-
Notifications
You must be signed in to change notification settings - Fork 453
Expand file tree
/
Copy pathwindows_event_log_defender_1122.yml
More file actions
85 lines (85 loc) · 2.67 KB
/
windows_event_log_defender_1122.yml
File metadata and controls
85 lines (85 loc) · 2.67 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: Windows Event Log Defender 1122
id: 4a2d0499-f489-4557-82f4-f357025cf3e7
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
description: Logs an event when a process attempts to load a DLL that is blocked by
an attack surface reduction rule.
mitre_components:
- Application Log Content
- Process Creation
- Module Load
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: XmlWinEventLog
separator: EventCode
separator_value: '1122'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 9.1.2
fields:
- _time
- ActivityID
- Channel
- Computer
- Detection_Time
- Engine_Version
- EventCode
- EventData_Xml
- EventID
- EventRecordID
- Guid
- ID
- Inhertiance_Flags
- Keywords
- Level
- Name
- Opcode
- Parent_Commandline
- Path
- ProcessID
- Process_Name
- Product_Name
- Product_Version
- RecordNumber
- RuleType
- Security_intelligence_Version
- SystemTime
- System_Props_Xml
- Target_Commandline
- Task
- ThreadID
- User
- UserID
- Version
- dvc
- dvc_nt_host
- event_id
- eventtype
- host
- id
- index
- linecount
- punct
- signature_id
- source
- sourcetype
- splunk_server
- tag
- tag::eventtype
- timestamp
- user_id
- vendor_product
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/><EventID>1122</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
SystemTime='2023-11-26T23:43:08.7101401Z'/><EventRecordID>3701</EventRecordID><Correlation
ActivityID='{b68511a1-ec5f-4bc7-a9bb-2bd601338de2}'/><Execution ProcessID='3512'
ThreadID='5936'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>researchvmhaa</Computer><Security
UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>Microsoft Defender
Antivirus</Data><Data Name='Product Version'>4.18.23100.2009</Data><Data Name='Unused'></Data><Data
Name='ID'>E6DB77E5-3DF2-4CF1-B95A-636979351E5B</Data><Data Name='Detection Time'>2023-11-26T23:43:08.709Z</Data><Data
Name='User'>(unknown user)</Data><Data Name='Path'></Data><Data Name='Process Name'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data
Name='Security intelligence Version'>1.401.1247.0</Data><Data Name='Engine Version'>1.1.23100.2009</Data><Data
Name='RuleType'>ENT\ConsR</Data><Data Name='Target Commandline'></Data><Data Name='Parent
Commandline'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data
Name='Involved File'></Data><Data Name='Inhertiance Flags'>0x00000000</Data></EventData></Event>