Detection while windows defender is running

[OlexTratisky]

Hello,

I am running windows defender on a given client running also wazuh agent and winlogbeat.

I am trying to simulate an attack and trying to run a file. It is getting blocked directly by the windows defenderendpoint.

Should i still be able to get an alert from wazuh agent , winlogbeat about this potential execution? The idea is that defender is blocking before the alert is generated in my understanding and is not allowing me to see the events in SO

Not sure if that logic is correct

[Jaap79]

Yes you should If you look in the Event Log and navigate to Microsoft-Windows-Windows Defender/Operational logs and monitor for event "1117" you should be able to do just that. (I've set it up and had it working for a few days myself).

I'm using a Playbook for this.

title: Windows Defender --- Malware Found
status: experimental
description: Detects when the Windows Defender log lists 1117 or malware found
author: xxxx
logsource:
index: so-beats*
detection:
selection:
event.dataset:
- microsoft-windows-windows defender/operational
event.code:
- 1117
condition: selection
falsepositives:

• Unknown
  level: critical

[Jaap79]

However, please note that I had some issues with 'just' Wazuh which didn´t really report on that particular event despite setting it up in the ossec.conf file! I actually implemented Winlogbeat next to Wazuh to actually be able to make this work. Strange, but alas.