Skip to content
This repository has been archived by the owner on Dec 30, 2023. It is now read-only.

nextpart/Defender_TA_nxtp

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Technical Add-On for Windows Defender

Build Status image image

This extension for Splunk® is a rewrite of the Add-on already created by pdoconnell (TA-microsoft-windefender) that we adapt to our needs and requirements. At this point we would like to thank Patrick for the great work he has done with his project and from which we could learn a lot as well as all the other members of the Splunk Community who publish their work. You are heroes 👏

Author information

  • Author: Nextpart Security Intelligence GmbH
  • Version: X.X.X (dynamic)
  • Creation: May 22, 2020

Using this Application

  • Source: XmlWinEventLog
  • Sourcetype: WinEventLog:Microsoft-Windows-Windows Defender/Operational

This add-on is intended as a complement to the Splunk Add-on for Microsoft Windows, which also manages the basic operations of the field extraction from the xml or raw events. If you have installed that add-on you can also use this one to extract more information and present it according to CIM.

Upgrade

Remove the app using splunk plugin tool

$SPLUNK_HOME/bin/splunk remove app Defender_TA_nxtp
Install the app
$SPLUNK_HOME/bin/splunk install app Defender_TA_nxtp_<version>.tgz
Forwarding Data

Once you have installed the Technical Add-On you can start sending data. In order to do so you need Windows instances running Windows Defender AntiVirus and the Splunk Universal Forwarder with the according configuration for you environment. Then you can also use this add-on on your endpoints and activate forwarding by adding the following content to the inputs.conf file in the local directory:

## Custom Inputs.conf for microsoft windows defender events

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = false

Update History

  • 0.3.X October 05, 2020: Detection results will be extracted with multiple fields if more details are provided and the source has been adapted for general use outside the dev environment and should work well for general usage.

  • 0.2.X August 25, 2020: First possible field extractions according to the CIM event types malware and IDS alerts with documentation of these.

  • 0.1.X July 28, 2020: Template Application from Add-on Builder with specification of Index, Source and Sourcetype.

  • 0.0.X May 22, 2020: Initialization of the repository with first specifications in the documentation.

Copyright & License

Copyright © 2019 Nextpart Security Intelligence GmbH

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Find more information about this on the LICENSE file.