opcode`, `Product Name`, `Provider Name`, `RenderingInfoMessage`, `Service`, `Task`, `Version` and `Security UserID` raw log fields to the `event.idm.read_only_udm.additional.fields` UDM field.
- `event.idm.read_only_udm.security_result.summary`: Newly mapped the `EventID` raw log field to the `event.idm.read_only_udm.security_result.summary` UDM field when `EventID` is "1118", "1119" or "1120".
- Added `on_error` handling to the type conversion of the `ProcessID` raw log field, which is mapped to the `event.idm.read_only_udm.principal.process.pid` UDM field, so that a non-numeric value no longer fails the event. |
| 2025-02-27 | Enhancement -
- Added a `gsub` step to parse previously unparsed logs.
- Changed the mapping of the `Path` raw log field from `target.process.file.full_path` to `target.registry.registry_key`.
- Added a conditional check when mapping `event_type` to `SCAN_HOST`, `SCAN_FILE` or `GENERIC_EVENT`. |
| 2025-02-14 | Enhancement -
- Added support for the new JSON log format. |
| 2024-01-30 | Bug-Fix -
- Added an `on_error` check to the date filter so that timestamps in both UNIX (seconds) and UNIX_MS (milliseconds) format are parsed. |
| 2023-09-04 | Bug-Fix -
- Parsed the date with `rebase` set to `true`.
- Additionally mapped the following fields:
  - `UserID` to `principal.user.userid`.
  - `Category Name` to `security_result.category_details`.
  - `ProviderGuid` to `metadata.product_deployment_id`.
  - `RecordNumber` to `metadata.product_log_id`.
  - `ActivityID` to `security_result.detection_fields`.
  - `ProcessID` to `principal.process.pid`.
  - `Domain` to `principal.administrative_domain`.
  - `FWLink` to `metadata.url_back_to_product`.
  - `Path` to `target.process.file.full_path`. |